Cisco AnyConnect Secure Mobility Client v2.x Technical Manual

Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configuration
First, define a pool of IP addresses from which one address is assigned to each client that connects.
If you want the client to also carry IPv6 traffic over the tunnel, you also need a pool of IPv6 addresses. Both
pools are referenced later in the group-policy.
ip local pool pool4 172.16.2.100-172.16.2.199 mask 255.255.255.0
ipv6 local pool pool6 fcfe:2222::64/64 128
For IPv6 connectivity to the ASA, you need an IPv6 address on the interface that the clients will connect to
(typically the outside interface).
For IPv6 connectivity over the tunnel to inside hosts, you need IPv6 on the inside interface(s) as well.
interface Vlan90
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 
 ipv6 address 2001:db8:90::2/64
interface Vlan102
 nameif inside
 security-level 100
 ip address 192.168.102.2 255.255.255.0 
 ipv6 address fcfe:102::2/64
For IPv6, you also need a default route pointing to the next-hop router towards the Internet.
ipv6 route outside ::/0 2001:db8:90::5
route outside 0.0.0.0 0.0.0.0 203.0.113.5 1
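Added example (not part of the Cisco document): a Python check, run offline against the pool, interface and route lines shown above, that expands each pool to its first and last address and confirms that both default-route next hops sit on the outside interface's subnets. The function names and the embedded CONFIG string are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample: pool, outside-interface and route lines copied from this page.
CONFIG = """\
ip local pool pool4 172.16.2.100-172.16.2.199 mask 255.255.255.0
ipv6 local pool pool6 fcfe:2222::64/64 128
interface Vlan90
 nameif outside
 ip address 203.0.113.2 255.255.255.0
 ipv6 address 2001:db8:90::2/64
ipv6 route outside ::/0 2001:db8:90::5
route outside 0.0.0.0 0.0.0.0 203.0.113.5 1
"""

def pool_ranges(cfg):
    """Return {pool name: (first, last, count)} for IPv4 and IPv6 local pools."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?$", cfg, re.M):
        first, last = map(ipaddress.ip_address, m.group(2, 3))
        pools[m.group(1)] = (first, last, int(last) - int(first) + 1)
    # IPv6 form: <starting address>/<prefix length> <number of addresses>
    for m in re.finditer(r"^ipv6 local pool (\S+) (\S+)/(\d+) (\d+)$", cfg, re.M):
        first, count = ipaddress.ip_address(m.group(2)), int(m.group(4))
        last = first + (count - 1)
        net = ipaddress.ip_network(f"{first}/{m.group(3)}", strict=False)
        if last not in net:
            raise ValueError(f"pool {m.group(1)} runs past its /{m.group(3)} prefix")
        pools[m.group(1)] = (first, last, count)
    return pools

def interface_networks(cfg, nameif):
    """Collect the IPv4 and IPv6 networks on the interface carrying this nameif."""
    nets = []
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        if not re.search(rf"^ nameif {re.escape(nameif)}$", block, re.M):
            continue
        for addr, mask in re.findall(r"^ ip address (\S+) (\S+)", block, re.M):
            nets.append(ipaddress.ip_interface(f"{addr}/{mask}").network)
        for addr in re.findall(r"^ ipv6 address (\S+)", block, re.M):
            nets.append(ipaddress.ip_interface(addr).network)
    return nets

def default_routes_on_link(cfg, nameif):
    """Return {next hop: True/False}: is each default-route gateway on-link?"""
    nets, name = interface_networks(cfg, nameif), re.escape(nameif)
    hops = re.findall(rf"^route {name} 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    hops += re.findall(rf"^ipv6 route {name} ::/0 (\S+)", cfg, re.M)
    return {h: any(ipaddress.ip_address(h) in n for n in nets) for h in hops}
```

For the configuration on this page, pool6 expands to fcfe:2222::64 through fcfe:2222::e3 (128 addresses), pool4 holds 100 addresses, and both next hops are reported as on-link.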
In order to authenticate itself to the clients, the ASA needs to have an identity certificate. Instructions on how
to create or import such a certificate are beyond the scope of this document, but can be easily found in other
documents such as
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
The resulting configuration should look similar to the following:
crypto ca trustpoint testCA
 keypair testCA
 crl configure
...
crypto ca certificate chain testCA
 certificate ca 00
  30820312 308201fa a0030201 02020100 300d0609 2a864886 f70d0101 05050030 
  ...
  quit
 certificate 04
  3082032c 30820214 a0030201 02020104 300d0609 2a864886 f70d0101 05050030 
  ...
  quit