Cisco ASA 5585-X Adaptive Security Appliance Technical Manual

ciscoasa# configure terminal
ciscoasa(config)# tunnel-group VPNPhones webvpn-attributes
ciscoasa(config-tunnel-webvpn)# group-url https://192.168.1.1/VPNPhone enable
ciscoasa(config-tunnel-webvpn)# exit
You can also apply these settings in the Adaptive Security Device Manager (ASDM) or under the
connection profile.
CUCM: ASA SSL VPN with Third-Party Certificates Configuration
This configuration is very similar to the one described in the CUCM: ASA SSL VPN with Self-Signed
Certificates Configuration section, except that third-party certificates are used. Configure SSL VPN on
the ASA with third-party certificates as described in ASA 8.x Manually Install 3rd Party Vendor Certificates
for use with WebVPN Configuration Example.
Note: You must copy the full certificate chain from the ASA to the CUCM, including all intermediate and
root certificates. If the CUCM does not hold the full chain, the phones do not have the certificates needed
to authenticate the ASA and the SSL VPN handshake fails.
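The following is an added example, not part of this Cisco document: it builds a constructed three-tier PKI (root CA, intermediate CA, ASA identity certificate) with openssl and shows that a trust store holding only the root cannot validate the ASA certificate, whereas the full chain can, which is exactly the situation the note above describes. All names and subjects are placeholders.

```shell
#!/bin/sh
# Constructed demonstration PKI: root CA -> intermediate CA -> ASA identity cert.
# None of this is Cisco material; subjects are placeholders.
set -e
PKI="$(mktemp -d)"
trap 'rm -rf "$PKI"' EXIT
cd "$PKI"

# Extension file marking a certificate as a CA (needed for chain building).
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Root CA: key plus self-signed certificate.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 30 -out root.crt 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 30 -out inter.crt 2>/dev/null

# ASA identity certificate (what the phone sees in the TLS handshake), signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout asa.key -out asa.csr \
  -subj "/CN=asa.example.net" 2>/dev/null
openssl x509 -req -in asa.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -out asa.crt 2>/dev/null

# Two candidate trust stores CUCM could push to the phones:
# (a) the root only, (b) the full chain (intermediate plus root).
cp root.crt root_only.pem
cat inter.crt root.crt > full_chain.pem

# chain_check BUNDLE CERT: prints "ok" if CERT validates against BUNDLE, otherwise "fail".
chain_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "root only : $(chain_check root_only.pem asa.crt)"   # fail
echo "full chain: $(chain_check full_chain.pem asa.crt)"  # ok
```

Run the same check against the certificates actually exported from the ASA and uploaded to CUCM before rolling the VPN phone profile out.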
Basic IOS SSL VPN Configuration
Note: IP phones are designated as not supported with IOS SSL VPN; these configurations are provided on a best-effort basis only.
The basic Cisco IOS SSL VPN configuration is described in these documents:
• SSL VPN Client (SVC) on IOS with SDM Configuration Example
• AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example
Once this configuration is complete, a remote test PC should be able to connect to the SSL VPN gateway,
connect via AnyConnect, and ping the CUCM. In Cisco IOS 15.0 and later, you must have a valid SSL VPN
license to complete this task. Both TCP and UDP port 443 must be open between the gateway and the client.
CUCM: IOS SSL VPN with Self-Signed Certificates Configuration
This configuration is similar to the ones described in the CUCM: ASA SSL VPN with Third-Party
Certificates Configuration and CUCM: ASA SSL VPN with Self-Signed Certificates Configuration sections.
The differences are:
1. Use this command in order to export the self-signed certificate from the router:
R1(config)# crypto pki export trustpoint-name pem terminal
2. Use these commands in order to import the CUCM certificates:
R1(config)# crypto pki trustpoint certificate-name
R1(config-ca-trustpoint)# enrollment terminal
R1(config-ca-trustpoint)# exit
R1(config)# crypto ca authenticate certificate-name
The WebVPN context configuration should show this text:
gateway webvpn_gateway domain VPNPhone
Configure the CUCM as described in the CUCM: ASA SSL VPN with Self-Signed Certificates Configuration
section.