User Manual
Page 2
... window, choose Configuration > Firewall > Public Servers. The server appears in the USA on Cisco.com. Step 2 Complete the SSC setup fields and click Apply. (For information about configuring the IPS module, see the IPS module quick start guide on recycled paper containing 10% postconsumer waste. 78-19752-02 QUICK START GUIDE Cisco ASA 5505 Adaptive Security Appliance...
Administration Guide
Page 4
...Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections 1 Configuring DTLS 2 Prompting Remote Users 4 Enabling IPv6 VPN Access 5 Enabling Modules for Additional AnyConnect Features 5 Configuring, Enabling, and Using Other AnyConnect Features 6 Configuring Certificate-only Authentication 6 Using Compression 9 Changing Compression ... Rekey 12 Enabling and Adjusting Dead Peer Detection 14 Configuring the Dynamic Access Policies Feature of the Security Appliance 15 Cisco Secure Desktop Support 15 6 C H A P T E R Configuring AnyConnect Features Using CLI 1 Enabling Datagram ...
Administration Guide
Page 18
...CSA Versions 5.0 and 5.1. Choose the correct version of the .export file to your VPN policy and generate rules. Attach the new rule module to import. Cisco AnyConnect VPN Client Administrator Guide 1-8 OL-12950-012 Getting and Installing the Files You Need Chapter 1 Introduction Step 1 Step 2 Step 3... Management Center. For more information, see the CSA document Using Management Center for the ASA 5500 Series Adaptive Security Appliance at http://www.cisco.com/cgi-bin/tablebuild.pl/asa. You can get the files from the .zip package files. Specific information about exporting...
Administration Guide
Page 21
... these files: @SYSTEM\vpnweb.ocx Application Class: "Cisco Secure Tunneling Client - Refer to the list of these steps: Step 1 Step 2 In the Rule Module: "Cisco Secure Tunneling Client Module", add a FACL: Priority Allow, no Log, Description: "Cisco Secure Tunneling Browsers, read/write vpnweb.ocx" Applications ....dll or MSVCRT.dll located in to a future release of CSA do the following process names: **\vpndownloader.exe @program_files\**\Cisco\Cisco AnyConnect VPN Client\vpndownloader.exe This rule will be built in the winnt\system32 directory. Current shipping versions of CSA. ...
Administration Guide
Page 38
...on flash as Start Before Logon (SBL). The attributes you configure on the MTU of core modules that it supports. Adjusting the interval also ensures that it needs for the AnyConnect Client. 3-10 Cisco AnyConnect VPN Client Administrator Guide OL-12950-012 By default, the MTU size adjusts automatically based on... connections established in the client user interface, including the names and addresses of keepalive messages to ensure that a connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
Administration Guide
Page 43
...5-1 • Prompting Remote Users, page 5-4 • Enabling IPv6 VPN Access, page 5-5 • Enabling Modules for any specific interface. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-1 You cannot enable DTLS globally with some SSL connections and improves the performance of ... • Enabling AnyConnect Keepalives, page 5-11 • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 5-15 • Cisco Secure Desktop Support, page 5-15 • Enabling AnyConnect Rekey, page 5-12 • Enabling and Adjusting Dead Peer Detection, page 5-14...
Administration Guide
Page 47
You must update the AnyConnect clients of modules that it needs for Additional AnyConnect Features As new features are : • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > ... with commas. For more information about enabling IPv6, see Chapter 6, "Configuring AnyConnect Features Using CLI." OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-5 Chapter 5 Configuring AnyConnect Features Using ASDM Enabling IPv6 VPN Access Figure 5-4 shows the ...
Administration Guide
Page 48
...users can specify whether you want users to authenticate using AAA with a username and password or using a digital certificate (or both). Cisco AnyConnect VPN Client Administrator Guide 5-6 OL-12950-012 Some features, such as Secure Desktop and dynamic access policies, do not require that ...feature. Configuring, Enabling, and Using Other AnyConnect Features Chapter 5 Configuring AnyConnect Features Using ASDM Figure 5-5 Optional Client Module to Download In the case of values to enter for each AnyConnect client feature, see the Release Notes for those features occurs on...
Administration Guide
Page 59
... (SSL) Connections, page 6-1 • Prompting Remote Users, page 6-2 • Enabling IPv6 VPN Access, page 6-3 • Enabling Modules for Additional AnyConnect Features, page 6-4 • Configuring Certificate-only Authentication, page 6-5 • Using Compression, page 6-5 • Configuring the...Feature of the Security Appliance, page 6-6 • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6 • Cisco Secure Desktop Support, page 6-6 • Enabling AnyConnect Rekey, page 6-6 • Enabling and Adjusting Dead Peer Detection, page 6-7 ...
Administration Guide
Page 62
...-policy telecommuters attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc modules value vpngina Cisco AnyConnect VPN Client Administrator Guide 6-4 OL-12950-012 To enable new features, you must specify the new module names using the svc modules command from the security appliance) only of values to use the new features. Configure...
Administration Guide
Page 77
... time, the AnyConnect client requests downloads (from group policy webvpn or username webvpn configuration mode: [no] svc modules {none | value string} The string for additional details. SBL is disabled by setting the value in the ... Before Logon description for SBL is stored elsewhere. To enable new features, such as part of core modules that it supports. Chapter 7 Configuring and Using AnyConnect Client Operating Modes and User Profiles Configuring Profile Attributes..., set to configure the profile attributes. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 7-11
Administration Guide
Page 78
... a user attempts a connection using the client. The supported set includes: • DIGITAL_SIGNATURE • NON_REPUDIATION • KEY_ENCIPHERMENT 7-12 Cisco AnyConnect VPN Client Administrator Guide OL-12950-012 Instead, the user selection is not required. This server list consists of the profile.... Match Attribute The AnyConnect client supports the following certificate match types. Some or all of the client with a server other modules for additional features). Configuring the ServerList Attribute One of the main uses of the profile is to provide a means of ...
Administration Guide
Page 116
...messages 11, 8 configuring with ASDM 10 Keep Installer on Client System ASDM 9 key usage certificate matching 12 certificate matching, extended 13 IN-2 Cisco AnyConnect VPN Client Administrator Guide L language localization template 6 translation 2 language localization (translation), configuring with ASDM 4 language translation 3 Linux AnyConnect CLI... Maximum Transmission Unit (MTU) configuring with ASDM 10 Microsoft Installer (MSI) 1 mode, standalone and weblaunch 1 modules, adding ASDM 5 CLI 4 Mozilla, certificates 7 MSI (Microsoft Installer) 1 N Netscape, certificates 7 O Optional Client...
Administration Guide
Page 117
...standalone mode 1 start before login (SBL) 2 start before logon (SBL) configuring with ASDM 10 enabling 11 installation requirements 2 Statistics Details window 5 Statistics tab 5 svc modules, adding ASDM 5 CLI 4 T template, localization 6 TLS (Transport Layer Security), connection 1 translation, language 3 translation table, creating or modifying using ASDM 6 translation tables,... 1 trusted root certificate 4 trusted sites adding, using Active Directory 1 adding on individual PCs 3 U user interface customizing 1 overview 2 user profile 4 Cisco AnyConnect VPN Client Administrator Guide IN-3