2014/05/13

Automatic Anyconnect VPN connection on untrusted networks

Remote workers often need the VPN to come up automatically whenever they are outside the company network. You can use a Cisco ASA and the AnyConnect client to deploy such a solution. In this blog post I will show you how to configure the Cisco ASA to support AnyConnect for such a deployment. Certificates will be used for authentication.

The first thing is to configure the SSL VPN server on the Cisco ASA to use certificates for authentication. I will skip the certificate issuing procedure; keep in mind, though, that the CA which issues the client certificates must be installed as a trustpoint on the ASA (crypto ca trustpoint), otherwise certificate authentication will fail. Below you will find a basic configuration for SSL VPN on the ASA.

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable

ssl trust-point SSLVPN_CERT outside

group-policy SSLVPN_GP attributes
 dns-server value 192.168.1.10 192.168.1.11
 vpn-filter value SSLVPN_FW
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT
 default-domain value example.com
 address-pools value SSLVPN_POOL

tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 default-group-policy SSLVPN_GP
tunnel-group SSLVPN_TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/auto enable


This is the basic SSL VPN configuration and you can already try to connect on the outside interface. The next step is to create an AnyConnect client profile that carries the policy for automatic VPN connection on untrusted networks. You can create the AnyConnect profile via ASDM.

When you are connected to the ASA with ASDM, go to Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile. Here you can add a new AnyConnect profile. Click the Add button and choose a Profile Name and a Profile Location. You can also assign this profile to the group policy you created in the previous step, but this can be done later with the following command as well. Click OK and Apply.

group-policy SSLVPN_GP attributes
 webvpn
  anyconnect profiles value AUTO type user


 

Now double-click the profile that has been created and configure it.

Preference (Part 1)

  • Select User as the certificate store, so that AnyConnect only looks for a client certificate in the user's personal store.


Preference (Part 2)
  • Uncheck Disable Automatic Certificate Selection, which configures AnyConnect to pick the correct certificate on its own (using the Certificate Matching rules configured below).
  • Check Automatic VPN Policy and select Disconnect as the Trusted Network Policy and Connect as the Untrusted Network Policy. You must also enter the DNS domain name of your trusted network (Trusted DNS Domains) and you should add your internal DNS servers (Trusted DNS Servers) as well. Keep in mind that Trusted Network Detection decides based on the DNS suffix and DNS servers the client receives, values a hostile network can hand out via DHCP, so it is a convenience feature, not an enforcement mechanism; if users must never bypass the VPN, use Always-On instead.

Certificate Matching
  • In this tab you configure which certificate AnyConnect uses when connecting to the SSL VPN server. I have selected Distinguished Name matching on ISSUER-CN, i.e. the client certificate must have been issued by the CA whose Common Name is entered here.



Server List
  • You must add at least one server, otherwise Certificate Matching will be ignored. Use the hostname from the group-url (vpn.example.com) as the host address and the path part (auto) as the user group, so that the entry maps to the tunnel-group SSLVPN_TG configured on the ASA.
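For reference, this is what the profile produced by the ASDM steps above looks like as XML. It is an added example, not a profile taken from the original post; ASDM stores it on the ASA as disk0:/AUTO.xml and pushes it to the client. The issuing CA name Example Issuing CA in the ISSUER-CN pattern is an assumed value and must be replaced with the Common Name of your own CA.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- AUTO.xml: AnyConnect client profile equivalent to the ASDM settings above.
     Added example; the CA name "Example Issuing CA" is an assumption. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

    <!-- Preference (Part 1): look for the client certificate in the user's store only -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>

    <!-- Preference (Part 2): "Disable Automatic Certificate Selection" unchecked -->
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>

    <!-- Preference (Part 2): Trusted Network Detection.
         The client is "trusted" when its DNS suffix and DNS servers match the
         values below, so treat this as convenience, not enforcement. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>example.com</TrustedDNSDomains>
      <TrustedDNSServers>192.168.1.10,192.168.1.11</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>false</AlwaysOn>
    </AutomaticVPNPolicy>

    <!-- Certificate Matching: only a certificate issued by this CA is offered -->
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <!-- Server List: host from the group-url, UserGroup is the path part,
       which selects tunnel-group SSLVPN_TG on the ASA -->
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>auto</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

When troubleshooting, check that the downloaded copy on the client actually contains these settings (on Windows it lives under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\AUTO.xml); a profile that never arrived is the most common reason auto-connect does nothing.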

After all this has been configured you are ready to test the connection. First connect with AnyConnect manually, so that the client downloads the profile from the ASA; the profile is only pushed during a successful connection. After that, move to an untrusted network and check whether the AnyConnect client connects automatically. On the ASA, show vpn-sessiondb anyconnect lists the established session and the certificate-authenticated user.