User Manual
Page 1
... their defaults: • The privileged mode (enable) password that they can customize the security policy to administer the ASA through ASDM and the CLI • When using DHCP. Step 5 Leave the username and password fields empty and click OK. Step 3 Connect the AC power ....) Step 4 Check the Power LED on . LINK/ACT Indicator Power Indicator LINK/ACT Power Status Active VPN SSC 100 MBPS 0 0 0 0 0 0 0 0 Cisco ASA 5505 series 0 Adaptive Security Appliance If a LINK/ACT LED is not lit, the link could be down due to indicate a physical link is recommended or required...
Administration Guide
Page 4
...Client and Configuring the Security Appliance with ASDM 1 4 C H A P T E R Installing the AnyConnect Client on a Security Appliance Using CLI 1 Enabling AnyConnect Client SSL VPN Connections Using CLI 2 Disabling Permanent Client Installation 4 5 C H A P T E R Configuring AnyConnect Features Using ASDM 1 Enabling Datagram Transport Layer Security (...14 Configuring the Dynamic Access Policies Feature of the Security Appliance 15 Cisco Secure Desktop Support 15 6 C H A P T E R Configuring AnyConnect Features Using CLI 1 Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL)...
Administration Guide
Page 5
... N D I X OL-12950-012 Configuring and Using AnyConnect Client Operating Modes and User Profiles 1 AnyConnect Client Operating Modes 1 Using the AnyConnect CLI Commands to Connect (Standalone Mode) 1 Connecting Using WebLaunch 3 User Log In and Log Out 4 Logging In 4 Logging Out 4 Configuring and Using... AnyConnect Client 11 XML Settings for Enabling SBL 11 CLI Settings for Enabling SBL 11 Configuring the ServerList Attribute ...Language Localization 7 Creating or Modifying a Translation Table Using CLI 8 Monitoring and Maintaining the AnyConnect Client 1 Viewing AnyConnect Client and SSL VPN...
Administration Guide
Page 8
... Using CLI" Chapter 5, "Configuring AnyConnect Features Using ASDM" Describes how to use ASDM to access the required files and install the Cisco AnyConnect VPN Client on the security appliance and on the security appliance. Chapter 7, "Configuring and Using AnyConnect Client Operating Modes and User Profiles" Describes how to the following documentation: • Cisco ASA...
Administration Guide
Page 11
... but the focus in this document is primarily on Windows systems. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 1-1 See the Release Notes for getting the Cisco AnyConnect VPN Client up and running ASA version 8.0 and higher or ASDM 6.0 and higher. The AnyConnect client includes the ... the client as a PC application without the need to use a web browser to establish a connection. • Command Line Interface (CLI)-Provides direct access to remote users when they log in the user interface and define the names and addresses of platform requirements and supported ...
Administration Guide
Page 19
...and authentication, and the security appliance identifies the user as necessary. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 2-1 When the client negotiates an SSL VPN connection with... matches the operating system of the remote computer. The AnyConnect client software part of the ASA Release 8.0(1) and later and ASDM Release 6.0 and later. It also describes how to ... to have it connects using the Adaptive Security Device Manager (ASDM) or the CLI command interface. DTLS avoids latency and bandwidth problems associated with the security appliance, it...
Administration Guide
Page 27
... anyconnect-macosx-powerpc-2.0.xxx.dmg This creates a VPN icon representing the installation package file. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 2-9 For example: [root@linuxhost]# cd ciscovpn [root@linuxhost]# ./vpn_install.sh ... PC Running MAC OSX The AnyConnect client image for installation are contained in the directory /opt/cisco/vpn. Double-click the vpn icon to the ciscovpn folder. The installation is complete. MSI...the user interface with the Linux command /opt/cisco/vpn/bin/vpnui or with a tar command. Change to initiate the installation. Unpack the archive...
Administration Guide
Page 29
...E R Installing the AnyConnect Client and Configuring the Security Appliance with ASDM Installing the client on the security appliance consists of the CLI commands include the prefix svc, indicating this similarity. With multiple clients, you must also assign the order in which they appear in...(Client) Access > Advanced > SSL VPN > Client Settings. The navigation pane displays features to the security appliance. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 3-1 In the navigation pane, click Remote Access VPN. Perform the following steps to install the client: ...
Administration Guide
Page 39
...svc image anyconnect-macosx-i386-2.0.0343-k9.pkg 2 hostname(config-webvpn)# svc image anyconnect-linux-2.0.0343-k9.pkg 3 OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 4-1 Note The AnyConnect client configuration uses the same parameters as the SSL VPN Client. anyconnect-win-2.0.0.0343... used by the most commonly-encountered operating system. 4 C H A P T E R Installing the AnyConnect Client on a Security Appliance Using CLI Installing the AnyConnect client on flash as an SSL VPN client package file using the svc image command from privileged EXEC mode, or using the...
Administration Guide
Page 40
... globally, using the show webvpn svc command: hostname(config-webvpn)# show webvpn svc 1. disk0:/anyconnect-linux-2.0.0343-k9.pkg 3 CISCO STC Linux 2,0,0 Tue Mar 27 04:06:53 MST 2007 3 SSL VPN Client(s) installed Enabling AnyConnect Client SSL VPN Connections Using...Client Administrator Guide 4-2 OL-12950-012 Enabling AnyConnect Client SSL VPN Connections Using CLI Chapter 4 Installing the AnyConnect Client on a Security Appliance Using CLI Note The security appliance expands SSL VPN client and the Cisco Secure Desktop images in webvpn mode. For example: hostname(config-webvpn)# dtls...
Administration Guide
Page 41
...the tunnel group telecommuters: hostname(config-tunnel-general)# default-group-policy sales Create and enable a group alias that displays in Cisco Security Appliance Command Reference. For more information about the vpn-tunnel-protocol command, see the command description in the group ...to global configuration mode, and then enter webvpn mode. Chapter 4 Installing the AnyConnect Client on a Security Appliance Using CLI Enabling AnyConnect Client SSL VPN Connections Using CLI Step 5 Step 6 Step 7 Step 8 Step 9 ip local pool poolname startaddr-endaddr mask mask The following example...
Administration Guide
Page 42
...svc For more information about assigning users to group policies, see "Configuring Tunnel Groups, Group Policies, and Users" in Cisco Security Appliance Command Line Configuration Guide. Disabling Permanent Client Installation Disabling permanent AnyConnect client installation enables the automatic uninstalling feature ...4-4 OL-12950-012 Disabling Permanent Client Installation Chapter 4 Installing the AnyConnect Client on a Security Appliance Using CLI To specify SSL as the only permitted tunneling protocol for subsequent connections. The following example configures the existing...
Administration Guide
Page 47
For more information about enabling IPv6, see Chapter 6, "Configuring AnyConnect Features Using CLI." Separate multiple strings with commas. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-5 Enabling Modules for them to use the command-line interface to configure IPv6;...Additional AnyConnect Features As new features are : • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users >...
Administration Guide
Page 51
By default, compression for all SSL VPN connections is enabled on each interface. You can configure compression globally using the CLI command compression svc command from the drop-down list. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 5-9 If you do not specify a certificate for specific groups or users. By default, if...
Administration Guide
Page 53
...keepalive messages to ensure that an AnyConnect client or SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the.... To set the frequency of keepalive messages, use the Keepalive Messages setting in the CLI). The paths to Inherit. Enabling AnyConnect Keepalives You can be enabled both globally (by...: • Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > Remote Access VPN > Network (Client) Access ...
Administration Guide
Page 59
6 C H A P T E R Configuring AnyConnect Features Using CLI The AnyConnect client includes the following features, which you do not enable DTLS, SSL VPN connections connect with an SSL VPN tunnel only.... 6-5 • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6 • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6 • Cisco Secure Desktop Support, page 6-6 • Enabling AnyConnect Rekey, page 6-6 • Enabling and Adjusting Dead Peer Detection, page 6-7 • Enabling AnyConnect Keepalives, page 6-8 Enabling...
Administration Guide
Page 60
... ] svc dtls enable If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. Cisco AnyConnect VPN Client Administrator Guide 6-2 OL-12950-012 The default is not enabled by default on any individual interface. svc ask enable default... the client or go to the WebVPN portal page and waits indefinitely for user response. Prompting Remote Users Chapter 6 Configuring AnyConnect Features Using CLI Enabling DTLS Globally for a Specific Port To enable DTLS globally for a particular port, use the dtls port command: [no] dtls port...
Administration Guide
Page 61
ASDM does not support IPv6. Configure an IPv6 Tunnel default gateway. Chapter 6 Configuring AnyConnect Features Using CLI Enabling IPv6 VPN Access svc ask enable default webvpn timeout value prompts the remote user to download the client or go to the ...Prompt Displayed to the WebVPN portal page, and waits the duration of enabling SSL VPN connections. Enable IPv6 on the inside interface. 3. OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 6-3 Configure an IPv6 address local pool for an IPv6 connection that enables IPv6 on the outside security-level 0 ip address...
Administration Guide
Page 62
...: hostname(config)# group-policy telecommuters attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# svc modules value vpngina Cisco AnyConnect VPN Client Administrator Guide 6-4 OL-12950-012 To minimize download time, the AnyConnect client requests downloads (from the ... attributes mode for the group policy telecommuters, enters webvpn configuration mode for Additional AnyConnect Features Chapter 6 Configuring AnyConnect Features Using CLI Step 2 ! Step 4 Configure an IPv6 Tunnel Default Gateway: ipv6 route inside security-level 100 ip address 10.10.0.1...
Administration Guide
Page 63
... Cisco AnyConnect VPN Client Administrator Guide 6-5 In the Authentication area, specify only Certificate as Secure Desktop and dynamic access policies, do not require that feature. For broadband connections, compression might result in the Connection Profiles area, select Add or Edit.... When you configure certificate-only authentication, users can also configure compression for specific groups or users. To configure certificate-only authentication using CLI, use the authentication command with digital certificate and ...