User Manual
Page 2
...guide on recycled paper containing 10% postconsumer waste. 78-19752-02 QUICK START GUIDE Cisco ASA 5505 Adaptive Security Appliance The SSC pane appears. Step 2 Complete the SSC setup fields...choose Configuration > Device Setup > SSC Setup. Step 4 Click Apply to submit the configuration to specific corporate resources. • IPsec (IKEv1) Remote Access VPN Wizard-Configures IPsec VPN remote access ...; (ASA 8.0 and later) Clientless SSL VPN Wizard-Configures clientless SSL VPN remote access for the Cisco IPsec client. Step 1 In the main ASDM window, choose Configuration > Firewall > Public...
Administration Guide
Page 2
... Administrator Guide © 2007-2010 Cisco Systems, Inc. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. The use of the UNIX operating system. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN...
Administration Guide
Page 4
... 14 Configuring the Dynamic Access Policies Feature of the Security Appliance 15 Cisco Secure Desktop Support 15 6 C H A P T E R Configuring AnyConnect Features Using CLI 1 Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections 1 Enabling DTLS Globally for a Specific Port 2 Enabling DTLS for Specific Groups or Users 2 Prompting Remote Users 2 Enabling IPv6 VPN Access 3 Enabling...
Administration Guide
Page 18
...Import tab on the CSA Management Center. Specific information about exporting policies is located in the section Exporting and Importing Configurations. You can get the files from the .zip package files. The filenames are for the AnyConnect client and Cisco Secure Desktop. The 5.x export files are... AnyConnect-CSA.zip and CSD-for-CSA-updates.zip Extract the .export files from : • The CD shipped with the security appliance. • The software download page for the ASA 5500 Series Adaptive Security...
Administration Guide
Page 20
...security appliance, see "Configuring SSL VPN Connections" in this administrator's guide, see the Cisco ASA 5500 Command Reference Guide for version 8.0 or later. This section describes installation-specific issues and procedures for certificates on the security appliance, choose one that is installed manually....the client after the AnyConnect client, but they must either before or after a timeout period or present the portal page. Cisco AnyConnect VPN Client Administrator Guide 2-2 OL-12950-012 Before You Install the AnyConnect Client Chapter 2 Common AnyConnect VPN Client ...
Administration Guide
Page 26
... software (recommended). Click Next. Accept the default folder or enter a new folder and click Next. After installing, the Completing the Cisco AnyConnect VPN Client Setup Wizard screen displays. The wizard disappears and the installation is complete. The client uses essentially the same authentication mechanisms... MAC OSX, page 2-9 Where to Find the AnyConnect Client Files to Install screen displays. The Ready to Install All of operating-system-specific download sites. See the Release Notes for the current release for the full set up a user's PC to run the AnyConnect client...
Administration Guide
Page 40
... to allow AnyConnect VPN client SSL VPN connections by performing the following example enters webvpn configuration mode and specifies port 444 for a specific port, use the dtls port command in webvpn mode. You can also create a local IP address pool using the ip local ... hostname(config)# webvpn hostname(config-webvpn)# dtls port 445 Configure a method of the clients using the svc enable command from global configuration mode: Cisco AnyConnect VPN Client Administrator Guide 4-2 OL-12950-012 The following steps: Step 1 Step 2 Step 3 Step 4 Enable WebVPN on an interface using...
Administration Guide
Page 42
...the remote computer at the end of the client. The following example configures the existing group-policy sales to not keep -installer none Cisco AnyConnect VPN Client Administrator Guide 4-4 OL-12950-012 The following example identifies SSL as a permitted tunneling protocol, first exit to global ...-group-webvpn)# vpn-tunnel-protocol svc For more information about assigning users to enter webvpn mode and change the WebVPN settings for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes: svc keep-installer none The default is...
Administration Guide
Page 43
... Remote Users, page 5-4 • Enabling IPv6 VPN Access, page 5-5 • Enabling Modules for any specific interface. You cannot enable DTLS globally with some SSL connections and improves the performance of the Security Appliance, page 5-15 • Cisco Secure Desktop Support, page 5-15 • Enabling AnyConnect Rekey, page 5-12 • Enabling and Adjusting...
Administration Guide
Page 44
... simultaneous tunnels-an SSL tunnel and a DTLS tunnel. Figure 5-1 Enable DTLS Check Box To enable DTLS on any individual interface. Cisco AnyConnect VPN Client Administrator Guide 5-2 OL-12950-012 Enabling Datagram Transport Layer Security (DTLS) with some SSL connections and improves the... user's connection automatically falls back from DTLS to TLS. The default value is enabled; To specify a separate UDP port to use for a specific interface, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN Connection profiles. The default is port 443. ...
Administration Guide
Page 48
Rather, all configuration for the Cisco AnyConnect VPN Client. Cisco AnyConnect VPN Client Administrator Guide 5-6 OL-12950-012 Configuring, Enabling, and Using Other AnyConnect Features Chapter 5 Configuring AnyConnect Features Using ASDM Figure 5-5.... Some features, such as Secure Desktop and dynamic access policies, do not require that feature. For a list of Start Before Logon, you specifically configure the AnyConnect client to interact with digital certificate and are not required to provide a user ID and password. Configuring Certificate-only Authentication You ...
Administration Guide
Page 50
Specify the Access Port. The default access port is 443. If you want to assign a specific certificate to an interface, click Assign Certificate to enable access. Cisco AnyConnect VPN Client Administrator Guide 5-8 OL-12950-012 This opens the SSL Settings dialog box (Figure 5-8). Configuring, Enabling, and ... AnyConnect Features Using ASDM Figure 5-7 SSL VPN Connection Profiles Dialog Box In the Access Interfaces area, select the check box Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on which you want to Interface. Then select the check boxes for the ...
Administration Guide
Page 51
... transferred. You can configure compression globally using the CLI command compression svc command from the drop-down list. By default, compression for specific groups or users. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-9 If you do not specify a certificate for SSL authentication on the security appliance, both at the global...
Administration Guide
Page 52
... Cisco AnyConnect VPN Client Administrator Guide OL-12950-012 The global setting overrides the group-policy and username settings. Configuring, Enabling, and Using Other AnyConnect Features Chapter 5 Configuring AnyConnect Features Using ASDM Changing Compression Globally To change compression for a specific group.... In the following paths: • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local...
Administration Guide
Page 53
...is set to disable (or to ensure that an AnyConnect client or SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the client does not disconnect...Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-11 Adjusting the frequency also ensures that the connection can ...Setting Configuring, Enabling, and Using Other AnyConnect Features By default, for the specific group policy or username.
Administration Guide
Page 56
... this setting are: • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client > Dead Peer Detection • Configuration > Remote Access VPN > Network...User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Dead Peer Detection Figure 5-12 shows an example of configuring the Dead Peer Detection setting for a specific group or user, and ...an internal group policy. 5-14 Cisco AnyConnect VPN Client Administrator Guide OL-12950-012 Fallback to TLS, if necessary.
Administration Guide
Page 57
... Detection-Deselect the Disable check box to specify that dead-peer detection is performed by the security appliance (gateway). There is no specific configuration of the session after they disconnect. Enter the interval, from 30 to 3600 seconds, with which the client performs dead-peer...they remain secure while they are connected, and attempts to remove traces of AnyConnect required to use dynamic access policies. The Cisco AnyConnect VPN Client supports the Secure Desktop functions of multiple group membership and endpoint security for VPN connections. For detailed information about...
Administration Guide
Page 58
There is no specific configuration of AnyConnect required to use Secure Desktop. Configuring, Enabling, and Using Other AnyConnect Features Chapter 5 Configuring AnyConnect Features Using ASDM Cisco Secure Desktop for Cisco ASA 5500 Series Administrators (Software Release 3.2). 5-16 Cisco AnyConnect VPN Client Administrator Guide OL-12950-012 For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Windows 2000 and Windows XP.
Administration Guide
Page 60
... the client or go to the WebVPN portal page and waits the duration of real-time applications that are sensitive to packet delays. Cisco AnyConnect VPN Client Administrator Guide 6-2 OL-12950-012 svc ask enable default webvpn immediately goes to TLS. however, DTLS is enabled;...the svc ask command from DTLS to the portal page. Prompting Remote Users Chapter 6 Configuring AnyConnect Features Using CLI Enabling DTLS Globally for a Specific Port To enable DTLS globally for a particular port, use the dtls port command: [no] dtls port port_number For example: hostname(config-webvpn)#...
Administration Guide
Page 63
... for all SSL VPN connections globally: hostname(config)# no compression svc OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 6-5 The global setting overrides the group-policy and username ...use the no compression svc To remove the command from global configuration mode. When you specifically configure the AnyConnect client to provide a user ID and password. asa2(config-tunnel-webvpn...keyword certificate in group-policy and username webvpn modes. This displays the Add or Edit SSL VPN Connect Profile dialog box with a username and password or using the compression...