05-06-2011 03:09 PM - edited 02-21-2020 05:19 PM
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to implement Secure VPN Mobility using Cisco AnyConnect with Cisco expert Naman Latif. Naman is a technical support engineer at the Cisco Technical Assistance Center for VPN and security technologies. His area of expertise includes configuration and troubleshooting for Cisco’s security product portfolio including VPN, PKI and firewall technologies as well as Client and Cisco Adaptive Security Appliance (ASA).
Remember to use the rating system to let Naman know if you have received an adequate response.
Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security, VPN discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
05-12-2011 07:58 AM
Hi Joceyln,
1. AnyConnect on iPad\iPhone provides full IP connectivity to the Enterprise network and it doesn't interfere with any Apps running on the iPad\iPhone. So if you want to access a Windows Share, you will need to find an App that can connect to SMB\Windows shares (unless this is already built in to the iPad\iPhone).
AnyConnect itself is only to provide connectivity and doesn't perform any other functions i.e. Share access etc.
2. You can use Dynamic Access Policies to restrict only a certain set of Users to connect from iPhone\iPad.
E.g. You can place the authorized Users in a specific AD group and then use DAP to configure an access policy that only allows access to Users from that Group, when the End host is iPad\iPhone.
ASA is able to detect the end device being an iPhone\iPad if you do an 'OS Check' in the DAP Policy.
3. AnyConnect for Android OS (Samsung Devices) will be available soon. However, to get an exact date of the release, you will have to contact your Cisco Account team as they can provide a more specific date.
I hope this helps.
Thanks,
Naman
05-12-2011 09:59 PM
Hey Naman,
I have a profile which is set to launch the AnyConnect client on successful authentication. What I'd like to do is close the portal window once the client loads and connects as this isn't required for the user once AC is connected. Do you know if this is possible?
If not, is it possible to customise this portal page like the other ones?
I've attached a screen shot of the screen I'm referring to.
We are running 8.4.1
Apologies if this isn't 100% AnyConnect related.
Many thanks in advance,
Simon
05-13-2011 10:39 AM
Hi Simon,
Thanks for participating in the session.
Currently it is not possible to customize the AnyConnect Launch\Web Launch page.
As for closing the window, you can either
1. Have your Users use the Stand-Alone client, unless there is a preference to launch through IE or any other browser.
2. The second option is to use Scripting to close the IE Window after AnyConnect client has connected. AnyConnect provides the ability to run pre-connect and post-connect scripts as below
You can write a script which will close the IE window after AnyConnect has connected. The scripts are not provided by Cisco and can be in any language as long as they can be run from the command-line.
E.g. You can write a script in VBScript and then use the "wscript \ cscript" executables to run the script.
There are quite a few examples available on Google for using VBScript to close an open IE window.
Hope this helps.
Thanks,
Naman
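As an added illustration of option 2 above (not Cisco's code and not part of the original reply): a PowerShell post-connect script that closes only the Internet Explorer windows still showing the ASA's web-launch portal. It assumes the ASA's public name is vpn.example.com (a placeholder), that scripting is enabled in the AnyConnect client profile, and that the file is saved under the OnConnect name in the AnyConnect Script directory; windows pointing at any other site are left alone.

```powershell
# Added example, not Cisco code. Run by AnyConnect as the OnConnect script
# after the tunnel is up; it closes IE windows that still show the ASA portal.
# Assumption: the ASA's public hostname is vpn.example.com (placeholder).
$asaHost = 'vpn.example.com'

# Shell.Application enumerates the open Internet Explorer (and Explorer) windows.
$shell = New-Object -ComObject Shell.Application

foreach ($window in @($shell.Windows())) {
    # Explorer windows expose file: paths or nothing; skip anything without a URL.
    $url = $window.LocationURL
    if (-not $url) { continue }

    # Parse the URL so a lookalike such as vpn.example.com.evil.net does not match.
    try {
        $urlHost = ([System.Uri]$url).Host
    } catch {
        continue
    }

    # Close only the portal window; the user's other browser windows stay open.
    if ($urlHost -ieq $asaHost) {
        $window.Quit()
    }
}
```

The local PowerShell execution policy must allow the script to run, and it runs in the logged-on user's context, so it can only close that user's own windows.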
05-15-2011 06:00 PM
Perfect, many thanks Naman
05-14-2011 11:16 AM
Hello Naman
We are in the process of migrating our remote access users from the old Cisco IPsec VPN client to AnyConnect 3.0. Regarding part of the AnyConnect solution, NAM, I have a question.
NAM is a perfect solution for securing/managing wired and wireless connections, but we found out that NAM couldn't manage other types of connections, e.g. 3G adapters. So a user can manually start another connection over 3G. Is there any solution for this issue?
thank you
miro
05-14-2011 07:49 PM
Hi Miro,
Thanks for participating in the discussion.
Currently the NAM module doesn't support 3G cards. The support is planned for a future release but there is no fixed schedule at this time.
You can always contact your Cisco Account team and they should be able to provide a more accurate status of this enhancement.
Hope this helps.
Thanks,
Naman
05-14-2011 12:11 PM
I am implementing a new ASA 5510 with AnyConnect Essentials Licenses. I have it connecting and giving out IP addresses from a local pool to the VPN clients, but somehow it is getting a default gateway that is not set anywhere on the device. I set a static default route on the device, but the VPN clients ignore that and take this x.x.0.1, which is an invalid IP on my network.
What sets the VPN clients' default gateway if not the static 0.0.0.0 route on the interface? That is what everything I have read tells me to set. Well, it is...
Any help?
05-14-2011 07:42 PM
Hi Randy,
Thanks for participating in this discussion.
The use of a default gateway in a Remote Access Connection (AnyConnect) is not relevant, as the traffic is forwarded through the Interface (in this case it will be the "AnyConnect Virtual Connection Adapter"). The ASA on the receiving end then responds even if the traffic is destined to another subnet, i.e. acting as Proxy-ARP.
I assume that the traffic is still getting to its destination? If not, then it will be some other issue and needs to be looked at in detail (you can open a TAC case to investigate), but it will not be a Default-Gateway issue.
Hope this helps.
Thanks,
Naman
05-14-2011 08:01 PM
Traffic fails utterly once I connect to the VPN. I assumed it was the gateway thing. I wonder if it is because I am attempting to use a single interface, as I have a managed firewall from a vendor and I simply need the VPN functionality. I have acl permit any any on the interface. Is my plan just doomed without a second interface so I have an inside and outside interface?
Anyway, how does one open a TAC case? I am new to these forums. Thanks, Randy
05-14-2011 08:08 PM
Scratch that... pings fail... DNS fails. I can still reach servers by IP address.
05-14-2011 08:47 PM
Is the firewall on the PC? Or are you talking about the ASA Firewall?
If you can reach by IP but DNS \ Ping fails, then it is more likely a firewall issue and AnyConnect seems to be fine. If it's a personal firewall, then what happens if you turn off the personal firewall?
As for opening the TAC case, you can use the information below
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
You will need to have a valid SmartNet contract to get support from Cisco TAC.
Thanks,
Naman
05-14-2011 09:47 PM
By firewall I was referring to the ACL associated with the VPN or interface. I will mess with that some more, thanks.
Yeah, I am new to SmartNet so still finding my way around. Thanks for the link.
05-15-2011 01:53 AM
Hi Naman
I have another question regarding Cisco AnyConnect 3.0 configuration. During our tests we found out that it's possible to connect to "another" network. Here are more details. We need to use TND and Always-on. The user doesn't have NAM installed. When the user is connected to the trusted network he can still connect to another, e.g. wireless, network by using the standard Windows wireless card settings.
The Windows routing table is populated with another default route (from the wifi DHCP) but with a worse metric. So the user cannot use this for connecting to the internet. But it is still possible to connect to/from other computers in the attached wireless network.
Is there any possibility of configuring AnyConnect 3.0 to avoid this?
thanks
miro
05-15-2011 08:49 PM
Hi Miro,
AnyConnect itself without the NAM module cannot control the LAN\Wireless adapters.
If you want to control the Wireless connection, then I guess the best way will be to use NAM; then you can control the SSID to which Users are allowed to connect by pushing specific NAM profiles through the ASA etc.
Hope this helps.
Thanks,
Naman
05-15-2011 07:39 PM
Hi Naman
My objective is to get the host scanned for Anti-virus, but I have failed to get it to work.
I am using a test lab without an external AAA server. All credentials are stored locally. Is a RADIUS server needed for this to work?
I have tried disabling the laptop's Microsoft Security Essentials, but it still managed to pass the post check and logs me into the VPN.
I would appreciate it if you could provide me with some pointers, as my understanding of DAP is limited.
Thanks