Create ASA Remote Access VPN Configuration

CDO allows you to add one or more Adaptive Security Appliance (ASA) devices to the remote access VPN configuration wizard and to configure the VPN interface, access control, and NAT exemption settings for each device. Each remote access VPN configuration can therefore have connection profiles and group policies that are shared across all of the ASA devices associated with it. You can extend the configuration by creating additional connection profiles and group policies.

You can onboard either an ASA device that has already been configured with remote access VPN settings or a new device without them. See Onboard ASA Device to CDO. When you onboard an ASA device that already has remote access VPN settings, CDO automatically creates a "Default remote access VPN Configuration" and associates the ASA device with it. This default configuration contains all the connection profile objects that are defined on the device. See Read RA VPN Configuration of an Onboarded ASA Device for more information. CDO allows you to delete the default configuration.

Important
  • You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.

  • An ASA device cannot have more than one remote access VPN Configuration.

Before you begin

Before adding the ASA device to the remote access VPN configuration, the following prerequisites must be met on the ASA device:

  • License requirements.

    The device must be enabled for export-controlled functionality.

    To view the license summary of your ASA device, execute the show license summary command in the ASA command-line interface. To use the CDO ASA CLI interface, see Using ASA CLI in CDO interface.

    • Example of export-controlled functionality enabled in the license summary:

        Registration:
          Status: REGISTERED
          Smart Account: Cisco SVS temp-request access licensing@cisco.com
          Export-Controlled Functionality: ALLOWED
          Last Renewal Attempt: None
          Next Renewal Attempt: Jun 08 2021 09:46:22 UTC

    The Export-Controlled Functionality property must show ALLOWED before you can create or edit the VPN configuration.

    If this property shows NOT ALLOWED, CDO displays an error message ('remote access VPN cannot be configured for devices which are not export compliant.') when you create or modify the VPN configuration and does not allow remote access VPN configuration on the device.

  • Device Identity Certificates.

    Certificates are required to authenticate connections between the clients and the ASA device. Before starting the VPN configuration, ensure that the identity certificate is already present on the ASA device.

    To determine whether the certificate is present on the device, execute the show crypto ca certificates command in the ASA command-line interface and look for an identity certificate (a "Certificate" entry with an associated trustpoint, as opposed to a "CA Certificate" entry) that has not expired. To use the CDO ASA CLI interface, see Using ASA CLI in CDO interface.

    If the identity certificate is not present, or you want to enroll a new certificate, install it on the ASA using CDO. See ASA Certificate Management.

    The usage of digital certificates in remote access VPN context is explained in Remote Access VPN Certificate-Based Authentication.

  • Outside interfaces.

    The outside interfaces must already be configured on the ASA device. Use either ASDM or the ASA CLI to configure interfaces. To learn how to configure interfaces, see the "Interfaces" book of the Cisco ASA Series General Operations CLI Configuration Guide, X.Y.

  • Download the AnyConnect packages and upload them to a remote server. Later, use the remote access VPN wizard or ASA File Management wizard to upload the AnyConnect software packages from the server to ASAs. See Manage AnyConnect Software Packages on an ASA Device for instructions.

  • There are no configuration deployments pending.

  • If you are using the local database for authentication, add user accounts to the local database using ASDM or the ASA CLI.

    To add user accounts using ASDM, see the "Add a User Account to the Local Database" section in the "AAA Servers and the Local Database" book of the Cisco ASA Series VPN CLI Configuration Guide, X.Y.

    To add user accounts using the ASA CLI, execute the username <username> password <password> privilege <priv_level> command. The privilege level governs management (CLI and ASDM) access, not VPN access, so give VPN-only users a low privilege level rather than 15.

  • ASA changes are synchronized to CDO.

    1. In the left pane, click Inventory and search for one or more ASA devices to be synchronized.

    2. Select one or more devices and then click Check for changes. CDO communicates with the selected ASA devices to synchronize the changes.

  • Remote access VPN configuration group policy objects are consistent.
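As an added example (not CDO or ASA code, and not part of this guide), the script below takes the text of show license summary and show crypto ca certificates pasted from the ASA CLI and checks the two prerequisites above that the wizard cannot fix for you: that Export-Controlled Functionality is ALLOWED, and that an unexpired identity certificate (not merely a CA certificate) is present on the device. The two sample outputs embedded in it are constructed and abbreviated; real output carries more fields, but the field names used here are the ones the ASA prints.

```python
"""Pre-flight check for the CDO ASA remote access VPN prerequisites.

Added example, not CDO or ASA code. It parses the text of two ASA show
commands and reports anything that would stop the wizard. Both sample
outputs are constructed and abbreviated.
"""
import re
from datetime import datetime, timezone

# Constructed, abbreviated sample of `show license summary`.
LICENSE_SUMMARY = """\
Smart Licensing is ENABLED

Registration:
  Status: REGISTERED
  Smart Account: Example Corp
  Export-Controlled Functionality: ALLOWED
  Last Renewal Attempt: None
  Next Renewal Attempt: Jun 08 2021 09:46:22 UTC
"""

# Constructed, abbreviated sample of `show crypto ca certificates`:
# a CA certificate (not usable as device identity) plus one identity certificate.
CA_CERTIFICATES = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=Example Root CA
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2030
  Associated Trustpoints: ExampleRootCA

Certificate
  Status: Available
  Certificate Serial Number: 1a2b3c
  Certificate Usage: General Purpose
  Issuer Name:
    cn=Example Root CA
  Subject Name:
    cn=vpn.example.com
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2024
    end   date: 00:00:00 UTC Jan 1 2026
  Associated Trustpoints: VPN_TrustPoint
"""

ASA_DATE = "%H:%M:%S %b %d %Y"  # ASA prints e.g. "00:00:00 UTC Jan 1 2026"; UTC is stripped first


def export_controlled_allowed(summary: str) -> bool:
    """True only if the summary says exactly 'Export-Controlled Functionality: ALLOWED'."""
    m = re.search(r"Export-Controlled Functionality:\s*([A-Z ]+)", summary)
    return m is not None and m.group(1).strip() == "ALLOWED"


def _field(block: str, pattern: str) -> str:
    m = re.search(pattern, block)
    return m.group(1).strip() if m else ""


def identity_certificates(output: str) -> list:
    """Parse blocks headed 'Certificate' (skipping 'CA Certificate' blocks)."""
    certs = []
    for block in re.split(r"\n\s*\n", output.strip()):
        if block.splitlines()[0].strip() != "Certificate":
            continue  # CA / RA certificates cannot identify the device to clients
        end = _field(block, r"end\s+date:\s*(.+)").replace(" UTC ", " ")
        certs.append({
            "subject": _field(block, r"Subject Name:\s*\n\s*(.+)"),
            "status": _field(block, r"Status:\s*(\S+)"),
            "trustpoint": _field(block, r"Associated Trustpoints:\s*(.+)"),
            "not_after": datetime.strptime(end, ASA_DATE).replace(tzinfo=timezone.utc) if end else None,
        })
    return certs


def preflight(summary: str, ca_output: str, now_iso: str = None) -> list:
    """Return the list of blocking problems; an empty list means ready for the wizard."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    problems = []
    if not export_controlled_allowed(summary):
        problems.append("Export-Controlled Functionality is not ALLOWED: CDO will refuse "
                        "the remote access VPN configuration")
    usable = [c for c in identity_certificates(ca_output)
              if c["status"] == "Available" and c["not_after"] and c["not_after"] > now]
    if not usable:
        problems.append("no unexpired identity certificate: enroll one (ASA Certificate "
                        "Management) before running the wizard")
    return problems


if __name__ == "__main__":
    for line in preflight(LICENSE_SUMMARY, CA_CERTIFICATES) or ["ready: prerequisites met"]:
        print(line)
```

Paste the real command output in place of the two constants, or read it from files; the certificate check treats a certificate whose status is anything other than Available, or whose end date has passed, as missing, which is also what the wizard will effectively do.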

Procedure


Step 1

Onboard ASA Device to CDO.

Step 2

In the left pane, click VPN > ASA/FDM Remote Access VPN Configuration.

Step 3

Click the blue plus button to create a new remote access VPN configuration.

Step 4

Enter a name for the Remote Access VPN configuration.

Step 5

Click the blue plus button to add ASA devices to the configuration.

You can add the device details and configure network traffic-related permissions that are associated with the device.

  1. Provide the following device details:

    • Device: Select an ASA device that you want to add and click Select. Important: You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.

    • Certificate of Device Identity: Select the internal certificate used for establishing the identity of the device. This establishes the device identity for AnyConnect clients when they make a connection to the device. Clients must accept this certificate to complete a secure VPN connection.

    • Outside Interface: Select the interface to which users connect when making the remote access VPN connection. Although this is normally the outside (internet-facing) interface, choose whichever interface is between the device and the end-users you are supporting with this connection profile.

      Attention

      You cannot create or modify remote access VPN configuration for devices that are not export compliant. You must license the ASA device with export-controlled functionality enabled and try again.

  2. Click Continue to configure the traffic permissions.

    • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn): Decrypted traffic is subjected to access control policy inspection by default. Enabling this option exempts the decrypted VPN traffic from access control policy inspection, but the VPN filter ACL and the authorization ACL downloaded from the AAA server are still applied to it.

      Note that if you select this option, the system configures the sysopt connection permit-vpn command, which is a global setting. This will also impact the behavior of site-to-site VPN connections.

      If you do not select this option, it might be possible for external users to spoof IP addresses in your remote access VPN address pool, and thus gain access to your network. This can happen because you will need to create access control rules that allow your address pool to have access to internal resources. If you use access control rules, consider using user specifications to control access, rather than source IP address alone.

      The downside of selecting this option is that decrypted VPN traffic is not subjected to the access control policy, so any inspection applied through it (intrusion and file protection, URL filtering, or other advanced features, where the device provides them) is not applied to that traffic. This also means that no connection events are generated for the traffic, so statistical dashboards do not reflect VPN connections.

    • NAT Exempt: NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections with your protected hosts. Configure NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. See Exempt Remote Access VPN Traffic from NAT.

  3. Click OK.

    The AnyConnect Packages Detected section lists the AnyConnect packages that are already available on the device.

    There are two options to upload AnyConnect package to ASA from remote access VPN wizard:

    • (Option 1): Select a package from CDO's repository. The ASA must have access to the internet.

    • (Option 2): Specify the ftp/http/https/scp/smb/tftp URL location where the AnyConnect package is preloaded.

    See Upload new AnyConnect Software Packages for instructions.

    Note

    If you want to replace an existing package, see Replace an Existing AnyConnect Package.
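As an added example, and not output generated by CDO, the fragment below shows the ASA configuration that corresponds to the two traffic-permission choices in Step 5 (the global sysopt command and an identity twice-NAT exemption), the vpn-filter that the Bypass option's description says still applies, and a local VPN-only user from the prerequisites. The object, ACL, group policy and user names, the interface names and the addresses are assumptions for illustration; the wizard chooses its own names, so verify the result with the show commands at the end rather than by matching these lines.

```text
! Added example; names and addresses are assumptions, not what CDO generates.
!
! "Bypass Access Control policy for decrypted traffic" -> one global command.
! It also exempts every site-to-site tunnel on this ASA from the interface ACLs.
sysopt connection permit-vpn
!
! A vpn-filter is applied to tunnel traffic whether or not the bypass is on.
! Binding access to the tunnel, rather than to an interface ACL rule that
! permits the pool by source address, avoids the pool-address spoofing the
! Bypass description warns about. The ACL is written with the VPN client as
! the source and the protected network as the destination.
access-list RA_VPN_FILTER extended permit tcp 192.0.2.0 255.255.255.0 10.1.0.0 255.255.0.0 eq 443
access-list RA_VPN_FILTER extended permit udp 192.0.2.0 255.255.255.0 host 10.1.0.53 eq 53
group-policy RA_GROUP attributes
 vpn-filter value RA_VPN_FILTER
!
! "NAT Exempt" -> identity twice-NAT so traffic between the inside network and
! the VPN address pool is not translated in either direction.
object network VPN_POOL
 subnet 192.0.2.0 255.255.255.0
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Local VPN-only user (see "Before you begin"): a low privilege level plus
! service-type remote-access keeps the account off the management CLI/ASDM.
username vpnuser password Str0ngP@ss privilege 0
username vpnuser attributes
 service-type remote-access
!
! Verify what the deployment actually placed on the device:
! show running-config sysopt
! show running-config nat
! show running-config group-policy
```

If you leave the Bypass option off, the interface ACL on the outside interface must permit the pool addresses; in that case keep the vpn-filter (or user-based rules) as the real access control and treat the interface rule as a minimal opening, since the sysopt command is global and changing it later affects site-to-site tunnels on the same ASA.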

Step 6

Click OK.

The ASA VPN configuration is created.