2014/05/13

Automatic AnyConnect VPN connection on untrusted networks

Remote workers often need a VPN connection that comes up automatically whenever they are outside the company network. You can deploy this with a Cisco ASA and the AnyConnect client. In this blog post I will show you how to configure the Cisco ASA to support AnyConnect for such a deployment. Certificates will be used for authentication.

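The first step is to configure the SSL VPN server on the Cisco ASA to use certificates for authentication. I will skip the certificate issuing procedure. Below you will find a basic configuration for SSL VPN on the ASA. The trustpoint SSLVPN_CERT, the ACLs SSLVPN_FW and SSLVPN_SPLIT, and the address pool SSLVPN_POOL that it references are not shown here and must already exist.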

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable

ssl trust-point SSLVPN_CERT outside

group-policy SSLVPN_GP attributes
 dns-server value 192.168.1.10 192.168.1.11
 vpn-filter value SSLVPN_FW
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT
 default-domain value example.com
 address-pools value SSLVPN_POOL

tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 default-group-policy SSLVPN_GP
tunnel-group SSLVPN_TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/auto enable


This is a basic SSL VPN configuration, and you can now try to connect to the outside interface. The next step is to configure an AnyConnect profile that defines the policy for automatic VPN connection on untrusted networks. You can create the AnyConnect profile via ASDM.

Once you are connected to the ASA with ASDM, click Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile. Here you can add a new AnyConnect profile. Click the Add button and choose a Profile Name and Profile Location. You can also apply the profile to the Group Policy you created in the previous step. Click OK and Apply. The profile can also be applied to the Group Policy later with the following commands.

group-policy SSLVPN_GP attributes
 webvpn
  anyconnect profiles value AUTO type user


 

Now double-click the profile that has been created and configure it.

Preference (Part 1)

  • Select User as the certificate store.
 


Preference (Part 2)
  • Uncheck Disable Automatic Certificate Selection, so that AnyConnect automatically selects the correct certificate.
  • Check Automatic VPN Policy, then set Trusted Network Policy to Disconnect and Untrusted Network Policy to Connect. You must also enter the DNS domain name of your trusted network, and you should also add its DNS servers.
 

Certificate Matching
  • In this tab you can configure which certificate to use when connecting to the SSL VPN server. I have selected ISSUER-CN.



Server List
  • You must add at least one server, otherwise Certificate Matching will be ignored. Configure the same display name and host address as used in the tunnel-group.

 

After all this has been configured, you are ready to test your connection. First you need to connect with AnyConnect manually, so that the AnyConnect client downloads the profile. After that you can connect to an untrusted network and check that your AnyConnect client connects automatically.
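
The ASDM settings above end up in an XML profile on the client, so they can be checked before the profile is rolled out. The following is an added example, not part of the original post: a constructed profile using the AnyConnect profile element names, and a hypothetical audit_profile() helper that verifies the Preferences, Automatic VPN Policy and Server List choices described here. The issuer pattern EXAMPLE-ISSUING-CA, the display name and the reuse of the group-policy DNS servers as trusted DNS servers are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
# Constructed sample profile; issuer pattern, display name and DNS values are assumptions.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>User</CertificateStore>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>example.com</TrustedDNSDomains>
      <TrustedDNSServers>192.168.1.10,192.168.1.11</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
    <CertificateMatch><DistinguishedName>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
        <Name>ISSUER-CN</Name><Pattern>EXAMPLE-ISSUING-CA</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName></CertificateMatch>
  </ClientInitialization>
  <ServerList><HostEntry>
    <HostName>vpn.example.com</HostName>
    <HostAddress>vpn.example.com</HostAddress>
    <UserGroup>auto</UserGroup>
  </HostEntry></ServerList>
</AnyConnectProfile>"""

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the post."""
    root = ET.fromstring(xml_text)
    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None
    ci = "ac:ClientInitialization/"
    tnd = ci + "ac:AutomaticVPNPolicy"  # mixed content: text "true", then child elements
    expected = {
        ci + "ac:CertificateStore": "User",
        ci + "ac:AutomaticCertSelection": "true",
        tnd: "true",
        tnd + "/ac:TrustedNetworkPolicy": "Disconnect",
        tnd + "/ac:UntrustedNetworkPolicy": "Connect",
    }
    findings = [f"{p.split(':')[-1]}: expected {want!r}, got {text(p)!r}"
                for p, want in expected.items() if text(p) != want]
    if not text(tnd + "/ac:TrustedDNSDomains"):
        findings.append("TrustedDNSDomains is empty (the post requires it)")
    if root.find("ac:ServerList/ac:HostEntry/ac:HostAddress", NS) is None:
        findings.append("ServerList has no host: certificate matching is ignored")
    return findings
```

Calling audit_profile() on the XML exported from ASDM returns an empty list when the profile matches the settings in this post, and one line per deviation otherwise.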
