ASK THE EXPERT : Secure Mobility with AnyConnect 3.0

ciscomoderator
Community Manager
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to implement Secure VPN Mobility using Cisco AnyConnect with Cisco expert Naman Latif. Naman is a technical support engineer at the Cisco Technical Assistance Center for VPN and security technologies. His area of expertise includes configuration and troubleshooting for Cisco’s security product portfolio including VPN, PKI and firewall technologies as well as Client and Cisco Adaptive Security Appliance (ASA).
 
Remember to use the rating system to let Naman know if you have received an adequate response.
 
Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security, VPN discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

42 Replies

Hi Joceyln,

1. AnyConnect on iPad\iPhone provides full IP connectivity to the Enterprise network and it doesn't interfere with any Apps running on iPad\iPhone. So if you want to access a Windows Share, you will need to find an App that can connect to SMB\Windows shares (unless this is already built into the iPad\iPhone).

AnyConnect itself is only to provide connectivity and doesn't perform any other functions i.e. Share access etc.

2. You can use Dynamic Access Policies to restrict only a certain set of Users to connect from iPhone\iPad.

E.g. You can place the authorized Users in a specific AD group and then use DAP to configure an access policy that only allows access to Users from that Group, when the End host is iPad\iPhone.

ASA is able to detect the end device being iPhone\iPad if you do an 'OS Check' in the DAP Policy.

3. AnyConnect for Android OS (Samsung Devices) will be available soon. However, to get an exact date of the release, you will have to contact your Cisco Account team as they can provide a more specific date.

I hope this helps.

Thanks,

Naman

Simon Marley
Level 1

Hey Naman,

I have a profile which is set to launch the AnyConnect client on successful authentication. What I'd like to do is close the portal window once the client loads and connects, as this isn't required for the user once AC is connected. Do you know if this is possible?

If not, is it possible to customise this portal page like other ones?

I've attached a screenshot of the screen I'm referring to.

We are running 8.4.1

Apologies if this isn't 100% AnyConnect related.

Many thanks in advance,

Simon

Hi Simon,

Thanks for participating in the session.

Currently it is not possible to customize the AnyConnect Launch\Web Launch page.

As for closing the window, you can either

1. Have your Users use the Stand-Alone client, unless there is a preference to launch through IE or any other browser.

2. The second option is to use Scripting to close the IE Window after the AnyConnect client has connected. AnyConnect provides the ability to run pre-connect and post-connect scripts as below:

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1068902

You can write a script which will close the IE window after AnyConnect has connected. The scripts are not provided by Cisco and can be in any language as long as they can be run from the command-line.

E.g. You can write a script in VBScript and then use "wscript \ cscript" executables to run the script.

There are quite a few examples available on Google for using VBScript to close an open IE window.

Hope this helps.

Thanks,

Naman

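As an added illustration of the post-connect scripting Naman describes (example code, not from Cisco, the AnyConnect product, or anyone in this thread): a VBScript that, when AnyConnect runs it after the tunnel is up, closes only the Internet Explorer window that is still showing the ASA portal. It assumes `vpn.example.com` as a placeholder for the ASA's hostname and that the script is deployed as a post-connect ("OnConnect") script in the way the linked administration guide describes; the deployment path is not reproduced here.

```vbscript
' Added example (not from Cisco or the thread): AnyConnect post-connect script
' that closes the Internet Explorer window still showing the ASA portal page.
' Assumption: PORTAL_HOST is a placeholder for your ASA's hostname.
Option Explicit

Const PORTAL_HOST = "vpn.example.com"

Dim shellApp, win, url, toClose, i
Set shellApp = CreateObject("Shell.Application")
toClose = Array()

' Collect the matching windows first; quitting a window inside the loop
' would change the ShellWindows collection while it is being walked.
For Each win In shellApp.Windows
    url = ""
    On Error Resume Next
    url = win.LocationURL          ' file:// for Explorer folder windows
    On Error GoTo 0
    ' Match the portal host only; other IE tabs and Explorer windows stay open.
    If InStr(1, url, "://" & PORTAL_HOST, vbTextCompare) > 0 Then
        ReDim Preserve toClose(UBound(toClose) + 1)
        Set toClose(UBound(toClose)) = win
    End If
Next

' Close only the portal window(s).
For i = 0 To UBound(toClose)
    toClose(i).Quit
Next
```

Run it with `cscript //nologo OnConnect.vbs` (the `//nologo` switch keeps a console window from showing the cscript banner). Matching on the portal hostname rather than the window title is deliberate: it leaves the user's other browser windows untouched and keeps the script from doing anything at all when no portal window is open.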
Perfect, many thanks Naman

miro.siman
Level 1

Hello Naman

We are in the process of migrating our remote access users from the old Cisco IPsec VPN client to AnyConnect 3.0. Regarding part of the AnyConnect solution, NAM, I have a question.

NAM is a perfect solution for securing/managing wired and wireless connections, but we found out that NAM couldn't manage other types of connections, e.g. 3G adapters. So a user can manually start another connection over 3G. Is there any solution for this issue?

thank you

miro

Hi Miro,

Thanks for participating in the discussion.

Currently the NAM module doesn't support 3G cards. The support is planned for a future release but there is no fixed schedule at this time.

You can always contact your Cisco Account team and they should be able to provide a more accurate status of this enhancement.

Hope this helps.

Thanks,

Naman

mrp_netsol
Level 1

I am implementing a new ASA 5510 with AnyConnect Essentials Licenses. I have it connecting and giving out IP addresses from a local pool to the VPN clients, but somehow it is getting a default gateway that is not set anywhere on the device. I set a static default route on the device but the VPN clients ignore that and take this x.x.0.1, which is an invalid IP on my network.

What sets the VPN clients' default gateway if not the static 0.0.0.0 route on the interface? That is what everything I have read tells me to set. Well, it is..

Any help?

Hi Randy,

Thanks for participating in this discussion.

The use of a default gateway in a Remote Access Connection (AnyConnect) is not relevant, as the traffic is forwarded through the Interface (in this case it will be the "AnyConnect Virtual Connection Adapter"). The ASA on the receiving end then responds even if the traffic is destined to another subnet, i.e. acting as Proxy-ARP.

I assume that the traffic is still getting to its destination? If not then it will be some other issue and needs to be looked at in detail (you can open a TAC case to investigate), but it will not be a Default-Gateway issue.

Hope this helps.

Thanks,

Naman

Traffic fails utterly once I connect to the VPN. I assumed it was the gateway thing. I wonder if it is because I am attempting to use a single interface, as I have a managed firewall from a vendor and I simply need the VPN functionality. I have acl permit any any on the interface. Is my plan just doomed without a second interface so I have an inside and outside interface?

Anyway, how does one open a TAC case?  I am new to these forums.  Thanks, Randy

scratch that...pings fail...dns fail.  I can still reach servers by ip address.

Is the firewall on the PC? Or are you talking about the ASA Firewall?

If you can reach by IP but DNS \ Ping fails then it is more likely a firewall issue and AnyConnect seems to be fine. If it's a personal firewall then what happens if you turn off the personal firewall?

As for opening the TAC case, you can use the information below:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

You will need to have a valid SmartNet contract to get support from Cisco TAC.

Thanks,

Naman

By firewall I was referring to the ACL associated with the VPN or interface. I will mess with that some more, thanks.

Yeah i am new to smartnet so still finding my way around.  Thanks for the link.

miro.siman
Level 1

Hi Naman

I have another question regarding Cisco AnyConnect 3.0 configuration. During our tests we found out that it's possible to connect to "another" network. Here are more details. We need to use TND and Always-on. The user doesn't have NAM installed. When the user is connected to the trusted network he can still connect to another, e.g. wireless, network by using the standard Windows wireless card settings.

The Windows routing table is populated with another default route (from the wifi DHCP) but with a worse metric, so the user cannot use this for connecting to the internet. But it is still possible to connect to/from other computers in the attached wireless network.

Is there any possibility of configuring AnyConnect 3.0 to avoid this?

thanks

miro

Hi Miro,

AnyConnect itself without the NAM module cannot control the LAN\Wireless adapters.

If you want to control the Wireless connection then I guess the best way will be to use NAM; then you can control the SSID to which Users are allowed to connect by pushing specific NAM profiles through ASA etc.

Hope this helps.

Thanks,

Naman

J_Vansen_S
Level 3

Hi Naman

My objective is to get the host scanned for Anti-virus, but I failed to get it to work.
I am using a test lab without an external AAA server. All credentials are stored locally. Is a RADIUS server needed for this to work?

I have tried disabling the laptop's Microsoft Security Essentials, but it still managed to pass the post check and logs me into the VPN.

  • Endpoint Assessment ver3.4.17.1 enabled
  • DAP - AAA Attribute: I have used the VPN connection profile, and for Endpoint attributes I have selected Microsoft Security Essentials.

I'd appreciate it if you could provide me with some pointers, as my understanding of DAP is limited.

Thanks
