ASAv – AnyConnect Setup

 1.      Log in to ASAv

See Logging in to an ASAv for more information.

2.      Generate Self-Signed Certificate

Launch Identity Certificate Wizard

Run the Identity Certificate Wizard in Simple Mode. Download the certificate to import later.

Export & Register Certificate in Java

Right-click on the local instance of Java on whichever machine is running ASDM, and select Properties.

Navigate to the Security tab and select Manage Certificates.

Select Import, navigate to the certificate created by ASDM, and import that certificate. Apply all settings.

3.      Run AnyConnect Wizard

Once the certificate has been imported, return to ASDM. Go to Wizards at the top, then run the AnyConnect VPN Wizard.

Create Profile

Name the profile appropriately. Select the OUTSIDE interface.

Select SSL Protocol

Select the Device Certificate generated earlier from the dropdown menu.

Select AnyConnect Image

AnyConnect Images can be obtained by contacting GreenCloud Support.

Configure Authentication

Authentication can be performed against a local username/password list, which is configured directly on the “Authentication Methods” screen. To configure it, enter each username/password pair into the Local User Database.

Alternatively, RADIUS authentication can be set up by selecting “New…” next to the “AAA Server Group” dropdown.

Configure the Domain Controller’s internal IP and authentication group, and add the Secret Server Key, then select OK. This will authenticate VPN users against the Domain Controller’s user database.

Create IP Pool

Select “New” from the “Client Address Assignment” page. Specify an IP pool that is separate from all other subnets available on the customer’s networks.

The address pool created in this step should be auto-selected in the Client Address Assignment page.

Configure DNS

Input the internal address of the customer’s DNS server. Enter the Domain Name if appropriate.

NAT Exempt

Select the “Exempt VPN Traffic…” checkbox in order to make the VPN NAT exempt.

4.      Save Configuration

Select “Finish” after verifying the VPN configuration. Send the commands to the ASAv in the CLI commands window.

5.      Add Split Tunnel Configuration

A Split Tunnel configuration allows the VPN to route traffic across both the external and internal interfaces. This allows outward-facing traffic to behave normally while internal traffic is routed through the VPN.

Under “Configuration”, select “Remote Access VPN” in the lower left, and expand “Network (Client) Access”. Then select AnyConnect Connection Profiles. Find the VPN that was just set up under Connection Profiles, select it, and click “Edit”. This will display the connection profile editing window.

Select “Manage” next to the Group Policy dropdown.

Find the group policy for the selected VPN (not the default one), select it and click “Edit” above.

Uncheck “Inherit” next to Policy, and select from the dropdown menu “Tunnel Network List Below”. Then uncheck “Inherit” next to Network List, and select “Manage”.

Under the Standard ACL tab, select “Add”, then select “New ACL”. Name the new ACL, then select “Add” then “New ACE”. Leave the Action radio button on Permit, and select the internal subnet (usually INSIDE-network/24) for the address. Add a description, and select “OK” on every nested menu before this one.
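To confirm that the Create IP Pool and split tunnel steps took effect, the check below reads a running-config excerpt and reports a group policy that does not tunnel a named network list, or a client pool that overlaps a tunneled internal subnet. It is an added example, not part of the original article or Cisco tooling; the sample config, its names (VPN-POOL, SPLIT-ACL, GroupPolicy_CORP-VPN) and its addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed running-config excerpt; every name and address is an assumption.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 10.99.0.10-10.99.0.50 mask 255.255.255.0
access-list SPLIT-ACL standard permit 192.168.10.0 255.255.255.0
group-policy GroupPolicy_CORP-VPN internal
group-policy GroupPolicy_CORP-VPN attributes
 dns-server value 192.168.10.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
"""

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Standard ACL entries given as network + mask ("host"/"any" are skipped).
    acls = {}
    for name, net, mask in re.findall(
            r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)", config, re.M):
        acls.setdefault(name, []).append(
            ipaddress.ip_network(f"{net}/{mask}", strict=False))
    # Each group policy must tunnel only the networks in an existing ACL.
    for gp, body in re.findall(
            r"^group-policy (\S+) attributes\n((?: .*\n)*)", config, re.M):
        mode = re.search(r"^ split-tunnel-policy (\S+)", body, re.M)
        if not mode or mode.group(1) != "tunnelspecified":
            findings.append(f"{gp}: split-tunnel-policy is not tunnelspecified")
        ref = re.search(r"^ split-tunnel-network-list value (\S+)", body, re.M)
        if not ref or ref.group(1) not in acls:
            findings.append(f"{gp}: network list missing or not a standard ACL")
    # The client pool must not overlap any internal subnet named in those ACLs.
    for pool, start, end in re.findall(
            r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for name, nets in acls.items():
            for net in nets:
                if lo <= net.broadcast_address and hi >= net.network_address:
                    findings.append(f"pool {pool} overlaps {net} in {name}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

A group policy that still has “Inherit” checked carries no split-tunnel lines of its own, so it is reported as not tunnelspecified.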

6.      Download AnyConnect Client

Navigate to the external IP of the ASAv in a web browser. The AnyConnect Download page will be displayed. Download the client and run the installer. If the AnyConnect Client hosted on the ASAv is old or out of date, please open a ticket with Green Cloud Support to upload the most recent AnyConnect Client image.

7.      Connect VPN

Once AnyConnect is installed, run the application and enter the external IP of the ASAv.

Enter the credentials as specified in the previous steps, and verify that the target network can be reached.
