Cisco AnyConnect – Securing with Microsoft Certificate Services
Nov17

Part 2 (How to Configure AnyConnect). KB ID 0001031. Problem: Back in Part 1 we configured the Microsoft Certificate Services to meet our certificate needs. Now we configure the firewall for AnyConnect. Solution: 1. Log onto the ASA > Go to global configuration mode. login as: petelong petelong@192.168.100.1’s password:********** Type help or ‘?’ for a list of available commands. Petes-ASA> enable Password: *******...

AnyConnect – Using a Windows DHCP Server to Lease IP Addresses to the Remote Clients
Nov17

KB ID 0001050. Problem: I did an AnyConnect design for a client recently, and they asked, ‘Instead of using the firewall to lease the DHCP addresses to our remote clients, can we use our Windows DHCP Server?’ In the past I’ve used Windows DHCP servers for IPSEC VPN clients, but more recently I’ve tended to just use the firewall. The client had some valid reasons for wanting to do so, and given the complexity of...

AnyConnect Client Fails To Get IP From Windows DHCP Server
Nov17

KB ID 0001053. Problem: A few days ago I did an article on AnyConnect and Windows DHCP. I ran it up on the test bench for a client, and everything worked fine. Doing the install, my test ‘remote’ client failed to get an IP address. As you can see, the DHCP Server (Windows Server 2012 R2) is on a different network segment to the inside of the ASA. Solution: 1. First thing to do was debug the connection, ‘debug webvpn...

ASA 5500 AnyConnect – Change Preferred Encryption Cipher Order
Nov17

KB ID 0001058. Problem: A few days ago I wrote about disabling SSL v3.0 to force your clients to connect with the more secure TLS v1.0. But what if your AnyConnect clients chose to connect with a weaker encryption cipher? The ciphers your firewall offers (by default) will vary depending on what OS your ASA is running. Solution: 1. To see what cipher you are connected with, look on the statistics tab; below we are connecting with the...

Apple Devices will not Update Through Cisco ASA and CSC Module
Nov17

KB ID 0000575. Problem: I had a client with this problem the other week; we tracked the problem to the ASA & CSC by simply bypassing the CSC module for the IP address of the device. So I knew the problem WAS the CSC, but not why, or how to fix it. The client in question had a valid SmartNet, so they called TAC for a resolution. Solution: It turns out that this is a bug that was first found in CSC version 6.3.1172.4 (at time of...
