1. Log in to ASAv
See Logging in to an ASAv for more information.
Run the Identity Certificate Wizard in Simple Mode. Download the certificate to import later.
Right-click on the local instance of Java on whichever machine is running ASDM, and select Properties.
Navigate to the Security tab and select Manage Certificates.
Select Import, navigate to the certificate created by ASDM, and import that certificate. Apply all settings.
Once the certificate has been imported, return to ASDM. Go to Wizards at the top, then run the AnyConnect VPN Wizard as shown below.
Name the profile appropriately. Select the OUTSIDE interface.
Select the Device Certificate generated earlier from the dropdown menu.
AnyConnect Images can be obtained by contacting GreenCloud Support.
Authentication can be performed against a local username/password list, which is directly configurable from the “Authentication Methods” screen. Enter each username/password pair into the Local User Database to configure.
Alternately, RADIUS authentication can be set up by selecting “New…” next to the “AAA Server Group” dropdown.
Configure the Domain Controller’s internal IP and authentication group, and add the Secret Server Key, then select OK. This will authenticate VPN users against the Domain Controller’s user database.
Select “New” from the “Client Address Assignment” page. Specify a separate IP pool from all other subnets available on the customer’s networks.
The address pool created in this step should be auto-selected in the Client Address Assignment page.
Input the internal address of the customer’s DNS server. Enter the Domain Name if appropriate.
Select the “Exempt VPN Traffic…” checkbox in order to make the VPN NAT exempt.
Select “Finish” after verifying the VPN configuration. Send the commands to the ASAv in the CLI commands window.
A Split Tunnel configuration allows the VPN to route traffic across both the external and internal interfaces. This allows outward-facing traffic to behave normally while internal traffic is routed through the VPN.
Under “Configuration”, select “Remote Access VPN” in the lower left, and expand “Network (Client) Access”. Then select AnyConnect Connection Profiles. Find the VPN that was just set up under Connection Profiles, select it, and click “Edit”. This will display the connection profile editing window as shown below.
Select “Manage” next to the Group Policy dropdown as shown above.
Find the group policy for the selected VPN (not the default one), select it and click “Edit” above.
Uncheck “Inherit” next to Policy, and select from the dropdown menu “Tunnel Network List Below”. Then uncheck “Inherit” next to Network List, and select “Manage”.
Under the Standard ACL tab, select “Add”, then select “New ACL”. Name the new ACL, then select “Add” then “New ACE”. Leave the Action radial button on Permit, and select the internal subnet (usually INSIDE-network/24) for the address. Add a description, and select “OK” on every nested menu before this one.
Navigate to the external IP of the ASAv in a web browser. The AnyConnect Download page will be displayed. Download the client and run the installer.
Once AnyConnect is installed, run the application and enter the external IP of the ASAv.
Enter the credentials as specified in the previous steps, and verify that the target network can be reached.