AnyConnect VPN and DAP

I'm trying to find a way to migrate from IPsec to AnyConnect. I configured AnyConnect successfully, but not the way I want. With IPsec, I have one profile for all our staff and distinct individual profiles for vendors who need some access to servers or networks of theirs. Since we started looking at AnyConnect we enabled LDAP on the ASA. My question is: how can I assign one user an ACL that only allows them to access a single server or device? I created a DAP, but I don't see where I can add AD groups or users.

In the DAP, you can use the AAA attribute type "Cisco" and match on "Username".

Alternatively, you can place the user in a different LDAP group and configure a different group policy for that specific access.

Hope it will be useful.
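The second approach (LDAP group to group policy, with a vpn-filter that only permits one server) as an added ASA configuration example; it is not from the post above. The LDAP server address, base DN, group DNs, the server 10.1.1.50 and all object names are assumed values.

```text
! Added example, not from the original post. Assumed values: LDAP server
! 192.0.2.10, base DN dc=example,dc=com, AD group "VPN-Vendor-Acme",
! the single permitted server 10.1.1.50 (RDP only). Adjust to your site.
!
! 1. ACL that becomes the per-session VPN filter: one server, one port,
!    everything else denied and logged.
access-list ACME_VENDOR_FILTER extended permit tcp any host 10.1.1.50 eq 3389
access-list ACME_VENDOR_FILTER extended deny ip any any log
access-list ACME_VENDOR_SPLIT standard permit host 10.1.1.50
!
! 2. Restrictive group policy for that vendor. vpn-filter is enforced on the
!    AnyConnect session whichever tunnel-group the user connected to.
group-policy GP_VENDOR_ACME internal
group-policy GP_VENDOR_ACME attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACME_VENDOR_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACME_VENDOR_SPLIT
!
! 3. Fallback policy for anyone who matches no mapped group: no session.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4. Map the AD memberOf value onto the ASA group-policy name.
!    A user in several mapped groups gets the first memberOf value the
!    directory returns that has a map-value, so keep vendor and staff
!    groups disjoint rather than relying on ordering.
ldap attribute-map AD_GROUP_TO_GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Vendor-Acme,OU=Groups,DC=example,DC=com" GP_VENDOR_ACME
 map-value memberOf "CN=VPN-Staff,OU=Groups,DC=example,DC=com" GP_STAFF
!
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD_GROUP_TO_GP
!
! 5. The tunnel-group authenticates against AD and lands unmapped users on
!    GP_NOACCESS, so a vendor can never inherit the staff policy.
tunnel-group ANYCONNECT general-attributes
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
!
! Check the result for a test login:
! show vpn-sessiondb detail anyconnect filter name <user>
!   (look at "Group Policy" and "Filter Name")
```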

Tags: Cisco Security

Similar Questions

  • Can Cisco AnyConnect VPN and IPsec coexist on an ASA 5520?

    Can a Cisco ASA 5520 which has been configured as an IPsec VPN gateway also be configured as an AnyConnect VPN gateway, and serve both IPsec VPN clients and AnyConnect VPN clients at the same time? Any negative impact on performance, or any other problem that anyone knows of?

    I guess that by the 2-connection limit you are referring to the 2 licenses for AnyConnect? You should consider using the AnyConnect Essentials license, which is relatively cheap (100-200 dollars I think) and will take you to the platform limit with AnyConnect.

    You shouldn't have any problem using the IPsec client with LDAP. It is quite common; my company runs IPsec and AnyConnect off the same interface using LDAP authentication (even the same group policy) for the two.

    -Jason

  • AnyConnect VPN and HP OfficeJet Pro 8500 A910

    I can print from my IBM T400 laptop running Windows 7 64-bit. However, when I log in to work over AnyConnect VPN, I can't print. It says that the printer is disconnected from the network, even though it is connected. IT support at work said they can't change or adjust the VPN settings. The only way I can print is to disconnect from the VPN. Is this something I can adjust in the printer software or on the printer itself?

    Hello

    Being able to print on the local network while you are connected to a remote VPN network might be possible by changing the VPN split tunneling configuration.

    However, it depends on the VPN features and may not be authorized because of the security requirements of your IT department.

    Anyway, there is no way to configure such a thing on the printer or in the printer software... It is directly affected by the network configuration and therefore requires modifying the VPN settings.

    Kind regards

    Shlomi

  • AnyConnect VPN and LAN access

    When remote users connect to the Cisco ASA VPN and authenticate with the Cisco AnyConnect client, they then have full access to the internal corporate LAN environment as if they were sitting at their desks in the corporate office.

    Right?

    After the remote client authenticates to the AnyConnect VPN, is it sensible to then run the remote users' traffic through the corporate firewall (outside to inside) before allowing full corporate LAN access?

    Remote_User - AnyConnect VPN - (outside) firewall (inside) - CORP_LAN

    Thank you

    Frank

    Hello

    Yes, by default, all traffic will be sent through the tunnel.

    If there are resources VPN users shouldn't be able to reach, you need to establish access rules for that. The best way to do this is by using a VPN filter.

  • ASA5505 SSL AnyConnect VPN and NAT reverse path failure

    I have worked on this for a while and just have not found a solution yet.

    I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect VPN client with it. I followed the ASA 8.x split-tunnel example but I'm still missing something.

    My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation running at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside address of the router itself is 10.170.0.1.

    I can connect from the outside and am assigned the IP address 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:

    5 | January 27, 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:13 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

    I tried several things with NAT but was not able to get beyond that. Would anyone mind looking at my running config and helping me with this? Thanks a bunch!

    -Tim

    A couple of points to check.

    name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool

    access-list inside_nat0_outbound extended permit ip 255.255.0.0 255.255.255.0 UFP-VPN-pool

    looks like it should be

    access-list inside_nat0_outbound extended permit ip UFP-VPN-pool 255.255.255.0 255.255.255.0

  • AnyConnect VPN and a site-to-site VPN tunnel on the same outside interface of the firewall.

    I have a remote access VPN (no connection) and an IPsec tunnel connection back to our supplier, both on the same outside interface of the firewall.

    The problem is that when remote users VPN in, they are not able to ping or reach the provider network over the tunnel.

    Now, I understand that this is a hairpin or U-turn traffic issue, but I'm still not able to understand how the remote VPN users can reach the provider network over the tunnel that terminates on the same interface where the remote access VPN is also configured.

    The firewall is an ASA 5510 running version 9.1.

    Any suggestions please.

    Hello

    You are on the right track. U-turning will be required to allow VPN clients access to resources across the L2L VPN tunnel.

    The essence is that the split-tunneling access list must include the subnets of the remote VPN peer, so that once the user connects they have routes to the remote resources over the AnyConnect VPN.

    Please go through this post; it will guide you on how to set up the U-turn on the ASA.
    https://supportforums.Cisco.com/document/52701/u-turninghairpinning-ASA

    http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/100918-ASA-sslvpn-00.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Configuration of Cisco ACS 5.3 for AnyConnect VPN and management of a Cisco ASA 5500.

    We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups. It works, but it works too well.

    We have a group called XXX that needs to have access via the Cisco AnyConnect client. We have selected this group from our Active Directory and added it to our ACS configuration. We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

    We added XXX under Policy Elements > Network Access > Authorization Profiles. We also have a profile for YYY.

    It keeps hitting our default service rule that says permit all.

    We have also created a default network access rule for this.

    I am at a loss. I'm sure I missed a checkbox or something.

    Any help would be really appreciated.

    Dwane

    Are you using TACACS+ for ASA management and RADIUS for VPN access?

    For administration, you must change the Default Device Admin access policy and create an authorization policy. Likewise, you can change the Default Network Access policy for VPN access and create a respective policy for that too.

    On the ASA, you must configure both TACACS+ and RADIUS as server groups.

    For administration, you can set TACACS+ as the external authentication under the aaa-server commands:

    aaa-server TACACS protocol tacacs+

    aaa authentication http console TACACS

    aaa authentication telnet console RADIUS LOCAL

    aaa authentication ssh console TACACS LOCAL

    aaa authentication enable console RADIUS LOCAL

    For VPN, you must set RADIUS authentication under the tunnel-group.

    I hope this helps.

    Kind regards

    Jousset

    The rate of useful messages-

  • Cisco ASA and AnyConnect VPN certificate error

    Hello

    I am trying to configure Cisco AnyConnect VPN and everything works, but I get this warning message when the connection is opened:

    I don't have a public certificate on the ASA. Is it possible to use a self-signed certificate and get rid of this warning message?

    Hello

    This is expected behavior on the ASA for an SSL connection. You can certainly use a self-signed certificate on the ASA and then apply it to the outside interface.
    Once done, you will need to install this certificate on the clients, and that will get rid of the popup error message.

    Here is a document you can refer to for creating a self-signed certificate.
    https://supportforums.Cisco.com/document/44116/ASA-self-signed-certificate-WebVPN

    Kind regards
    Dinesh Moudgil

    PS Please note the useful messages.

  • AnyConnect VPN migration issues

    Hi, I am doing an AnyConnect VPN migration from one ASA to another. I need your suggestions. The migration must transfer the customization and the AnyConnect VPN configuration. After reviewing some documents, it looks like the configuration and customization are not the only things that need to be transferred. Can anyone give some suggestions on exactly what needs to be transferred in addition to the VPN customization and configuration? Thank you

    Hello

    Although copying the configuration from one firewall to another will get all the AnyConnect rules and the setup completed, the flash content (i.e. AnyConnect packages, AnyConnect profiles, AnyConnect customizations, bookmarks and DAP profiles) is not transferred to the other ASA. They must be uploaded manually to the new ASA again.

    Another way to do this is through ASDM:

    Go to Tools > Backup Configurations:

    Select the VPN components you want to create a backup for.

    NOTE:
    This backup will be restored as a whole via ASDM and will replace the other configuration.
    So you might want to restore the backup to a fresh firewall and then import the configuration and the images onto the ASA.

    Otherwise, you can go the usual path: copy the AnyConnect configuration first and then manually transfer the AnyConnect flash components from one ASA to the other.

    **********

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • ASA AnyConnect VPN does not work or download the VPN client

    I have a Cisco ASA 5505 on which I'm trying to configure AnyConnect VPN. I've changed my setup several times, but when I try to reach the static public IP address of the outside interface to download the image, I am not able to. Also, when I run packet-tracer I see the packet is dropped by the ACL: when the packets come from outside to the ASA on port 443, they are dropped because of the ACL. So anything trying to reach the ASA VPN on port 443 ends up looking like traffic for my DMZ. Here is my config:

    XXXX# sh run
    : Saved
    :
    ASA Version 8.4(3)
    !
    hostname XXXX
    domain-name <domain omitted in original post>
    enable password pFTzVNrKdD9x5rhT encrypted
    passwd zPBAmb8krxlXh.CH encrypted
    names
    !
    interface Ethernet0/0
     description Outside-interface
     switchport access vlan 20
    !
    interface Ethernet0/1
     description Uplink DMZ
     switchport access vlan 30
    !
    interface Ethernet0/2
     switchport access vlan 10
    !
    interface Ethernet0/3
     switchport access vlan 10
    !
    interface Ethernet0/4
     description TACACS+ ID
     switchport access vlan 10
     switchport monitor Ethernet0/0
    !
    interface Ethernet0/5
     switchport access vlan 10
    !
    interface Ethernet0/6
     switchport access vlan 10
    !
    interface Ethernet0/7
     description Wireless_AP_Loft
     switchport access vlan 10
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address x.x.x.249 255.255.255.248
    !
    interface Vlan30
     no forward interface Vlan10
     nameif dmz
     security-level 50
     ip address 172.16.30.1 255.255.255.0
    !
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup dmz
    dns server-group DefaultDNS
     name-server 8.8.8.8
     name-server 8.8.4.4
     domain-name <domain omitted in original post>
    object network obj_any1
     subnet 0.0.0.0 0.0.0.0
    object network Webserver_DMZ
     host 172.16.30.8
    object network Mailserver_DMZ
     host 172.16.30.7
    object network DMZ
     subnet 172.16.30.0 255.255.255.0
    object network FTPserver_DMZ
     host 172.16.30.9
    object network Public-IP-subnet
     subnet x.x.x.248 255.255.255.248
    object network FTPserver
     host 172.16.30.8
    object network inside
     subnet 192.168.10.0 255.255.255.0
    object network VPN_SSL
     subnet 10.101.4.0 255.255.255.0
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq www log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 587 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq smtp log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq pop3 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 2525 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq imap4 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 465 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 993 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 995 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq 5901 log
    access-list outside_in extended permit tcp any object Mailserver_DMZ eq https log
    access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
    access-list vpn_SplitTunnel standard permit 192.168.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 8192
    logging trap warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    ip local pool VPN_SSL 10.101.4.1-10.101.4.4 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static inside inside destination static VPN_SSL VPN_SSL
    nat (outside,inside) source static VPN_SSL VPN_SSL
    !
    object network obj_any1
     nat (inside,outside) static interface
    object network Webserver_DMZ
     nat (dmz,outside) static x.x.x.250
    object network Mailserver_DMZ
     nat (dmz,outside) static x.x.x.251
    object network DMZ
     nat (dmz,outside) static interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server HNIC protocol tacacs+
    aaa-server HNIC (inside) host 192.168.10.2
     timeout 60
     key *****
    user-identity default-domain LOCAL
    aaa authentication http console HNIC
    aaa authentication ssh console HNIC
    aaa authentication telnet console HNIC
    aaa authentication secure-http-client
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ca trustpoint localtrust
     enrollment self
     crl configure
    crypto ca trustpoint VPN_Articulate2day
     enrollment self
     subject-name CN=vpn.articulate2day.com
     keypair sslvpnkey
     crl configure
    telnet 192.168.10.0 255.255.255.0 inside
    telnet timeout 30
    ssh 192.168.10.0 255.255.255.0 inside
    ssh timeout 15
    ssh version 2
    console timeout 0
    no vpn-addr-assign aaa

    dhcp-client update dns
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd auto_config outside
    !
    dhcpd address 192.168.10.100-192.168.10.150 inside
    dhcpd enable inside
    !
    dhcpd address 172.16.30.20-172.16.30.23 dmz
    dhcpd enable dmz
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp authenticate
    ntp server 192.168.10.2
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-linux-64-3.1.06079-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy VPN_SSL internal
    group-policy VPN_SSL attributes
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn_SplitTunnel
     address-pools value VPN_SSL
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl keepalive 15
      anyconnect ssl compression deflate
      anyconnect ask enable
    username ronmitch50 password spn1SehCw8TvCzu7 encrypted
    username ronmitch50 attributes
     service-type remote-access
    tunnel-group VPN_SSL_Clients type remote-access
    tunnel-group VPN_SSL_Clients general-attributes
     address-pool VPN_SSL
     default-group-policy VPN_SSL
    tunnel-group VPN_SSL_Clients webvpn-attributes
     group-alias VPNSSL_GNS3 enable
    tunnel-group VPN_SSL type remote-access
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect esmtp
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email <address obfuscated in original post>
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    XXXX#

    You have this in your configuration:

     object network DMZ
      nat (dmz,outside) static interface

    Try replacing it with this (or delete it):

     object network DMZ
      nat (dmz,outside) dynamic interface

  • How AnyConnect VPN users will connect to a Cisco ASA that uses a RADIUS server (domain controller) for authentication

    Hi team

    Hope you are doing well!

    Currently I am doing a project consisting of a Cisco ASA 5545-X and a RADIUS (domain controller) server for authentication. Here I need to configure AnyConnect VPN and host checker on the Cisco ASA.

    1. Users connect: the user browses to the SSL VPN and a popup asks for username and password.

    2. Authentication (Cisco ASA): the VPN sends the credentials to the RADIUS server.

    3. RADIUS server authentication: receives the request and returns the SSL VPN (ASA) group.

    4. Connectivity creation: if it is an employee PC, NAW compliance is verified; if not, the PC is checked. Assign the user to the appropriate role and give an IP.

    This is my requirement, so could someone please guide me on how to set it up step by step.

    1. How to set up the RADIUS server?

    2. How to configure the Cisco ASA?

    Thanks in advance.

    Hey Chick,

    Please consult the following page for setting up the RADIUS server as well as the ASA. On the ASA end there is frankly not much difference in doing this.

    http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

    Hope this helps

    Knockaert

  • Site-to-site VPN and AnyConnect on the same interface

    Can you configure the ASA firewall to allow AnyConnect VPN and then allow the AnyConnect users' traffic to cross the site-to-site VPN tunnel on the same firewall to a remote site? Users on the local network can connect to the remote site via the VPN tunnel, but AnyConnect users cannot.

    Thank you

    Of course, it is a common requirement. You just need to make sure to include the address pool of the AnyConnect users in the access list referenced by the crypto map used for the site-to-site tunnel.
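The U-turn setup described in this thread and in the ASA 5510 / 9.1 thread above, as one added configuration example (not from either post, and not Cisco's document). All addresses, object names, the peer 203.0.113.5 and the crypto map name are assumed values.

```text
! Added example, not from the original posts. Assumed: AnyConnect pool
! 10.10.10.0/24, inside LAN 192.168.1.0/24, supplier network 172.20.0.0/24
! behind L2L peer 203.0.113.5, crypto map OUTSIDE_MAP, ASA 9.1 NAT syntax.
!
object network AC_POOL
 subnet 10.10.10.0 255.255.255.0
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network SUPPLIER_NET
 subnet 172.20.0.0 255.255.255.0
!
! 1. Allow traffic that arrived on "outside" to leave on "outside" again.
!    Without this the ASA silently drops the hairpinned packets.
same-security-traffic permit intra-interface
!
! 2. The L2L crypto ACL must carry the AnyConnect pool as well as the LAN.
!    The supplier has to mirror the pool entry on their side, or their
!    ASA rejects the proposal for that traffic selector.
access-list L2L_SUPPLIER extended permit ip object LAN object SUPPLIER_NET
access-list L2L_SUPPLIER extended permit ip object AC_POOL object SUPPLIER_NET
!
! 3. NAT exemption for both legs. The (outside,outside) rule is the one
!    usually forgotten: if the pool gets PATed to the interface address the
!    crypto ACL never matches and you see 305013 / no encaps on the SA.
nat (inside,outside) source static LAN LAN destination static SUPPLIER_NET SUPPLIER_NET no-proxy-arp route-lookup
nat (outside,outside) source static AC_POOL AC_POOL destination static SUPPLIER_NET SUPPLIER_NET no-proxy-arp route-lookup
!
! 4. The split-tunnel list pushed to the client must contain the supplier
!    subnet, otherwise the client never sends that traffic into the tunnel.
access-list AC_SPLIT standard permit 192.168.1.0 255.255.255.0
access-list AC_SPLIT standard permit 172.20.0.0 255.255.255.0
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AC_SPLIT
!
! 5. The existing site-to-site tunnel, shown so the ACL reference is visible.
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_SUPPLIER
crypto map OUTSIDE_MAP 10 set peer 203.0.113.5
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verify the path from a pool address before involving the supplier:
! packet-tracer input outside tcp 10.10.10.5 1025 172.20.0.10 443 detailed
! show crypto ipsec sa peer 203.0.113.5   (expect a 10.10.10.0/24 SA)
```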

  • IOS anyconnect vpn group lock and user restrictions

    Dear Experts,

    I now have two questions about Cisco IOS VPN on ISR G2:

    1. Is it possible to lock a user to a group in IOS AnyConnect VPN as we can do on the ASA? If so, can someone share the steps for it?

    2. A customer wishes to restrict AnyConnect user login so that the connection can be turned on for the user on request. That is, whenever the user wants to connect via VPN they ask the administrator to allow the connection. Can we do this without deleting the username and creating it again?

    Either could be on ASA or IOS.

    Please see this guide:

    http://www.Cisco.com/c/en/us/support/docs/security/iOS-easy-VPN/117634-c...

    As it points out, "For Cisco IOS group-lock and IPsec, use vpn-group; it only works for IPsec (the Easy VPN server). In order to group-lock specific users into specific WebVPN contexts (and the attached group policies), authentication domains should be used."

    If you lock a user to a policy that authenticates but does not provide real access permissions (say an ACL that blocks all traffic to the private network), then you have essentially made their ability to connect non-functional.

    If you use an external AAA server (for example RADIUS or LDAP), then you can move them in and out of the authorized group without disabling VPN access or deleting their account altogether.

  • Can Mac and PC clients both reach the same ASA for AnyConnect VPN?

    Hi, we have Mac and PC users. We are configuring AnyConnect VPN on an ASA. But the two kinds of users need two kinds of images. We must therefore use the two commands:

    anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg

    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg

    It seems these two commands cannot coexist on an ASA. How to solve the problem? I hope for your suggestion. Thank you

    They can co-exist, but you must add different sequence numbers at the end of each command.

  • AnyConnect VPN Microsoft CA and a Public certificate

    Hello

    I'm looking for some help with a scenario. I'm no expert in networks by any stretch and I won't implement it myself, but I need to try to understand if what I'm looking for is possible.

    We are implementing an AnyConnect VPN with certificate authentication from our own internal Microsoft CA. I have a product which will distribute certificates from a template to mobile devices rather than the ASA itself. We have our CA and an identity certificate on the ASA and the authentication is working.

    However, the iOS AnyConnect application complains that the VPN is not trusted.

    So from there, I gather that I need a public certificate on the ASA, but can I still have the Microsoft CA certificate and identity certificate doing the authentication of the end users?

    I may have written some of it wrong, but I think this gives an idea of where I'm going.

    Pointers would be greatly appreciated.

    Yes; iOS is somewhat capricious and won't trust internal-CA-issued certificates. You can buy and install a certificate from a well-known public certification authority to identify your ASA. That will be the certificate bound to the ASA outside interface and it will allow iOS-based clients (and all others) to connect using this certificate.

    This is distinct from the device or user certificates on the clients. Those can still be used; as long as the ASA has imported the Microsoft CA (its public key) as a trusted CA, the two can co-exist.
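The two-trustpoint arrangement from this answer (public certificate on the outside interface, internal Microsoft CA only for validating client certificates) as an added ASA example; it is not from the post. The trustpoint names, vpn.example.com, the CRL URL, the group policy and the tunnel-group name are assumed values, and the certificate contents pasted at the prompts are not shown.

```text
! Added example, not from the original post. Assumed names: trustpoint
! PUBLIC_ID (purchased certificate), trustpoint CORP_MSCA (internal
! Microsoft CA), tunnel-group AC_CERT, group-policy GP_ANYCONNECT.
!
! 1. Identity certificate from a public CA. This is what the ASA presents
!    on the outside interface, so iOS (and every other client) trusts the
!    TLS session with no root or profile pushed to the device.
crypto ca trustpoint PUBLIC_ID
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair PUBLIC_ID_KEY
 crl configure
! paste the public CA chain, then the CSR goes to the CA, then the cert:
crypto ca authenticate PUBLIC_ID
crypto ca enroll PUBLIC_ID
crypto ca import PUBLIC_ID certificate
! bind it to the interface the clients connect to
ssl trust-point PUBLIC_ID outside
!
! 2. Internal Microsoft CA, imported ONLY as a trusted root for validating
!    the user/device certificates issued from the template. It is never
!    bound with ssl trust-point, so it never appears in the TLS handshake.
crypto ca trustpoint CORP_MSCA
 enrollment terminal
 validation-usage ssl-client
 revocation-check crl
 crl configure
  policy static
  url 1 http://pki.example.com/CertEnroll/CorpCA.crl
! paste the Microsoft root CA certificate:
crypto ca authenticate CORP_MSCA
!
! 3. Tunnel-group: the client must present a certificate that chains to
!    CORP_MSCA; revocation is checked against the CRL above.
group-policy GP_ANYCONNECT internal
tunnel-group AC_CERT type remote-access
tunnel-group AC_CERT general-attributes
 default-group-policy GP_ANYCONNECT
tunnel-group AC_CERT webvpn-attributes
 authentication certificate
!
! 4. Confirm which certificate each side is using:
! show ssl                               (trust-point bound per interface)
! show crypto ca certificates CORP_MSCA  (root present, validity dates)
! show vpn-sessiondb detail anyconnect   (client certificate subject)
```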
