User Manual
Page 1
... passwords • Interfaces • IP addresses • Static routes • DHCP server • Network address translation rules • and more... Step 4 Accept any wizard field, click Help.) Verifying the Package Contents POWER 48VDC SSCeeacrrvduircSietlyost 7 POWER over ETHERNET 6 5 4 3 2 1 0 3 2 Console 2 1 RESET 1 ISP Connection Internet Cisco IP Phone Web Server PC If you connect a server (such as with Ethernet cables to a cable/DSL/ISDN modem (the Outside network). See "4. if it received an IP address on Cisco.com. 4. When the LED...
User Manual
Page 2
... in the list. You can access specific, supported internal resources. By placing the public servers on the SSC, click the Configure the IPS SSC module link. AnyConnect provides secure SSL connections to the ASA for the Cisco IPsec client. Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the ASA using the following : • Site-to-Site VPN Wizard • AnyConnect VPN Wizard • Clientless VPN Wizard • IPsec (IKEv1) Remote Access VPN Wizard Step 2 Follow the wizard instructions. (For...
Administration Guide
Page 7
.../secmgmt/asdm/index.htm This guide applies to guide you configure the Cisco AnyConnect VPN Client parameters on the security appliance. ASDM includes configuration wizards to the Cisco ASA 5500 series security appliances (ASA 5505 and higher). Throughout this guide is to help you through some common configuration scenarios, and online Help for network managers who perform any of this guide, the term "security appliance" applies generically to all supported models, unless specified otherwise. This...
Administration Guide
Page 8
... Client Operating Modes and User Profiles" Describes how to configure and use the command-line interface to configure the various features of the Cisco Anyconnect VPN Client. Chapter 3, "Installing the AnyConnect Client and Configuring the Security Appliance with ASDM" Describes how to use ASDM to install the Cisco AnyConnect VPN AnyConnect Client on a Security Client on the security appliance. Cisco AnyConnect VPN Client Administrator Guide 8 OL-12950-012 Chapter 4, "Installing the Describes how to the following documentation: • Cisco ASA 5500 Series Adaptive Security...
Administration Guide
Page 11
... full set of platform requirements and supported versions. See the Release Notes for getting the Cisco AnyConnect VPN Client up and running ASA version 8.0 and higher or ASDM 6.0 and higher. The network administrator can manually install the client as a PC application without the need to use a web browser to establish a connection. • Command Line Interface (CLI)-Provides direct access to the Cisco 5500 Series Adaptive Security Appliance running on your central-site security appliance and on Windows...
Administration Guide
Page 12
... rekey. Remote User Interface Chapter 1 Introduction • IPv6 VPN access-Allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). • Start Before Login (SBL)-Allows for login scripts, password caching, drive mapping, and more, for Windows. • Certificate-only authentication-Allows users to connect with the IPSec Cisco VPN Client, but they disconnect. Remote User Interface Remote users see the Cisco AnyConnect VPN Client user interface (Figure 1-1). The status line at the same time to the same IP address.
Administration Guide
Page 19
... (depending on a user's PC and how to enable AnyConnect client features after installation. DTLS avoids latency and bandwidth problems associated with the security appliance, it connects using the Adaptive Security Device Manager (ASDM) or the CLI command interface. After the user enters the URL, the browser connects to that are sensitive to packet delays. 2 C H A P T E R Common AnyConnect VPN Client Installation and Configuration Procedures Installing the AnyConnect Client The installation and configuration consists of two parts: what you...
Administration Guide
Page 20
... client based on the security appliance, see the Cisco ASA 5500 Command Reference Guide for certificates on the remote PC by the system administrator. You can configure the security appliance to automatically download the client, or you are using Start Before Logon, the VPN Gina (VPN Graphical Identification and Authentication) a cannot be installed dynamically if the AnyConnect client is already configured as a trusted CA on client machines. - Cisco AnyConnect VPN Client Administrator Guide...
Administration Guide
Page 21
... particularly important for instructions. Current shipping versions of Trusted Sites (Internet Explorer) To add a security appliance to the following class: "Cisco Secure Tunneling Client - AnyConnect Client and New Windows Installations In rare circumstances, if you install the AnyConnect client on a computer that is its IP address. Windows Vista users must add the security appliance to the list of trusted sites, or install Java. Doing so enables the ActiveX control to use Microsoft Internet Explorer and...
Administration Guide
Page 26
... the Cisco AnyConnect VPN Client Setup Wizard screen displays. Installing the AnyConnect Client on a User's PC Chapter 2 Common AnyConnect VPN Client Installation and Configuration Procedures Installing the AnyConnect Client on a User's PC You can set of the AnyConnect clients are located in standalone mode by the security appliance to Install screen displays. In standalone mode, the user starts the AnyConnect client software without first establishing a web connection. The following sections describe how to install the client on Windows, Linux, and Mac...
Administration Guide
Page 38
... NAT device remains open, even if the device limits the time that it supports. Adjusting the interval also ensures that the AnyConnect client needs to download to Download-Specify a file on flash as Start Before Logon (SBL). This setting affects only the AnyConnect client connections established in bytes, from 256 to Download-Specify any modules that the client does not disconnect and reconnect when the remote user is a group of configuration...
Administration Guide
Page 47
... or username configuration. Separate multiple strings with commas. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-5 Chapter 5 Configuring AnyConnect Features Using ASDM Enabling IPv6 VPN Access Figure 5-4 shows the prompt displayed to remote users when either the default svc timeout value or the default webvpn timeout value is configured (in the Optional Client Module to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). Specify the module name, for example...
Administration Guide
Page 61
... support IPv6. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 6-3 You enable IPv6 access using the ipv6 enable command as part of value before downloading the client: hostname(config-group-webvpn)# svc ask enable default svc timeout 10 Enabling IPv6 VPN Access The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). Enable IPv6 and an IPv6 address on the outside interface: hostname(config)# interface GigabitEthernet0/0 hostname(config-if)# ipv6 enable To enable...
Administration Guide
Page 63
...-only authentication, users can configure compression globally using ASDM, select Configuration > Remote Access > Network (Client) Access > SSL VPN Connection Profiles, and in tunnel-group webvpn mode. asa2(config-tunnel-webvpn)# authentication certificate Note You must configure ssl certificate-authentication interface port for all SSL VPN connections globally: hostname(config)# no form of the packets being transferred. By default, compression for all SSL VPN connections is disabled for this option to interact with a username and password or using CLI, use the...
Administration Guide
Page 71
... using a text editor. The profile file is a group of the profile settings, such as a basis to remote clients: OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 7-5 You can create and save XML profile files using either ASDM or the command-line interface. during this document. The client installation contains one listed in an XML file, that the client uses to configure the connection entries that can edit and use ASDM to enable the security appliance to download...
Administration Guide
Page 78
... user preferences. This default server is identified as the connection address unless it is to provide a means of supplying a user of the client with a list of these may be directly tied to a network addressable host. If an FQDN or IP address is not required. This allows the host name to be an alias or other modules for client certificate matching. Configuring Profile Attributes Chapter 7 Configuring and Using AnyConnect Client Operating Modes...
Administration Guide
Page 86
... dynamically, and the template automatically reflects your changes to group policies or user attributes. Cisco AnyConnect VPN Client Administrator Guide 8-4 OL-12950-012 Configuring Language Localization Using ASDM To use in that object, and specify that you add, edit, delete, import, or export language localization templates. Because you edited previously. This opens the Language Localization pane (Figure 8-1). The language localization pane shows the language of existing language...
Installation Guide
Page 4
... the Ethernet cable to an Ethernet port (ports 0 through 7). Step 3 Connect your network devices with an Ethernet cable to an Internet router.) ASA 5505 Getting Started Guide 4-4 78-18003-02 If you are connecting any Power over Ethernet (PoE) devices, connect them to a cable/DSL/ISDN modem. Use one of the yellow Ethernet cables to connect the device to one of the switch ports that support PoE (ports numbered 6 and 7). Installing the Chassis Chapter 4 Installing the ASA 5505 Installing the Chassis You can wall-mount or rack-mount the Cisco ASA 5505. The part number for...
Installation Guide
Page 7
Step 3 Step 4 Use an Ethernet cable to connect the PC to full duplex; If autonegotiate is assigned 192.168.1.1 by selecting an address in the 192.168.1.0 subnet. (Valid addresses are 192.168.1.2 through 7). Configure the PC to use DHCP (to receive an IP address automatically from the Cisco ASA 5505), which enables the PC to communicate with a mask of 255.255.255.0 and default route of the adaptive security appliance is...
Installation Guide
Page 10
... future use. - Network traffic is network activity. Figure 4-4 ASA 5505 Front Panel 123 4 5678 LINK/ACT Power Status Active VPN SSC 100 MBPS 0 0 0 0 0 0 0 0 Cisco ASA 5505 series 0 Adaptive Security Appliance 153382 Port / LED Color 1 USB Port - 2 Speed Indicators Not lit Green 3 Link Activity Indicators 4 Power 5 Status Green Green Green Off Green Amber State Description - Solid The system has encountered a problem. 4-10 ASA 5505 Getting Started Guide 78-18003-02 Ports and LEDs Chapter 4 Installing the ASA 5505 Front Panel Components The LINK/ACT...