AnyConnect implementation

amr-abdelhamid
Level 1

Hello,

Can anyone please provide me with guidelines and configuration steps for deploying and implementing an AnyConnect Remote Access VPN solution using ASDM?

  1. AnyConnect needs to be deployed using the Predeploy method.
  2. A dual authentication method is required to authenticate the users (using LDAP and Microsoft Azure).
  3. The VPN concentrators are ASA 5516 and 5525.
  4. I need to do the configuration using ASDM.
  5. How do I configure Policy groups, client profiles, Local policies and Connection profiles?
  6. How do I configure the authentication?
3 Replies

Terence Payet (Accepted Solution)
Level 1

Hi,

Please have a look at 

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/119006-configure-anyconnect-00.html

Regards,

Terence

amr-abdelhamid
Level 1

Thanks, I have a question regarding identity certificates. My client will be providing the identity certificates, so I have to import them using the "Import the identity certificate from a file" radio button in "Manage Identity Certificates". Does this also import the CA certificate and the public key, and does this also configure the keys on the ASA?

I have searched for a demonstration but I couldn't find any

Thanks

You have to create a Certificate Signing Request (CSR) first. Use the button "Enroll ASA SSL with Entrust". You can disregard the Entrust bit - the button will create a standard CSR that can be enrolled with any CA.

When you do that, it will prompt you to either use an existing key on the ASA or create a new one. You should make sure you use a key of 2048-bit length (or greater). Create one if the existing available key is any smaller than 2048 bits.

You then provide the CSR (file or text) to the client and they enroll it with their CA. Once they give you the certificate, you install it. Since you have created the CSR earlier, it will show in ASDM as "pending" under the certificate expiry date and the "Issued to" name will be in parentheses. Select that entry and click "Install".

You now have an installed signed identity certificate that can be bound to the interface where you provide SSL VPN service (typically the outside).

The process does not automatically install the issuing CA's root and/or any intermediate certificates. You should add those separately under the "CA Certificates" section. You should also remove support for any old ciphers like RC4 from the SSL section.

If you complete all of the above properly, you can run Qualys SSL checker and should see the grade as A-. (There are a few things Cisco doesn't do by design that Qualys checks for - sort of a philosophical difference in best practices.)

https://www.ssllabs.com/ssltest/index.html
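The three checks in the reply above (key is at least 2048 bits, the returned certificate belongs to the CSR the ASA has pending, and the issuing CA chain is installed separately) can be run with openssl before touching ASDM. The script below is an added example and is not from this thread or from Cisco. Its build_fixture function constructs a toy root CA, issuing CA and two ASA keypairs so the checks run offline; in real use asa.csr is the CSR exported from ASDM and asa.crt, inter.crt and root.crt are the files the client's CA hands back. All file names and the hostname vpn.example.net are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cisco thread): sanity-check a CA-issued identity
# certificate before installing it through ASDM. Everything in build_fixture is
# a constructed stand-in built with openssl so the checks run offline; file
# names and the vpn.example.net hostname are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"

build_fixture() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.net\n' > leaf.ext
  # Toy "client" PKI: a self-signed root and an issuing (intermediate) CA
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 -extfile ca.ext >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -out inter.crt -days 1825 -extfile ca.ext >/dev/null 2>&1
  # Two candidate ASA keypairs, like the "use existing key / create new" prompt offers
  openssl genrsa -out asa-weak.key 1024 >/dev/null 2>&1
  openssl genrsa -out asa.key 2048 >/dev/null 2>&1
  openssl req -new -key asa-weak.key -out weak.csr -subj "/CN=vpn.example.net" >/dev/null 2>&1
  openssl req -new -key asa.key -out asa.csr -subj "/CN=vpn.example.net" >/dev/null 2>&1
  # What the client's CA hands back for asa.csr: a leaf signed by the intermediate only
  openssl x509 -req -in asa.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out asa.crt -days 365 -extfile leaf.ext >/dev/null 2>&1
}

# RSA modulus size in bits of a private key (the reply above wants >= 2048)
key_bits() {
  m=$(openssl rsa -in "$1" -noout -modulus | cut -d= -f2)
  echo $(( ${#m} * 4 ))
}

# Modulus of a certificate or CSR. Equal moduli mean the certificate was issued
# for our key, which is how the returned cert lines up with the "pending" CSR entry.
modulus_of() {
  case "$1" in
    *.csr) openssl req -in "$1" -noout -modulus ;;
    *)     openssl x509 -in "$1" -noout -modulus ;;
  esac
}
cert_matches_csr() { [ "$(modulus_of "$1")" = "$(modulus_of "$2")" ]; }

# Chain check as a VPN client would see it. Installing the identity certificate
# does not add the issuing CA; until the intermediate is loaded as a CA
# certificate, the chain back to the trusted root does not verify.
chain_ok() {   # chain_ok <leaf> <root> [intermediate]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
  fi
}

build_fixture
echo "asa-weak.key: $(key_bits asa-weak.key) bits (too small, generate a new key)"
echo "asa.key: $(key_bits asa.key) bits"
cert_matches_csr asa.crt asa.csr && echo "asa.crt was issued for the pending CSR"
chain_ok asa.crt root.crt || echo "chain incomplete: install inter.crt under CA Certificates"
chain_ok asa.crt root.crt inter.crt && echo "chain verifies once the intermediate is present"
```

The negative cases are the useful ones: chain_ok without inter.crt fails the same way a client's TLS handshake would if only the identity certificate were installed, and cert_matches_csr against weak.csr fails because the CA signed a different public key than the one the ASA holds. Run the real checks with the client's files in place of the fixture.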