Remote workers often need an automatic VPN connection whenever they are outside the company network. You can use a Cisco ASA and the AnyConnect client to deploy such a solution. In this blog post I will show you how to configure the Cisco ASA to support AnyConnect for such a deployment. Certificates will be used for authentication.
The first step is to configure the SSL VPN server on the Cisco ASA to use certificates for authentication. I will skip the certificate issuing procedure. Below you will find the basic configuration for SSL VPN on the ASA.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable
ssl trust-point SSLVPN_CERT outside
group-policy SSLVPN_GP attributes
 dns-server value 192.168.1.10 192.168.1.11
 vpn-filter value SSLVPN_FW
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT
 default-domain value example.com
 address-pools value SSLVPN_POOL
tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 default-group-policy SSLVPN_GP
tunnel-group SSLVPN_TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/auto enable
This is a basic SSL VPN configuration, and you can now try to connect to the outside interface. The next step is to configure an AnyConnect profile, which will create the policy for automatic VPN connection on untrusted networks. You can create the AnyConnect profile via ASDM.
When you are connected to the ASA with ASDM, click Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile. In this configuration mode you can add a new AnyConnect profile. Click the Add button and choose the Profile Name and Profile Location. You can also apply this profile to the Group Policy you created in the previous step. This can also be done later with the following commands. Click OK and Apply.
group-policy SSLVPN_GP attributes
 webvpn
  anyconnect profiles value AUTO type user
Now double-click the profile that has been created and configure it.
Preference (Part 1)
- Select User as the certificate store.
Preference (Part 2)
- Uncheck Disable Automatic Certificate Selection, so that AnyConnect automatically selects the correct certificate.
- Check Automatic VPN Policy and select Disconnect for the Trusted Network Policy and Connect for the Untrusted Network Policy. You must also enter the DNS domain name of your trusted network, and you should also add the DNS servers.
Certificate Matching
- In this tab you can configure which certificate to use when connecting to the SSL VPN server. I have selected the ISSUER-CN.
Server List
- You must add at least one server, otherwise Certificate Matching will be ignored. Configure the same display name and host address as used in the tunnel-group.
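The ASDM settings above end up in the profile XML that the client downloads, so they can be checked before rollout. The following is an added example, not part of the original post: a small Python audit of a constructed profile. The XML element names and namespace are assumed to match what the ASDM profile editor writes, and `audit_profile` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
# Constructed sample profile (not from the post); element names are assumed to
# follow the AnyConnect profile XML written by the ASDM profile editor.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ClientInitialization>
  <CertificateStore>User</CertificateStore>
  <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
  <AutomaticVPNPolicy>true
   <TrustedDNSDomains>example.com</TrustedDNSDomains>
   <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
   <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
  </AutomaticVPNPolicy>
 </ClientInitialization>
 <ServerList>
  <HostEntry>
   <HostName>vpn.example.com</HostName>
   <HostAddress>vpn.example.com</HostAddress>
  </HostEntry>
 </ServerList>
</AnyConnectProfile>"""

def _text(root, path):
    el = root.find(path, NS)  # None when the element is absent
    return None if el is None else (el.text or "").strip()

def audit_profile(xml_text):
    """Return findings; an empty list means the profile matches the post's settings."""
    root = ET.fromstring(xml_text)
    ci = "ac:ClientInitialization/"
    avp = ci + "ac:AutomaticVPNPolicy"
    expected = {
        ci + "ac:CertificateStore": "User",
        ci + "ac:AutomaticCertSelection": "true",
        avp: "true",
        avp + "/ac:TrustedNetworkPolicy": "Disconnect",
        avp + "/ac:UntrustedNetworkPolicy": "Connect",
    }
    findings = []
    for path, want in expected.items():
        got = _text(root, path)
        if got != want:
            findings.append(f"{path.split(':')[-1]}: expected {want!r}, found {got!r}")
    if not _text(root, avp + "/ac:TrustedDNSDomains"):
        findings.append("TrustedDNSDomains: empty, trusted network cannot be detected")
    if root.find("ac:ServerList/ac:HostEntry/ac:HostAddress", NS) is None:
        findings.append("ServerList: no HostEntry, Certificate Matching is ignored")
    return findings
```

Run `audit_profile` on the XML exported from ASDM; any finding names the setting that differs from the steps above.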
After all this has been configured, you are ready to test your connection. First you need to connect with AnyConnect manually, so that the AnyConnect client downloads the profile. After that you can connect to an untrusted network and test whether your AnyConnect client connects automatically.