VPN migration to Anyconnect

avilt
Level 3

I am currently using Cisco VPN client 5.x on Windows to connect to a Cisco VPN concentrator. First I connect with the VPN client and then log in to the Windows domain using the domain login feature. I have several VPN groups so that each group gets unique ACL filters.

Now I am looking at the new replacement client "Anyconnect" with ASA and evaluating the software "Anyconnect Secure Mobility Client".

a) With the new "Anyconnect", how can I create multiple groups so that each group gets unique ACLs? What is the equivalent option for groups in ASA Anyconnect?
In ASDM, when I create a "connection profile" I do not see any group-related settings like a shared secret. How can I make group-level settings so that I can create connection profiles for each department?

b) When I launch a new Anyconnect connection profile from ASDM, I have two VPN protocols to choose from: SSL and IPSec. I believe SSL is used to download the initial image from the ASA through the browser and to connect to the VPN servers over SSL. IPSec requires a device digital certificate. Why is it necessary to have this device digital certificate?

c) I do not want users to download the image through the browser; instead I would like to pre-deploy the image using the Helpdesk. In this case I can completely disable the SSL option during the "anyconnect" connection profile, right?

2 Replies

Marvin Rhoads
Hall of Fame

a) Each distinct group-policy may have a unique set of networks that are tunneled for that group. They are defined in the access-list specified in the "split-tunnel-network-list value" command under the "group-policy attributes" section of the config. The group policies are the configuration file name for what you referred to as connection profiles.

b) The device certificate is used in at least one location (for SSL VPN). In SSL VPN it identifies the ASA as an SSL server. You can use a self-signed (dynamic or persistent) or CA-signed certificate. For IPSec you can authenticate using either a certificate or any other AAA method that's set up.

c) You may disable the SSL option assuming you are using only IPSec remote access VPNs. It is a global option so if you ever add an SSL VPN it must be enabled globally.

I am well versed with the VPN concentrator and I am a bit confused with this Anyconnect profile creation.

Let me explain my current traditional VPN setup with the VPN concentrator. Helpdesk staff will install the client and create a profile which requires a VPN group password (not disclosed to the users); the users will be pointed to RADIUS authentication later. In this setup we have control over the profile.

With Anyconnect, how can I have control over this?
My understanding is that I first create the group policy with the required settings and then assign it to the "connection profile".

Now how can I set up this "connection profile" on the client side so that each department uses its own "connection profile"? For example, the SALES team should use only the sales profile, IT will have its own profile with unlimited access, etc.
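An added ASA CLI example, not from this thread or from Cisco, showing how the answer above and this follow-up fit together: two departments, each with its own group-policy (vpn-filter ACL plus split-tunnel list) and its own connection profile (tunnel-group) that users select by alias, with authentication handed to RADIUS. All names, subnets, pools and the RADIUS host are constructed placeholders.

```text
! Added example, not from this thread: names, addresses and the RADIUS host are placeholders
! Per-department filter ACLs: what each VPN user may reach once connected
access-list SALES_FILTER extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list SALES_FILTER extended deny ip any any
access-list IT_FILTER extended permit ip any 10.10.0.0 255.255.0.0
! Networks tunneled for each group (the concentrator split-tunnel equivalent)
access-list SALES_SPLIT standard permit 10.10.20.0 255.255.255.0
access-list IT_SPLIT standard permit 10.10.0.0 255.255.0.0
ip local pool SALES_POOL 192.168.50.1-192.168.50.100 mask 255.255.255.0
ip local pool IT_POOL 192.168.60.1-192.168.60.50 mask 255.255.255.0
! User authentication goes to RADIUS, as in the existing concentrator setup
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.1.5
 key <radius-shared-secret>
! Group policies carry the per-group settings (the concentrator "group" equivalent)
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 vpn-filter value SALES_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SALES_SPLIT
group-policy IT_GP internal
group-policy IT_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 vpn-filter value IT_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IT_SPLIT
! Connection profiles (tunnel-groups); the alias is what the user picks in the client
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 address-pool SALES_POOL
 authentication-server-group RADIUS
 default-group-policy SALES_GP
tunnel-group SALES webvpn-attributes
 group-alias SALES enable
tunnel-group IT type remote-access
tunnel-group IT general-attributes
 address-pool IT_POOL
 authentication-server-group RADIUS
 default-group-policy IT_GP
tunnel-group IT webvpn-attributes
 group-alias IT enable
! Publish the alias list so the AnyConnect client offers both profiles
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

The vpn-filter ACL is what actually limits what a connected user can reach, so the IT policy should be narrowed to the hosts that team administers rather than left wide open as in this placeholder. To keep the profile choice out of the user's hands, as the concentrator .pcf profile did, the helpdesk can pre-deploy an AnyConnect client profile whose host entry names the department's group, or give each department its own group-url instead of an alias.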