Often remote workers need an automatic VPN connection when they are outside the company network. You can use the ASA and the AnyConnect client to deploy such a solution. In this blog post I will show you how to configure a Cisco ASA to support AnyConnect for such a deployment. Certificates will be used for authentication.
The first step is to configure the SSL VPN server on the Cisco ASA to use certificates for authentication. I will skip the certificate-issuing procedure. Below you will find the basic configuration for SSL VPN on the ASA.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
ssl trust-point SSLVPN_CERT outside
group-policy SSLVPN_GP attributes
 dns-server value 192.168.1.10 192.168.1.11
 vpn-filter value SSLVPN_FW
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT
 default-domain value example.com
 address-pools value SSLVPN_POOL
tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 default-group-policy SSLVPN_GP
tunnel-group SSLVPN_TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/auto enable
This is the basic SSL VPN configuration, and you can already try to connect on the outside interface. The next step is to configure an AnyConnect profile that defines the policy for automatic VPN connection on untrusted networks. You can create the AnyConnect profile via ASDM.
When you are connected to the ASA with ASDM, click Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile. In this configuration mode you can add a new AnyConnect profile. Click the Add button and choose a Profile Name and Profile Location. You can also apply this profile to the Group Policy you created in the previous step, but this can also be added later with the following commands. Click OK and Apply.
group-policy SSLVPN_GP attributes
 webvpn
  anyconnect profiles value AUTO type user
Now double-click the profile that has been created and configure it.
Preference (Part 1)
- Select User as the certificate store.
Preference (Part 2)
- Uncheck Disable Automatic Certificate Selection, which configures AnyConnect to select the correct certificate automatically.
- Check Automatic VPN Policy and select Disconnect as the Trusted Network Policy and Connect as the Untrusted Network Policy. You must also enter the DNS domain name of your trusted network, and you should also add the DNS servers.
Certificate Matching
- In this tab you can configure which certificate to use when connecting to the SSL VPN server. I have selected ISSUER-CN.
Server List
- You must add at least one server, otherwise Certificate Matching will be ignored. Configure the same display name and host address as used in the tunnel-group.
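The ASDM editor writes the settings from the four tabs above into an XML client profile that the ASA stores on flash and pushes to the client. The following is an added example of what that profile looks like for this configuration; it is not the profile from the original post. The issuer CN "Example Root CA", the display name SSLVPN_TG and the host address carrying the /auto group-url path are assumptions; the trusted DNS domain and servers reuse the values from the SSLVPN_GP group policy above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example AnyConnect client profile (AUTO.xml), not from the original post.
     Values marked "assumed" do not come from the configuration above. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Preferences (Part 1): look for the client certificate in the user store only -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>

    <!-- Preferences (Part 2): "Disable Automatic Certificate Selection" left unchecked -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>

    <!-- Preferences (Part 2): Trusted Network Detection. The network counts as trusted
         only when the active adapter's DNS suffix AND DNS servers match the values
         below; on any other network the client connects on its own. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>example.com</TrustedDNSDomains>
      <TrustedDNSServers>192.168.1.10,192.168.1.11</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>

    <!-- Certificate Matching: select the certificate issued by the internal CA.
         The issuer CN "Example Root CA" is assumed. -->
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Root CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <!-- Server List: at least one entry is required, or CertificateMatch is ignored.
       Display name and the /auto path pointing at the SSLVPN_TG group-url are assumed. -->
  <ServerList>
    <HostEntry>
      <HostName>SSLVPN_TG</HostName>
      <HostAddress>vpn.example.com/auto</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Once the profile is saved, `show running-config webvpn` on the ASA lists it as `anyconnect profiles AUTO disk0:/AUTO.xml`, and the `anyconnect profiles value AUTO type user` line in the group policy is what makes the client download it on the first manual connection (on Windows it lands under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile). Note that the trusted-network decision rests entirely on the DNS suffix and DNS servers the laptop's adapter is given, so pick values that only the corporate LAN hands out; a match on the domain alone is not enough when servers are listed.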
After all this has been configured you are ready to test your connection. First you need to connect with AnyConnect manually so that the AnyConnect client downloads the profile. After that you can connect to an untrusted network and test whether your AnyConnect client connects automatically.