Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

Note: Download the AnyConnect VPN Client package (anyconnect-win*.pkg) from the Cisco ( customers only). Copy the AnyConnect VPN client to the ASA's flash memory, which is to be downloaded to the remote user computers in order to establish the SSL VPN connection with the ASA. Refer to the
The information in this document was created from the devices in a specific lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
The certificate authority on the ASA provides these functionalities:
Integrates basic certificate authority operation on the ASA.
Deploys certificates.
Provides secure revocation checking of issued certificates.
Provides a certificate authority on the ASA for use with browser-based (WebVPN) and client-based (AnyConnect) SSL VPN connections.
Provides trusted digital certificates to users, without the need to rely on external certificate authorization.
Provides a secure, in-house authority for certificate authentication and offers straightforward user enrollment by means of a website login.
Guidelines and Limitations
Supported in routed and transparent firewall mode.
Only one local CA server at a time can be resident on an ASA.
The ASA as a Local CA server feature is not supported in a failover setup.
The ASA acting as a Local CA server currently supports generation of SHA1 certificates only.
The local CA server can be used for browser-based and client-based SSL VPN connections.
Currently not supported for IPSec.
Does not support VPN load balancing for the local CA.
The local CA cannot be a subordinate to another CA. It can act only as the root CA.
Currently the ASA cannot enroll to the local CA server for its own identity certificate.
When a certificate enrollment is completed, the ASA stores a PKCS12 file containing the user's keypair and certificate chain, which requires about 2 KB of flash memory or disk space per enrollment. The actual amount of disk space depends on the configured RSA key size and certificate fields. Keep this guideline in mind when adding a large number of pending certificate enrollments on an ASA with a limited amount of available flash memory, because these PKCS12 files are stored in flash memory for the duration of the configured enrollment retrieval timeout.
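As an added example (not from this manual or Cisco), the following Python script uses the `cryptography` library to construct a stand-in for one enrollment bundle of the shape described above (a self-signed root CA plus one user certificate and keypair in a password-protected PKCS12) and audits it against the guidelines: the issuer must be a root, the user certificate must verify against it, and the signature hash, RSA key size and on-disk byte size are reported. The CA name, user name and password are constructed values; the stand-in CA signs with SHA-256, whereas the ASA local CA issues SHA1 certificates, which the `signature_hash` field makes visible when auditing a real bundle.

```python
"""Build and audit a PKCS12 enrollment bundle like the one an ASA local CA stores."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _make_cert(subject, issuer, pubkey, signer_key, is_ca):
    # Minimal X.509 v3 certificate; BasicConstraints marks CA vs. end-entity.
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer_key, hashes.SHA256())  # constructed CA uses SHA-256


def build_enrollment(user="user1", password=b"enroll-pw", key_bits=2048):
    # Constructed stand-in for one completed enrollment (names/password are not real values).
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "asa-local-ca")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user)])
    user_cert = _make_cert(user_name, ca_name, user_key.public_key(), ca_key, False)
    return pkcs12.serialize_key_and_certificates(
        user.encode(), user_key, user_cert, [ca_cert],
        serialization.BestAvailableEncryption(password))


def audit_pkcs12(data, password):
    # Report what a practitioner checks against the local CA guidelines.
    key, cert, chain = pkcs12.load_key_and_certificates(data, password)
    roots = [c for c in chain if c.subject == c.issuer]       # local CA must be a root
    verifies = False
    if len(roots) == 1 and cert.issuer == roots[0].subject:
        try:  # user cert must be signed by that root (RSA PKCS#1 v1.5)
            roots[0].public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         padding.PKCS1v15(), cert.signature_hash_algorithm)
            verifies = True
        except Exception:
            verifies = False
    return {"size_bytes": len(data), "key_bits": key.key_size,
            "signature_hash": cert.signature_hash_algorithm.name,
            "chain_len": len(chain), "root_only_issuer": len(roots) == 1,
            "chain_verifies": verifies}
```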
Configure
This section describes how to configure the Cisco ASA as a Local CA server.