Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn about configuration basics of AnyConnect Secure Sockets Layer VPN Client on Adaptive Security Appliances through Adaptive Security Device Manager with Vikas Saxena. Vikas has been a customer support engineer at the Cisco Technical Assistance Center since 2003. Currently he is associated with the Security and VPN teams. His areas of expertise include VPN, firewalls, public key infrastructure, Cisco Security Manager, intrusion prevention systems, and Linux. He holds CCIE certification #19971 in Security.
Remember to use the rating system to let Vikas know if you have received an adequate response.
Vikas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 22, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
I would like to thank you for this opportunity and just ask you a couple of quick questions...
Personally I'm used to the CLI for the most part, but...
I know that it's recommended to configure the SSL via ASDM via the wizard or even manually, but can you use the ASDM when something does not work?
I mean.. for troubleshooting a non-working AnyConnect connection... how would you use ASDM to troubleshoot (or better CLI)?
What's coming new for SSL in Cisco ASAs in a future release?
Thanks for being so active in the community.
>>I know that it's recommended to configure the SSL via ASDM via the wizard or even manually, but can you use the ASDM when something does not work?
ASDM unlike VPN 3000 Concentrator GUI is not itegrated into the code of the ASA. ASDM is just an application which runs the command (availble for CLI users) and pipes the output to the GUI parser. Troubleshooting through ASDM is still only limited to watching the live logs in the log viewer.
>>I mean.. for troubleshooting a non-working AnyConnect connection... how would you use ASDM to troubleshoot (or better CLI)?
As I mentioned before, the syslogs can be viewed regarding an AnyConnct connection problem, Apart from that debugs have to be run through the CLI only.
To troubleshoot the first thing is to ascertain where the problem is for example. the problem could be with the initial SSL connection or after the initial connection. Because the AnyConnect protocol travels inside the SSL connection. If the SSL Connection is established and the client is not connecting than 'deb webvpn svc' can show us where the problem is. Again, the problem could be DAP or tunnel/group policy assignment or plain client install problem (debug dap ? for all the options for DAP). For pure client side issues DART is the best tool, simply because it collects whatever there is related to AnyC client and presents the information in one place.
>> What's coming new for SSL in Cisco ASAs in a future release?
The AnyConnect client 3.0 is still in Beta, therefore the features present in Beta may or may not be present in the released client. However, as per the initial reports IKEv2 (that means IPSEC Client) could be one of the main features. Stay tuned for the release, I would say.
When the AnyConnect SSL VPN Client 3.0 is released, will it run on Cisco IOS 8.0.5? Thanks.
This will actually depend upon the features which will be there in the new client.
Nothing can be said with certainty regarding the features as the client is still due to be released.
I would like to know whether there is a way to assign group policy based on the user group authenticated against LDAP. e.g. User is group XYZ he will have different policy while user in Group ABC will be assigned different group policy.
Thanks in advance
In case of user authentication via LDAP the memberOf attribute associated with the user is sent acorss by the LDAP server. On Cisco ASA we can go ahead and map the memberof attribute with other RADIUS attribute / Cisco Attribute etc. Once the mapping is done we can map the value accordingly.
For example: A user by name Deepak can be part of Group"Employee" in a domain sectac.com. As soon as user Deepak logs in the LDAP server will return the authentication success and memberOf Employee. We can configure ASA to map the LDAP attribute value Employee to group policy like Employee etc.
A LDAP the representation of syntax above will be like:-
CN=Users is like folder under which this group exist.
We had an example in the presentation by Vikas and I have attached the screeen shot of Mapping with example. Additionaly, you will find the following link helpful.
Hope this helps.
Thanks for the prompt response and its perfect match for the solution that i was looking for. Appreciate your time and help.
I would like to thank you for this opportunity and I need your help in my setup...
I use an ASA 5520 with 2800 Cisco router as in the design attached to this email and I did a Site-Site VPN connection from the router inter face (10.10.0.1/16) in the users subnet (10.10.X.X /16) to the interface of the ASA (10.100.1.1) in the Subnet (10.100.1.X /24) and it did not work, any advice will by appreciated,
Thanks in advanced
Please note, this thread is specifically meant for "ANYCONNECT SSL VPN CLIENT ON ASA THROUGH ASDM" . However; in your case you seems to be looking for an assistance with regard to IPSEC Lan to Lan VPN.
I would request you to please go ahead and post the query under the correct thread :-
Also, please get the output of show cry ipsec sa and sh cry isakmp sa to check on which phase concerned tunnel is failing. On ASA please get show run crypto and on IOS router get the ouput of show run | sec cry and show access-list used as crypto acl.
Thanks, for understanding.
I'll be configuring an AnyConnect Client & ASA remote access solution and will need to enforce a requirement that the client systems are corporate-owned and imaged computers. I know there are a variety of watermark checking features, but I'm curious if you have any experience and/or suggestions on what the most reliable files, registry entries, etc. are that people generally use for this feature. I'm thinking that checking for the existence and valid checksum of the corporate drive encryption software might be a good start, and possibly a registry entry or two that would indicate that the software is installed and active. Does this sound reasonable? And just to keep this question more on-topic, is ASDM a good approach for configuring this, or is it easier to use the CLI? I'm reasonably comfortable with both.
Thanks for any advice you can share.
on an ASA5510, what is the most stable software version to enable the anyconnect feature? and how do we publish a portal, based on the user who is logging in, so this portal can show the user the files he is allowed to access?
for example, if userA logs in via ciscoanyconnect, we want him to land into a portal where he will have access to folders he is allowed. the same thing for userB... when userB gets in, we want to land him on a portal that will make visible only the items he is allowed to see.
Generally it is recommened to be on the latest version of the anyconnect client. It will provided the widest support for operating systems and the most recent bug fixes. With that being said many customers have found that the latest version in the 2.4.x throttle works well.
In regards to your second question that seems more related to the clientless portal rather than anyconnect. Under the user/group accounts you can configure different bookmarks or customizations. This way user a and user b will have different links presented to them. You will naturally need to provide some method to distinguish user a from user b. Perhaps ldap mapping as was mentioned earlier in the thread.