A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD; there I glossed over the AnyConnect profile section. For a long time now we have been able to edit the AnyConnect profile from within the firewall (if we are running ASA code!), but for the FTD we need to take a step backwards and go back to using the ‘offline’ AnyConnect profile editor.
Solution
Firstly you need to download the offline profile editor; you will find it on the Cisco AnyConnect Mobility Client download page.
I won't insult your intelligence; the setup is straightforward.
Launch the editor, and the screen you will see is exactly the same as the one you would normally see while using the profile editor in a Cisco ASA (when launched from within the ASDM).
Note: I’m not going to go through all the settings (this post would become immense!). Typically I allow remote (RDP) connections, and set the public FQDN for my AnyConnect profile.
Once you have finished, you can simply save the settings as an XML file.
Import an AnyConnect ‘Profile XML File’ into Cisco ASA
As mentioned above, with all ‘modern’ versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here’s how to import one you created externally (or exported from another firewall).
Import an AnyConnect ‘Profile XML File’ into Cisco FTD
Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.
Browse to, and select the previously created XML file > Open.
Then save and deploy the changes (this takes ages!).
You can now select this ‘profile file’ when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration, and add this profile to it.
Related Articles, References, Credits, or External Links
Back in Part 1 we configured Microsoft Certificate Services to meet our certificate needs. Now we configure the firewall for AnyConnect.
Solution
1. Log onto the ASA > Go to global configuration mode.
[box]
login as: petelong
petelong@192.168.100.1's password:**********
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. Enable DNS lookups on the inside interface (the ASA needs to resolve the CRL distribution point when it checks certificates).
[box]
Petes-ASA(config)# dns domain-lookup inside
Petes-ASA(config)# dns server-group DefaultDNS
Petes-ASA(config-dns-server-group)# name-server 192.168.1.10
Petes-ASA(config-dns-server-group)# exit
Petes-ASA(config)#
[/box]
3. Enable NTP time sync (here I’m using an external NTP server in the UK); certificate validity and CRL checks depend on the firewall having the correct time.
[box]
Petes-ASA(config)# ntp server 130.88.212.143 source outside
[/box]
4. Copy over the AnyConnect image from a TFTP server.
[box]
Petes-ASA(config)# copy tftp flash
Address or name of remote host [] 192.168.100.10
Source filename [] anyconnect-win-3.1.06079-k9.pkg
Destination filename [anyconnect-win-3.1.06079-k9.pkg]{Enter}
Accessing tftp://192.168.100.10/anyconnect-win-3.1.06079-k9.pkg...!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-3.1.06079-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
37984585 bytes copied in 69.650 secs (550501 bytes/sec)
[/box]
5. Set up AnyConnect; I’ve covered this before here if you want to know what all these commands are for.
7. Set up a certificate trustpoint (Note: mine checks CRLs; if you do the same, make sure your PKI deployment has CRL locations set up and configured properly, and reachable from the firewall).
8. Get your CA certificate from NDES (Note: if you have multiple issuing servers then you may need to manually import the CA certs for them later, or some clients will work and others won’t, depending on which issuing CA issued the computer or user certificate! Good luck troubleshooting that if you forget!)
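Step 7 carries no commands on the page (the trustpoint was a screenshot), so here is an added example of the trustpoint configuration that steps 8 and 9 expect; it is not from the original post. Assumptions: NDES runs on 192.168.1.10 at its default mscep path, the key pair is labelled PNL-Key, and the CRL is cached for 60 minutes. The subject name and FQDN are the ones the enrolment output in step 9 prints. Two caveats: `revocation-check crl` fails closed (a certificate whose CRL cannot be fetched is rejected), whereas `revocation-check crl none` fails open when the CDP is unreachable; and if the NDES from Part 1 enforces a challenge password (its default), the password you type at the `crypto ca enroll` prompt must be the one-time enrolment password from the NDES admin page (http://<ndes>/certsrv/mscep_admin), not a freely chosen one, regardless of what the ASA's prompt says about revocation.

```cisco
! Added example (not from the original post). Assumed: NDES at 192.168.1.10, key pair PNL-Key.
!
! A dedicated 2048-bit key pair, so the VPN identity certificate is not tied to the default key.
crypto key generate rsa label PNL-Key modulus 2048
!
crypto ca trustpoint PNL-Trustpoint
 ! SCEP enrolment against NDES (default mscep.dll path is an assumption; check yours).
 enrollment url http://192.168.1.10/certsrv/mscep/mscep.dll
 fqdn vpn.petenetlive.com
 subject-name CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com
 keypair PNL-Key
 ! Fail closed: reject any certificate whose CRL cannot be retrieved.
 ! "revocation-check crl none" would fail open when the CDP is unreachable.
 revocation-check crl
 crl configure
  ! Use the CRL Distribution Point embedded in the certificate (the Part 1 PKI publishes one).
  policy cdp
  cache-time 60
 exit
exit
!
! Steps 8 and 9 then run against this trustpoint:
!   crypto ca authenticate PNL-Trustpoint
!   crypto ca enroll PNL-Trustpoint
! Confirm both the CA and the identity certificate are present:
!   show crypto ca certificates
! Once the identity certificate is issued, present it on the outside interface for AnyConnect:
ssl trust-point PNL-Trustpoint outside
```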
[box]
Petes-ASA(config-ca-trustpoint)# crypto ca authenticate PNL-Trustpoint
INFO: Certificate has the following attributes:
Fingerprint: cc528d62 112a5704 bd444535 53353d0e
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
Petes-ASA(config)#
[/box]
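Before answering yes at that prompt, check the fingerprint against the CA certificate obtained out of band (exported from the CA itself, not fetched through the path you are about to trust). The ASA prints the fingerprint as four 8-hex-digit groups, i.e. MD5; `openssl x509 -noout -fingerprint -md5 -in ca.cer` prints the same bytes colon-separated and upper case. The helper below, an added example that is not part of the original post, normalises both spellings so they can be compared exactly; the sample values are constructed from the fingerprint this page's ASA printed, and the openssl line is what that command would emit for the same certificate (assumed, since the CA file itself is not on the page).

```sh
#!/bin/sh
# Added example (not from the original post): compare the CA fingerprint the ASA shows at
# "crypto ca authenticate" with one computed from the CA certificate file obtained out of band:
#   openssl x509 -noout -fingerprint -md5 -in ca.cer
# Assumption: the ASA's 32-hex-digit fingerprint is MD5, which is what that openssl line gives.

# Normalise any fingerprint spelling (colons, spaces, upper case, "MD5 Fingerprint=" prefix)
# into the ASA's layout: lower case, groups of eight hex digits separated by spaces.
asa_fmt() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'A-F' 'a-f' \
    | sed 's/\(........\)/\1 /g; s/ $//'
}

# Exit 0 only when both non-empty inputs denote the same fingerprint.
fingerprint_matches() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(asa_fmt "$1")" = "$(asa_fmt "$2")" ]
}

# Constructed sample input: the value this page's ASA printed, and the openssl spelling of it.
asa_shown='cc528d62 112a5704 bd444535 53353d0e'
openssl_line='MD5 Fingerprint=CC:52:8D:62:11:2A:57:04:BD:44:45:35:53:35:3D:0E'

if fingerprint_matches "$asa_shown" "$openssl_line"; then
  echo "fingerprint matches: safe to answer yes"
else
  echo "MISMATCH: do not accept this CA certificate" >&2
fi
```

If the two differ by even one digit, answer no: the trustpoint would otherwise anchor every later AnyConnect certificate check to whatever answered the SCEP request.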
9. Get the identity certificate for the ASA (this will be created from either the ‘IPSEC (Offline request)’ template, or your custom one if you changed it).
[box]
Petes-ASA(config)# crypto ca enroll PNL-Trustpoint
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********
% The subject name in the certificate will be: CN=vpn.petenetlive.com,OU=IS,O=PeteNetLive,C=GB,St=Teesside,L=Middlesbrough,EA=pl@petenetlive.com
% The fully-qualified domain name in the certificate will be: vpn.petenetlive.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
Petes-ASA(config)#
[/box]
10. Take a look at your running config and you should now see two certificates (big blocks of hex): the CA certificate and the ASA’s identity certificate. Or simply go to the Certificate Services server and check that the cert was issued.
Now if you have been following along from the beginning, you will remember my client wants an ‘always on’ connection, and they want to allow ‘local LAN’ access to the remote client. This is done by configuring an ‘AnyConnect Client Profile’, which has to be done from the ASDM.
Open the ASDM and navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add > Name the profile and assign it to your AnyConnect Group Policy.
Note: Here is where you specify ‘always on’.
Note: If you cannot see this option make sure you have an AnyConnect software package loaded into the firewall.
You can now select and open this profile, and a separate profile editor window will open, where you can allow local LAN access, specify the reconnect behaviour, and get the connection to auto-connect.
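For reference, this is what the editor (offline or ASDM) writes out: a complete AnyConnect client profile XML, given here as an added example that is not the profile from either article. It covers the settings both posts call out: RDP sessions allowed to bring the VPN up and the public FQDN in the server list (from the first article), and local LAN access, reconnect and Always-On (from this one). The host names, the trusted DNS domain and server, and the policy choices are assumptions; vpn.petenetlive.com is taken from the enrolment output above. Two practical points: local LAN access only works if the group policy's split-tunnel policy is set to exclude a network list containing 0.0.0.0/32 (and ::/128 for IPv6), and a Closed connect-failure policy with VPN disconnect disallowed is fail-closed, so a laptop that cannot reach the headend has no network at all until captive-portal remediation or the trusted network rescues it; test on one device before pushing it to everyone.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not from the original posts). Host names, trusted DNS values
     and policy choices are assumptions; adjust before uploading to the ASA or FTD. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <!-- Auto-connect: bring the tunnel up as soon as the client starts. -->
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <!-- Local LAN access: the user's own subnet (printers, NAS) stays reachable.
         Needs a split-tunnel "exclude" list of 0.0.0.0/32 in the group policy as well. -->
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <!-- Reconnect on loss, and re-establish after sleep/resume instead of tearing down. -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <!-- "Allow remote (RDP) connections": a user logged on over RDP may start the VPN.
         The default, LocalUsersOnly, refuses that. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <!-- Always On: connect whenever the machine is off the trusted network. Trusted-network
         detection here keys on the internal DNS suffix and server (assumed values). -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>petenetlive.local</TrustedDNSDomains>
      <TrustedDNSServers>192.168.1.10</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <!-- Closed = fail closed: no network access until the headend answers.
             Open would fail open. Captive-portal remediation allows a 5-minute window. -->
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <!-- Users cannot disconnect the tunnel themselves. -->
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <!-- The public FQDN the client connects to; it must match the headend's identity
       certificate (CN/FQDN in the trustpoint above) or the client will warn or refuse. -->
  <ServerList>
    <HostEntry>
      <HostName>PeteNetLive VPN</HostName>
      <HostAddress>vpn.petenetlive.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Element order matters: the editor's schema is a sequence, so a hand-edited file with elements moved around is rejected on upload even though it is well-formed XML. Keep the order shown and edit values only.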
Related Articles, References, Credits, or External Links