When installing the AnyConnect client software for use by remote users, you have two installation options:
* Web deployment
* Manual predeployment
The choice ultimately depends on the evironment the AnyConnect remote-access VPN will be deployed to. For example, if users are seldom in the corporate office environment and spend the majority of their time on the road, the web deployment method of the installation may suit their needs because it allows for an easy automatic installation upon opening a URL to the SSL VPN service, which allows for the automatic download and installation of the client software.
When deploying your first full-tunnel AnyConnect SSL VPN on an ASA device, you must complete a number of steps before remote users can connect to the device and begin using the connection for access to internal resources:
* IP addressing: The ASA device requires an IP address for the external- and internal-facing interfaces (and any demilitarized zone [DMZ] or other internal networks that may be required). Therefore, you must know your organization's IP addressing policy to complete this step and assign the device-required addresses.
* Enable IPv6 access: This step is optional and should only need to be completed if your organization uses an internal IPv6 addressing scheme and you aim to extend the use of IPv6 to your VPN-connected clients. IPv6 is only supported with SSL connectivity and not IKEv2.
* Hostname, domain name, and Domain Name System (DNS): SSL requires the ASA to have a hostname and domain name combination configured before an RSA key pair can be generated to secure packets between the ASA and remote clients. Give your ASA a hostname and configure a domain name. In addition, configure the addresses of your organization's internal DNS servers to allow users access by fully qualified domain name (FQDN) to any internal or external resources they require through the SSL VPN tunnel after it has succesfully established.
* Enroll with a CA and become a member of a PKI: The use of SSL on your ASA device also requires the ASA to have an identity certificate installed, which for the successful authentication of the ASA.
* Enable the relevant interfaces for SSL/DTLS and AnyConnect client access: Before SSL, DTLS, IKEv2, and AnyConnect client access can occur, you need to specify which interface these services will be available on.
* Create a connection profile: In this step, create a new connection profile and enable it for use with SSL VPN connections. A connection profile provides your AnyConnect users with prelogin settings such as authentication and authorization methods, DNS servers and domain name, IP address pool, and so on.
I'll be using the AnyConnect VPN wizard in ASDM and choose web deployment as an example.
Download the AnyConnect .pkg file from Cisco.com (CCO login required) and upload it from PC local drive.
We login to the SSL VPN portal and choose the ANYCONNECT-PROF group from the drop-down menu. It will automatically prompt to download and install the AnyConnect software.
To verify, we go to Monitoring > VPN Statistics > Sessions > Filter by: AnyConnect (optionally click Details).
We could also view the same output via CLI using the command show vpn-sessiondb anyconnect.
* Web deployment
* Manual predeployment
The choice ultimately depends on the evironment the AnyConnect remote-access VPN will be deployed to. For example, if users are seldom in the corporate office environment and spend the majority of their time on the road, the web deployment method of the installation may suit their needs because it allows for an easy automatic installation upon opening a URL to the SSL VPN service, which allows for the automatic download and installation of the client software.
When deploying your first full-tunnel AnyConnect SSL VPN on an ASA device, you must complete a number of steps before remote users can connect to the device and begin using the connection for access to internal resources:
* IP addressing: The ASA device requires an IP address for the external- and internal-facing interfaces (and any demilitarized zone [DMZ] or other internal networks that may be required). Therefore, you must know your organization's IP addressing policy to complete this step and assign the device-required addresses.
* Enable IPv6 access: This step is optional and should only need to be completed if your organization uses an internal IPv6 addressing scheme and you aim to extend the use of IPv6 to your VPN-connected clients. IPv6 is only supported with SSL connectivity and not IKEv2.
* Hostname, domain name, and Domain Name System (DNS): SSL requires the ASA to have a hostname and domain name combination configured before an RSA key pair can be generated to secure packets between the ASA and remote clients. Give your ASA a hostname and configure a domain name. In addition, configure the addresses of your organization's internal DNS servers to allow users access by fully qualified domain name (FQDN) to any internal or external resources they require through the SSL VPN tunnel after it has succesfully established.
* Enroll with a CA and become a member of a PKI: The use of SSL on your ASA device also requires the ASA to have an identity certificate installed, which for the successful authentication of the ASA.
* Enable the relevant interfaces for SSL/DTLS and AnyConnect client access: Before SSL, DTLS, IKEv2, and AnyConnect client access can occur, you need to specify which interface these services will be available on.
* Create a connection profile: In this step, create a new connection profile and enable it for use with SSL VPN connections. A connection profile provides your AnyConnect users with prelogin settings such as authentication and authorization methods, DNS servers and domain name, IP address pool, and so on.
I'll be using the AnyConnect VPN wizard in ASDM and choose web deployment as an example.
Download the AnyConnect .pkg file from Cisco.com (CCO login required) and upload it from PC local drive.
We login to the SSL VPN portal and choose the ANYCONNECT-PROF group from the drop-down menu. It will automatically prompt to download and install the AnyConnect software.
I received the IP address of 10.1.1.10 /24 from the AnyConnect pool.
To verify, we go to Monitoring > VPN Statistics > Sessions > Filter by: AnyConnect (optionally click Details).
We could also view the same output via CLI using the command show vpn-sessiondb anyconnect.