Anyconnect Asa



Производители

  1. AnyConnect client ASA connection proceeds in the following steps. Establish a session by connecting to ASA using SSL (TCP443) (.) and exchanging certificates, authentication, profile information, etc. While transferring data with SSL (.), if UDP443 is available, it automatically switches to data transfer with DTLS tunnel using UDP443.
  2. Assuming AnyConnect is already configured on your ASA Firewall, registering the new packages is a very simple process. In the near future, we’ll be including a full guide on how to setup AnyConnect Secure Mobility on Cisco ASA Firewalls. Enter configuration mode and in the webvpn section add the following commands: ASA-5506X (config)# webvpn.

Оборудование

Comment and share: Quick guide: AnyConnect Client VPN on Cisco ASA 5505 By Lauren Malhoit Lauren Malhoit has been in the IT field for over 10 years and has acquired several data center certifications.

Cisco AnyConnect Mobile - ASA 5515-X (req. Essentials or Premium)В В (L-ASA-AC-M-5515=)

Cisco AnyConnect Mobile - ASA 5545-X (req. Essentials or Premium)В В (ASA-AC-M-5545=)

Cisco AnyConnect Mobile - ASA 5555-X (req. Essentials or Premium)В В (L-ASA-AC-M-5555=)

Cisco AnyConnect Mobile - ASA 5545-X (req. Aurora hdr pro upgrade. Essentials or Premium)В В (L-ASA-AC-M-5545=)

Cisco AnyConnect Mobile - ASA 5525-X (req. Essentials or Premium)В В (ASA-AC-M-5525=)

Cisco AnyConnect Mobile - ASA 5512-X (req. Essentials or Premium)В В (L-ASA-AC-M-5512=)

Cisco AnyConnect Mobile - ASA 5555-X (req. Essentials or Premium)В В (ASA-AC-M-5555=)

Cisco AnyConnect Mobile - ASA 5515-X (req. Essentials or Premium)В В (ASA-AC-M-5515=)

Cisco AnyConnect Mobile - ASA 5525-X (req. Essentials or Premium)В В (L-ASA-AC-M-5525=)

Cisco AnyConnect Mobile - ASA 5512-X (req. Essentials or Premium)В В (ASA-AC-M-5512=)

Cisco AnyConnect Mobile - ASA 5545-X (req. Essentials or Premium)В В (ASA-AC-M-5545)

Cisco AnyConnect Mobile - ASA 5525-X (req. Essentials or Premium)В В (ASA-AC-M-5525)

Cisco AnyConnect Mobile - ASA 5555-X (req. Essentials or Premium)В В (ASA-AC-M-5555)

Cisco AnyConnect Mobile - ASA 5515-X (req. Essentials or Premium)В В (ASA-AC-M-5515)

Cisco AnyConnect Mobile - ASA 5512-X (req. Essentials or Premium)В В (ASA-AC-M-5512)

8 636 руб.113 USD93.82 EUR0 руб.0 USD0.00 EUR21 857 руб.286 USD237.46 EUR19 870 руб.260 USD215.88 EUR0 руб.0 USD0.00 EUR8 406 руб.110 USD91.33 EUR22 239 руб.291 USD241.61 EUR8 636 руб.113 USD93.82 EUR14 138 руб.185 USD153.60 EUR8 406 руб.110 USD91.33 EUR19 488 руб.255 USD211.72 EUR14 138 руб.185 USD153.60 EUR22 621 руб.296 USD245.77 EUR8 177 руб.107 USD88.84 EUR8 177 руб.107 USD88.84 EUR

See the previous blog post which documents the steps to setup AnyConnect SSL-VPN and ISE integration. This blog post expands on the AnyConnect SSL-VPN configuration, adding support for IKEv2/IPSec and using double authentication (Username/Password and Certificate).

ASA Configuration

Create a Crypto Keypair

Create a CA Trustpoint

Authenticate the Trustpoint

In this example the ASA will enrol with a Windows Certificate Authority.

  • Open the CA’s Trusted Root certificate in notepad
  • Copy the contents on the certificate
  • On the ASA run the command crypto ca authenticate LAB_PKI
  • When prompted paste the contents of the CA Trusted Root certificate
  • Type quit at the end
  • Enter yes to import the certificate

EnrolL ASA for Identity Certificate

The ASA will create a CSR, which will need to be signed by the Windows CA and the signed certificate imported.

  • On the ASA run the command crypto ca enroll LAB_PKI
  • When prompted copy the contents of the CSR
  • Complete the Certificate Signing Request
  • On the Window CA open the Web page to sign certificates, click Request a certificate
  • Click advanced certificate request
  • Paste the CSR generated on the ASA in the previous step above
  • Select the Certificate Template Web Server
  • Click Submit
  • Select Base 64 encoded
  • Click Download certificate, save the file to a file for use in the next step
  • On the ASA, run the command crypto ca import LAB_PKI certificate. LAB_PKI equals the name of the trustpoint previously defined.
  • When prompted paste the contents of the saved file (generated in the previous step)
  • Type quit at the end
  • Verify the Identity and Trusted Root Certificates imported successfully by running the command show crypto ca certificates
  • In the screenshot below the first certificate is the Identity Certificate (note the Subject name of the ASA). The second certificate is the Trusted Root certificate (note the subject name = lab=PKI-CA).

Enable the Certificate Trustpoint on the OUTSIDE interface

Anyconnect asa ise

Enable the Certificate Trustpoint for Remote Access

Define IKEv2 Policy


Define IPSec Transform Sets

Define Crypto Map

Reference the previously created IPSec Transform Sets. Enable Crypto Map on OUTSIDE interface

Modify Group Policy to enable IKEv2

Enable AAA and Certificate authentication

For additional security double authentication will be configured to require certificate and username/password. The certificate will be authenticated against the ASA, the UN/PW will be authenticated against the RADIUS server (defined in the previous post).

Enable AAA accounting (if not already enabled)

Hp software mac download. AAA accounting should be enabled to keep track of the connections.

ISE Configuration

The ISE Authorization Policy as defined in the previous post needs modifying to add a new rule for clients connecting with IPSec. Using this attribute is optional, but can be used to distinguish between different connections types if required.

  • Create a new Authorization rule called AnyConnect IPSec VPN
  • Define Conditions: Cisco-VPN3000:CVPN3000/ASA/PIX7x-Tunnel-Group-Name CONTAINS TG-1 AND Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type EQUALS AnyConnect-Client-IPSec-VPN
  • Permissions: VPN_Permit_DACL

Testing & Verification

You will need to create a AnyConnect Profile, download the AnyConnect Profile Editor

  • Open the VPN Profile Editor
  • Navigate to the Server List and click Add
  • Define a display name for the connection e.g ASA IKEv2/IPSec VPN
  • Define the FQDN
  • Define the User Group, this represents the Tunnel-Group on the ASA, in this instance the name is TG-1 (as defined in the previous post)
  • Set the Primary Protocol to IPSec


Setup
  • Click Save and ensure the file is saved to the folder location:
    • C:ProgramDataCiscoCisco AnyConnect Secure Mobility ClientProfile
  • Restart the Cisco AnyConnect services or reboot
  • Open the Cisco AnyConnect Secure Mobility Client, this should display the new connection


The Windows computer has a User and Computer certificate issued by the same Windows CA that signed the certificate in use on the ASA, and therefore they should mutually trust each other and successfully authenticate.

  • On the ASA run the command debug aaa authentication
  • On the PC connect to the VPN and enter and username/password when prompted. Certificate authentication, if successful should be transparent

Anyconnect Asa Vpn

From the ASA debugs you can see the certificate authentication was successful

Anyconnect Asa

Authentication using Username/Password was also successful. You can see from the debug output aaa authentication was successful, a DACL was downloaded, aaa accounting was successful and the client was successfully assigned an IP address from the local pool.

  • On the ASA run the command show vpn-session detail anyconnect

You will be able to confirm the Username, Assigned IP address, IKEv2 encryption algorithm used, authentication method, group-policy and tunnel-group etc.