Enable SSL VPN on existing IPSec configuration

Brian Preston
Level 1

Hi,

Hopefully this will be quite a simple query, but we are currently looking at testing and then migrating our users over to SSL Full Client VPN.  At the moment we have our ASA 5520 (8.2) configured for IPSec only, and this is configured to use an external RADIUS server for authentication.   The group policy which we use for this is only configured to allow IPSec. My question is whether I can simply perform the following steps to get SSL VPN working.  Apologies in advance, but I am still learning this stuff and have been reading many articles regarding setting this up from scratch, which have been great, but I need to accommodate our RADIUS system into it for testing.

1. Create a cert from our internal CA and upload it to the ASA

2. Create an AnyConnect Connection profile and select the RADIUS server from the drop-down of AAA servers

3. Enable SSL VPN Client on the Group policy currently being used for IPSec

4. Enable Cisco AnyConnect VPN client access on our outside interface

5. Install the Cisco SSL VPN client on a laptop and use the Profile Editor to create the necessary XML configuration file.

Thanks in advance. 

Many thanks in advance

4 Replies

Dinesh Moudgil
Cisco Employee

Hi,

Along with the mentioned points, you would have to upload the AnyConnect package (e.g. anyconnect-dart-win-3.1.05152version-k9.pkg) on the ASA.

If you are using an internal CA, then you would have to install the root certificate from the CA on all the clients so that they do not get a certificate error. [This is not mandatory to get AnyConnect working.]

If you are using AnyConnect 3.X, then you won't need the external profile editor, and I don't think there is any need to use AnyConnect 2.5 as 3.0 and 3.1 have more features and functions.

You also don't need to install the client on the user machine as it can be pushed from the ASA itself.

 

For the RADIUS server, you can surely use the AnyConnect connection profile with RADIUS authentication.

aaa-server test protocol radius
aaa-server test host <IP>
 key *****

Ref: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
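The five steps in the question and the aaa-server block in this reply, assembled into one ASA 8.2 CLI sequence as an added example (not configuration posted by either participant). The trustpoint name INTERNAL-CA, the key label VPN-KEY, the hostname vpn.example.com, the RADIUS address 192.0.2.10 and shared secret, the pool VPN-POOL, the tunnel-group AnyConnect-TG and the existing group-policy name EXISTING-GP are all assumed placeholders; the package filename is the one named later in the thread.

```cisco
! Step 1: identity certificate from the internal CA (cut-and-paste enrollment).
! "crypto ca authenticate" / "enroll" / "import" are interactive exec commands:
! paste the CA root cert, then the CSR goes to the CA, then paste the issued cert.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair VPN-KEY
crypto ca authenticate INTERNAL-CA
crypto ca enroll INTERNAL-CA
crypto ca import INTERNAL-CA certificate
! Present that certificate to SSL clients on the outside interface.
ssl trust-point INTERNAL-CA outside

! RADIUS server group reused by the new connection profile (same as the existing IPSec one).
! The shared secret sits in the host sub-mode; replace the placeholder value.
aaa-server test protocol radius
aaa-server test (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET

! Step 4: turn on the SSL VPN service on outside and load the AnyConnect package
! so the ASA can push the client to users (no manual install needed, per the reply).
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
 svc enable
 tunnel-group-list enable

! Step 3: the existing group policy currently permits only IPSec;
! add the SSL client ("svc" in 8.2) without removing IPSec, so both coexist during testing.
group-policy EXISTING-GP attributes
 vpn-tunnel-protocol IPSec svc
 webvpn
  svc keep-installer installed
  svc ask none default svc

! Step 2: AnyConnect connection profile that authenticates against the RADIUS group
! and lands users in the same group policy as the IPSec users.
tunnel-group AnyConnect-TG type remote-access
tunnel-group AnyConnect-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group test
 default-group-policy EXISTING-GP
tunnel-group AnyConnect-TG webvpn-attributes
 group-alias AnyConnect enable
```

Step 5 (the XML client profile) is optional with the 3.x client, as the reply notes; verify the result with "show vpn-sessiondb svc" after the first test login, and check the RADIUS server's log for the authentication request from the ASA.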

I agree with Dinesh, with the clarification that the package file for Windows would be "anyconnect-win-3.1.05178-k9.pkg". (At least that's the current version as of this posting.)

I don't know of any reason to go with anything but the latest AnyConnect 3.1 release for a new deployment. I've heard a rumor that 4.0 might be out this fall. I might wait until 4.0.2 or such is out before jumping right on a brand-new major release.

DART is the optional Diagnostic and Reporting Tool component of AnyConnect.

Thanks both for your replies.

We're just going to test things first, so we don't currently have any AnyConnect licenses.  I will be making use of the two free licenses on the ASA.  We will more than likely go for AnyConnect Essentials, but I am still awaiting pricing for Essentials vs Premium.

Would the recommended approach be to use a public CA to get a certificate?  All our clients will be domain-joined laptops etc., but I'm aware that if we do decide to go for the Premium AnyConnect licenses with mobile access, none of those devices will have our internal CA cert on them...

Thanks in advance.

Hi,

As mentioned, certificates are not necessary for the functioning of AnyConnect VPN.
You can surely use an internal or public CA; the point to ponder is that in both cases you will need to make sure the client has the root certificate. This is for confirming the identity of the VPN headend.

You can also use certificates for client authentication instead of username/password as shown here.
Regards,
Dinesh Moudgil
