Need some help in setting up AnyConnect.
I am new to the Cisco world and am right now having a nightmare in just getting the licenses needed to run VPN on my router RV345P.
I am now trying to get the licenses below but the CISCO helpdesk is a bit bitchy as they claim they are not on my name but on the sellers name, although I have PAK ID and password...
As per notes from community :
To associate your AnyConnect Client Licence to your RV345 you must generate a Token from your Smart Account. Then go to your RV345 GUI -> Administration -> Licence -> Click on Register, and there you paste the Token generated. This is the way you associate the Licence with the RV.
About the AnyConnect Software, you must call Enterprise TAC +1 800 553 2447. They must associate your Service Contract (Licence) with your Cisco Smart Account. Then you go to Downloads, search for AnyConnect and click on Download.
here is the link for reference :
Great, went all through and now the next questions appear...
which download should I take? is there a guide to install the VPN Software itself?
Each one is self explanatory,
if you are looking to just install on Windows (not like enterprise auto package along with Windows) then download below
ok. so i have somehow installed the anyconnect client on my windows 10 laptop. great.
Looking at the RV345P handbook, it seems that I can only use the SSL VPN with the AnyConnect client software, right?
I did start the installation on the router but then get to the questions about
Client Address Pool: Enter the IP address of the client address pool.
Client Netmask: Enter the client netmask.
Client Domain: Enter the client domain name.
what is expected to be entered here??
and after having all installed. how do I setup the anyconnect client on my laptop? i find no manuals to that...
why is it that complicated and why is there not a simple handbook explaining all??
have you looked at the admin guide :
yes, i did.
and the expressions I copied out there.. page 100 ... this manual gives no hint on what to enter there.
any IP address entered in Client Address Pool results in invalid subnet prefix message.
Are there any additional settings needed on the router for the address pool??
and what about the client domain.. what is needed there?
When you create a VPN connection, the remote client is given an address that will be recognized on the main network where the router or firewall is located. That address is assigned from a "pool" which is usually defined as a subnet. Something like "192.168.100.0 255.255.255.255", for example.
We also assign the client a default domain for ease of looking up remote addresses. So, for instance if your main domain is "company.com", you can assign that to the clients so that when they lookup something like your intranet home page they can just type "intranet" and not "intranet.company.com" (simple example and it may not apply to you exactly, but it makes the point).
thank you Marvin
well, i am a private user and have no domain . so I just leave that one blank?
and regarding the pool, just entering a value that the router will then use (no other settings needed)?
I could save the SSL VPN Settings with that
I also have now anyconnect installed on my laptop... BUT I get the impression the real work now starts... how do I now setup the vpn connection on my laptop???
For the pool, you need to assign addresses that the internal network behind the router will recognize need to be routed to the router for reachability and that do not conflict with anything existing.
In the most simple setup:
remote client ---> Internet ---> router public address :router: router private address ---> internal network
Say the internal network is 192.168.1.0 /24. All internal hosts use the router private address as their default gateway (say 192.168.1.1). You could have the VPN pool be a subset of the internal network (say 192.168.1.240 - 192.168.1.250) or be a separate address space altogether (say 192.168.2.0 /24).
Your AnyConnect client points to the router's public IP (or an FQDN that resolves to it). It is given an address from the pool and communicates to the remote internal network using that address which then appears to the remote clients to be on the router itself.
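An added example, not part of the thread and not Cisco code: a Python check of a proposed pool address and netmask against the internal network, using the 192.168.1.0/24 addressing from the post above. It assumes the router wants the pool entered as a network address aligned to its netmask (one plausible reading of the "invalid subnet prefix" message); the function name and the in-use addresses are made up for illustration.

```python
import ipaddress


def check_vpn_pool(pool_addr, pool_mask, lan_cidr, in_use=()):
    """Return a list of problems with a proposed VPN client address pool.

    pool_addr, pool_mask: values for the pool and netmask fields.
    lan_cidr: the internal network behind the router.
    in_use: LAN addresses already assigned (router, static hosts, DHCP leases).
    """
    try:
        # strict=True refuses an address whose host bits are set for the mask,
        # e.g. 192.168.1.245 with 255.255.255.240 (that subnet starts at .240).
        pool = ipaddress.ip_network(f"{pool_addr}/{pool_mask}", strict=True)
    except ValueError:
        # Suggest the aligned network address when the mask itself is valid.
        try:
            fixed = ipaddress.ip_network(f"{pool_addr}/{pool_mask}", strict=False)
            return [f"{pool_addr} is not a network address for {pool_mask}; "
                    f"use {fixed.network_address}"]
        except ValueError:
            return [f"{pool_addr} / {pool_mask} is not a valid address and mask"]

    problems = []
    if pool.num_addresses < 4:
        problems.append(f"{pool} has no room for client addresses")
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    if pool.overlaps(lan):
        # A pool carved out of the LAN is fine only if nothing else uses it.
        clashes = [a for a in in_use if ipaddress.ip_address(a) in pool]
        if clashes:
            problems.append(f"{pool} contains addresses already in use: "
                            + ", ".join(clashes))
    return problems


# Constructed sample values, following the addressing used in the thread.
LAN = "192.168.1.0/24"
IN_USE = ["192.168.1.1", "192.168.1.245"]  # router plus one static host (made up)

if __name__ == "__main__":
    for addr, mask in [("192.168.1.245", "255.255.255.240"),
                       ("192.168.1.240", "255.255.255.240"),
                       ("192.168.2.0", "255.255.255.0")]:
        print(addr, mask, "->", check_vpn_pool(addr, mask, LAN, IN_USE) or "ok")
```

A pool on its own subnet, such as 192.168.2.0 with 255.255.255.0, passes all three checks because it cannot collide with anything on the LAN.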
Address pool is the pool of IP addresses; when the user tries to initiate the VPN, the user will be allocated an IP address from that pool.
As long as the settings are correct, and you have ACL in place for the commute user to access resource.
You can just dial in to the ASA public faced IP and connect and access the resources.
thank you both!
I would say the setup in the RV345p Router is complete.
the client setup is a black hole to me... no description and to what I see I can not configure the anyconnect mobile client except entering a gateway. there must be something to setup to make that secure access via VPN possible??
The client setup is just that - install and point to the gateway. It's designed to be extremely simple. Almost all options are controlled by the admin at the router (or ASA).
An ASA has more options of configuration bits that you can push to the client (since it's a security appliance with more security features) but the idea is the same.
aha...? and with gateway is what exactly the FQDN I have added to the routers WAN?
I can add the dynamic dns but when running it I first get a message of untrusted server certificate and then an error message stating 'the VPN connection failed due to unsuccessful domain name resolution'
Am I missing something but I should install a kind of certificates etc...
I can't imagine that just adding a dynamic dns address would be enough...?
SSL/TLS uses certificates for server authentication (and sometimes for clients but not important in this case). The AnyConnect client looks for a server certificate field (common name or CN specifically) to match the FQDN of the gateway (router).
The guide linked earlier describes how to manage certificates on your router. Reference pages 20-22.
That said, a self-signed certificate generally should work. In that case, you would point the client to the IP address and not the FQDN since the self-signed certificate generally does not know about the DDNS-registered FQDN.