ASAv – AnyConnect Setup

1. Log in to ASAv

See Logging in to an ASAv for more information.

2. Generate Self-Signed Certificate

Launch Identity Certificate Wizard

Run the Identity Certificate Wizard in Simple Mode. Download the certificate to import later.

Export & Register Certificate in Java

Right-click on the local instance of Java on whichever machine is running ASDM, and select Properties.

Navigate to the Security tab and select Manage Certificates.

Select Import, navigate to the certificate created by ASDM, and import that certificate. Apply all settings.

3. Run AnyConnect Wizard

Once the certificate has been imported, return to ASDM. Go to Wizards at the top, then run the AnyConnect VPN Wizard as shown below.

Create Profile

Name the profile appropriately. Select the OUTSIDE interface.

Select SSL Protocol

Select the Device Certificate generated earlier from the dropdown menu.

Select AnyConnect Image

AnyConnect Images can be obtained by contacting GreenCloud Support.

Configure Authentication

Authentication can be performed against a local username/password list, which is directly configurable from the “Authentication Methods” screen. Enter each username/password pair into the Local User Database to configure.

Alternatively, RADIUS authentication can be set up by selecting “New…” next to the “AAA Server Group” dropdown.

Configure the Domain Controller’s internal IP and authentication group, and add the Secret Server Key, then select OK. This will authenticate VPN users against the Domain Controller’s user database.

Create IP Pool

Select “New” from the “Client Address Assignment” page. Specify a separate IP pool from all other subnets available on the customer’s networks.

The address pool created in this step should be auto-selected in the Client Address Assignment page.

Configure DNS

Input the internal address of the customer’s DNS server. Enter the Domain Name if appropriate.

NAT Exempt

Select the “Exempt VPN Traffic…” checkbox to exempt VPN traffic from NAT.

4. Save Configuration

Select “Finish” after verifying the VPN configuration. Send the commands to the ASAv in the CLI commands window.

5. Add Split Tunnel Configuration

A Split Tunnel configuration sends only traffic destined for the internal network through the VPN. Outward-facing traffic continues to behave normally and leaves through the client’s own connection, while internal traffic is routed through the VPN.

Under “Configuration”, select “Remote Access VPN” in the lower left, and expand “Network (Client) Access”. Then select AnyConnect Connection Profiles. Find the VPN that was just set up under Connection Profiles, select it, and click “Edit”. This will display the connection profile editing window as shown below.

Select “Manage” next to the Group Policy dropdown as shown above.

Find the group policy for the selected VPN (not the default one), select it and click “Edit” above.

Uncheck “Inherit” next to Policy, and select from the dropdown menu “Tunnel Network List Below”. Then uncheck “Inherit” next to Network List, and select “Manage”.

Under the Standard ACL tab, select “Add”, then select “New ACL”. Name the new ACL, then select “Add” then “New ACE”. Leave the Action radio button on Permit, and select the internal subnet (usually INSIDE-network/24) for the address. Add a description, and select “OK” on each nested menu to close it.
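
The following check is an added example, not part of the original article or any vendor tooling: it reads a saved `show running-config` excerpt and verifies the two points set in "Create IP Pool" and in this step, namely that the client pool is separate from the tunneled internal subnets and that the group policy uses "Tunnel Network List Below" with a defined ACL. The function name `audit` and every name and address in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed running-config excerpt; names and addresses are illustrative.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 10.10.50.10-10.10.50.100 mask 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.1.0 255.255.255.0
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
"""

def audit(config):
    """Return a list of findings for the pool and split-tunnel settings."""
    pools, acls, policies, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        # Only "permit <network> <mask>" entries are parsed (no host/any forms).
        elif m := re.match(r"access-list (\S+) standard permit ([\d.]+) ([\d.]+)$", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            current = policies.setdefault(m[1], {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    findings = []
    for name, attrs in policies.items():
        if attrs.get("split-tunnel-policy") != "tunnelspecified":
            findings.append(f"{name}: split-tunnel-policy is not tunnelspecified")
        acl = attrs.get("split-tunnel-network-list", "").removeprefix("value ")
        if acl not in acls:
            findings.append(f"{name}: split-tunnel ACL {acl!r} is not defined")
    for pool, (first, last) in pools.items():
        for acl, nets in acls.items():
            for net in nets:
                # Two ranges overlap when each starts before the other ends.
                if first <= net.broadcast_address and net.network_address <= last:
                    findings.append(f"pool {pool} overlaps {net} in ACL {acl}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
```
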

 

6. Download AnyConnect Client

Navigate to the external IP of the ASAv in a web browser. The AnyConnect Download page will be displayed. Download the client and run the installer. If the AnyConnect Client hosted on the ASAv is old or out of date, please open a ticket with Green Cloud Support to upload the most recent AnyConnect Client image.

7. Connect VPN

Once AnyConnect is installed, run the application and enter the external IP of the ASAv.

Enter the credentials as specified in the previous steps, and verify that the target network can be reached.
