ASA Anyconnect VPN
Benefits and features of Anyconnect
- Supports DTLS - Datagram Transport Layer Security
- Supports all major operating systems
- Support for start before logon (SBL)
- Automatic or manual (MSI package) installation
- Supports IPv6 internal networks
- Standalone client (doesn’t need a web browser)
- Certificate-based authentication
- Dynamic Access Policy (DAP - Failover)
- Supports Cisco Secure Desktop
SSL VPN Wizard

The wizard only allows one client image to be selected; images for other platforms can be added later.

NAT exemption so that traffic between the inside network and the VPN client addresses is not translated (pre-8.3 NAT syntax; the source is normally the inside network and the destination the VPN address pool, and the page uses 172.30.10.0/24 for both):

access-list NONAT extended permit ip 172.30.10.0 255.255.255.0 172.30.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
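On ASA 8.3 and later the nat 0 access-list form is rejected, and the same exemption is written as identity (twice) NAT. The following is an added example, not configuration from the page: the object names and the inside network 10.10.0.0/16 are assumptions, and 172.30.10.0/24 is taken from the page's NONAT entry as the VPN pool.

```cisco
! Added example (not from the page). INSIDE_NET, VPN_POOL and 10.10.0.0/16 are assumptions.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL
 subnet 172.30.10.0 255.255.255.0

! Identity NAT in both directions: inside <-> VPN client traffic keeps its real addresses.
! no-proxy-arp stops the ASA answering ARP for the untranslated addresses;
! route-lookup (8.4(2) and later) makes the egress interface come from the routing table.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

Check the result with show nat detail: a hit count that stays at zero while a client is connected means the rule is ordered below another NAT rule that is translating the traffic first.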
Split Tunnel Configuration

To enable split tunneling, the internal networks that should go through the tunnel need to be added to a Network List (a standard access list), and the group policy's split tunnel policy needs to be changed from Tunnel All Networks to Tunnel Network List Below.
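The same change on the CLI, as an added example rather than the page's own configuration. The network 10.10.0.0/16 and the names SPLIT_TUNNEL and ANYCONNECT_GP are assumptions.

```cisco
! Added example (not from the page). Network and names are assumptions.
! Standard ACL listing only the internal networks that should traverse the tunnel.
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

group-policy ANYCONNECT_GP attributes
 ! Default is tunnelall. tunnelspecified sends only the listed networks through
 ! the VPN and lets all other traffic leave the client directly.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

With tunnelspecified the endpoint is on the Internet and the corporate network at the same time, so traffic to anything not in the list is neither inspected nor logged by the ASA; keep the list tight and verify the running policy with show running-config group-policy ANYCONNECT_GP before rolling it out.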


Client Settings
Turn off Keep Installer on Client System so the client is uninstalled from the user's device on disconnect; leave it on if the client must stay installed, which Start Before Logon requires.
DTLS is enabled by default

Download the client automatically once the user signs into the portal.


Troubleshooting Commands
show vpn-sessiondb detail
show crypto protocol statistics ssl
debug webvpn
debug aaa
Debug output is verbose on a busy box; turn it off with no debug all when finished.

Certificate-based authentication
Enable local Certificate Authority server

Create a self-signed certificate

Add users to the database and generate a one-time password (OTP) for each user; the user presents the OTP to enroll and download the certificate onto their device.
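The three steps above (self-signed identity certificate, local CA, user enrollment) on the CLI, as an added example and not the page's own configuration. The key and trustpoint names, the hostname vpn.example.com, the issuer DN, the username alice and her DN and e-mail address are assumptions.

```cisco
! Added example (not from the page). All names, DNs and the hostname are assumptions.

! 1. Self-signed identity certificate that the ASA presents to SSL VPN clients
crypto key generate rsa label SSL_KEY modulus 2048
crypto ca trustpoint SSL_SELF
 enrollment self
 subject-name CN=vpn.example.com
 keypair SSL_KEY
crypto ca enroll SSL_SELF noconfirm
ssl trust-point SSL_SELF outside

! 2. Local CA that issues the client certificates. "no shutdown" prompts for a
!    passphrase that protects the CA key; certificates issued here are trusted
!    through the LOCAL-CA-SERVER trustpoint the ASA creates.
crypto ca server
 issuer-name CN=asa-local-ca,O=Example
 lifetime certificate 365
 otp expiration 72
 no shutdown

! 3. Add the user and allow one enrollment; display-otp prints the one-time password
crypto ca server user-db add alice dn CN=alice,O=Example email alice@example.com
crypto ca server user-db allow alice display-otp

! Verify: alice should be listed as allowed, with the OTP expiry time
show crypto ca server user-db allowed
```

A self-signed identity certificate will raise a warning in every client until it is distributed to them; for anything beyond a lab, enroll SSL_SELF against an enterprise or public CA instead of enrollment self. The OTP is shown once, so hand it to the user out of band and do not leave it in a terminal log.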


Enable Anyconnect

SSL VPN Connection Profile

Group Policy
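The Client Settings, Enable AnyConnect, SSL VPN Connection Profile and Group Policy steps above on the CLI, using the pre-8.4 svc keywords that match the nat 0 era of this page. This is an added example, not the page's configuration: the image filename, the pool range inside 172.30.10.0/24 and the names VPN_POOL, ANYCONNECT_GP and ANYCONNECT_TG are assumptions.

```cisco
! Added example (not from the page). Image name, pool range and all names are assumptions.
ip local pool VPN_POOL 172.30.10.10-172.30.10.100 mask 255.255.255.0

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 ! show the connection-profile drop-down on the portal
 tunnel-group-list enable

group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol svc
 webvpn
  ! Client Settings: remove the client on disconnect, DTLS on,
  ! and push the client to the user without asking
  svc keep-installer none
  svc dtls enable
  svc ask none default svc

tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 ! certificate-only authentication; certificates from the local CA are
 ! validated via the LOCAL-CA-SERVER trustpoint
 authentication certificate
 group-alias anyconnect enable
```

On 8.4 and later the same settings use anyconnect image / anyconnect enable, vpn-tunnel-protocol ssl-client, and anyconnect keep-installer, anyconnect dtls and anyconnect ask in place of the svc forms. After a client connects, show vpn-sessiondb detail should list the session under tunnel group ANYCONNECT_TG with both an SSL-Tunnel and a DTLS-Tunnel; a missing DTLS-Tunnel usually means UDP 443 is blocked between client and ASA and the client has fallen back to TLS only.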

Client login using certificate

Login will fail at first because the client does not yet have a certificate; use the link on the portal page to request one with the OTP.

Use the OTP as the password for the private key when importing the certificate (the enrollment download is a PKCS#12 file containing the key and the certificate). The OTP is only valid for the configured expiration window and is consumed by the enrollment; if it expires, the user must be re-allowed on the ASA to receive a fresh one.
