Cisco AnyConnect Secure Mobility Client v2.x Technical Manual
Then, instruct the ASA to use this certificate for SSL:
ssl trust-point testCA
Next is the basic webvpn (SSLVPN) configuration where the feature is enabled on the outside interface.
Client packages that are available for download are defined, and a profile is defined (more on this
later):
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
 anyconnect profiles asa9-ssl-ipv4v6 disk0:/asa9-ssl-ipv4v6.xml
 anyconnect enable
In this basic example, the IPv4 and IPv6 address pools, DNS server information (that will be
pushed to the client) and a profile are configured in the default group-policy (DfltGrpPolicy). Many more
attributes can be configured here, and optionally you can define different group-policies for different sets of users.
Note: The "gateway-fqdn" attribute is new in version 9.0 and defines the FQDN of the ASA as it is known in
the DNS. The client learns this FQDN from the ASA and will use it when roaming from an IPv4 to an IPv6
network or vice versa.
group-policy DfltGrpPolicy attributes
 dns-server value 10.48.66.195
 vpn-tunnel-protocol ssl-client
 gateway-fqdn value asa9.example.net
 address-pools value pool4
 ipv6-address-pools value pool6
 webvpn
  anyconnect profiles value asa9-ssl-ipv4v6 type user
Next, configure one or more tunnel-groups. The default one (DefaultWEBVPNGroup) is used for this
example and is configured to require the user to authenticate using a certificate:
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
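An added example, not part of the Cisco manual: a Python check that parses a saved running-config excerpt and verifies the settings configured above (SSL trustpoint bound, certificate authentication on the tunnel-group, gateway-fqdn present when both address pools are set, referenced profile defined under webvpn), and flags U+2212 minus signs that a PDF copy can leave in place of hyphens. It assumes sub-commands keep the leading-space indentation of the ASA's running-config output; `SAMPLE`, `parse_blocks` and `audit` are hypothetical names, and the sample is this page's configuration retyped with ASCII hyphens.

```python
# Constructed sample: this page's ASA configuration, retyped with ASCII hyphens.
SAMPLE = """\
ssl trust-point testCA
webvpn
 enable outside
 anyconnect profiles asa9-ssl-ipv4v6 disk0:/asa9-ssl-ipv4v6.xml
group-policy DfltGrpPolicy attributes
 gateway-fqdn value asa9.example.net
 address-pools value pool4
 ipv6-address-pools value pool6
 webvpn
  anyconnect profiles value asa9-ssl-ipv4v6 type user
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
"""

def parse_blocks(text):
    """Map each top-level command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(text):
    """Return findings for a saved config; an empty list means every check passed."""
    findings = []
    if "\u2212" in text:  # PDF copies can carry U+2212 instead of '-'
        findings.append("U+2212 minus signs present: retype as ASCII hyphens")
        text = text.replace("\u2212", "-")
    blocks = parse_blocks(text)
    if not any(cmd.startswith("ssl trust-point ") for cmd in blocks):
        findings.append("no ssl trust-point bound for SSL")
    defined = {s.split()[2] for s in blocks.get("webvpn", [])
               if s.startswith("anyconnect profiles ") and len(s.split()) > 3}
    for cmd, subs in blocks.items():
        if cmd.startswith("tunnel-group ") and cmd.endswith(" webvpn-attributes"):
            if not any(s.split()[0] == "authentication" and "certificate" in s for s in subs):
                findings.append(f"{cmd.split()[1]}: certificate authentication not required")
        if cmd.startswith("group-policy ") and cmd.endswith(" attributes"):
            keys = {s.split()[0] for s in subs}
            if {"address-pools", "ipv6-address-pools"} <= keys and "gateway-fqdn" not in keys:
                findings.append(f"{cmd.split()[1]}: dual-stack pools without gateway-fqdn")
            for s in subs:
                if s.startswith("anyconnect profiles value ") and s.split()[3] not in defined:
                    findings.append(f"{cmd.split()[1]}: profile {s.split()[3]} not defined under webvpn")
    return findings
```

Call `audit()` on the text saved from the ASA; a config pasted without its indentation loses the block structure, so nested settings are reported as missing.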
By default, the AnyConnect client attempts to connect over IPv4 and, only if this fails, attempts to connect
over IPv6. However, this behavior can be changed by a setting in the XML profile. The AnyConnect profile
"asa9-ssl-ipv4v6.xml" that is referenced in the configuration above was generated using the Profile Editor in
ASDM (Configuration - Remote Access VPN - Network (Client) Access - AnyConnect Client Profile).