Create ASA Remote Access VPN Configuration
Security Cloud Control allows you to add one or more Adaptive Security Appliance (ASA) devices to the remote access VPN configuration wizard and configure the VPN interfaces, access control, and NAT exemption settings associated with the devices. Therefore, each remote access VPN configuration can have connection profiles and group policies shared across multiple ASA devices that are associated with the remote access VPN configuration. Further, you can enhance the configuration by creating connection profiles and group policies.
You can either onboard an ASA device that has already been configured with remote access VPN settings or a new device without remote access VPN settings. See Onboard ASA Device to Security Cloud Control. When you onboard an ASA device that already has remote access VPN settings, Security Cloud Control automatically creates a "Default remote access VPN Configuration" and associates the ASA device with this configuration. Also, this default configuration can contain all the connection profile objects that are defined on the device. See Read RA VPN Configuration of an Onboarded ASA Device for more information. Security Cloud Control allows you to delete the default configuration.
Important |
|
Before you begin
Before adding the ASA device to the remote access VPN configuration, the following prerequisites must be met on the ASA device:
-
License requirements.
Device must be enabled for export-controlled functionality.
To view the license summary of your ASA device, execute the show license summary command in the ASA command-line interface. To use the Security Cloud Control ASA CLI interface, see Using ASA CLI in Security Cloud Control interface.
-
Example of export-controlled functionality enabled in the license summary :
Registration: Status: REGISTERED
Smart Account: Cisco SVS temp-request access licensing@cisco.com
Export-Controlled Functionality: ALLOWED
Last Renewal Attempt: None
Next Renewal Attempt: Jun 08 2021 09:46:22 UTC
The 'Export-Controlled Functionality' property must be in the 'Allowed' state for creating or editing the VPN configuration.
If this property is in the 'Not Allowed' state, Security Cloud Control displays an error message ('remote access VPN cannot be configured for devices which are not export compliant.') when you are creating or modifying the VPN configuration and doesn't allow remote access VPN configuration on the device.
-
-
Device Identity Certificates.
Certificates are required to authenticate connections between the clients and the ASA device. Before starting the VPN configuration, ensure that the identity certificate is already present on the ASA device.
To determine whether or not the certificate is present on the device, execute the show crypto CA Certificates command in the ASA command-line interface. To use the Security Cloud Control ASA CLI interface, see Using ASA CLI in Security Cloud Control interface.
If the identity certificate is not present or you want to enroll in a new certificate, install them on ASA using Security Cloud Control. See ASA Certificate Management.
The usage of digital certificates in remote access VPN context is explained in Remote Access VPN Certificate-Based Authentication.
-
Outside interfaces.
The outside interfaces must be configured already on the ASA device. You need to use either ASDM or ASA CLI to configure interfaces. To know configure interfaces using ASDM, see the "Interfaces" book of the Cisco ASA Series General Operations CLI Configuration Guide, X.Y.
-
Download the AnyConnect packages and upload them to a remote server. Later, use the remote access VPN wizard or ASA File Management wizard to upload the AnyConnect software packages from the server to ASAs. See Manage AnyConnect Software Packages on an ASA Device for instructions.
-
There are no configuration deployments pending.
-
If you are using the local database for authentication Add user accounts to the local database using ASDM or ASA CLI.
To add user accounts using ASDM, see the "Add a User Account to the Local Database" section in the "AAA Servers and the Local Database" book of the Cisco ASA Series VPN CLI Configuration Guide, X.Y.
To add user accounts using ASA CLI, execute username[username] password [password] privilege [priv_level] command.
-
ASA changes are synchronized to Security Cloud Control.
-
In the left pane, click and search for one or more ASA devices to be synchronized.
-
Select one or more devices and then click Check for changes. Security Cloud Control communicates with one or more FTD devices to synchronize the changes.
-
-
Remote access VPN configuration group policy objects are consistent.
-
Ensure that all inconsistent group policy objects are resolved as they cannot be added to the remote access VPN configuration. Either address the issue or remove inconsistent group policy objects from the Objects page. For more information see, Resolve Duplicate Object Issues and Resolve Inconsistent Object Issues.
-
Procedure
Step 1 | |||||
Step 2 | In the left pane, click . | ||||
Step 3 | Click the blue plus button to create a new remote access VPN configuration. | ||||
Step 4 | Enter a name for the Remote Access VPN configuration. | ||||
Step 5 | Click the blue plus button to add ASA devices to the configuration. You can add the device details and configure network traffic-related permissions that are associated with the device.
| ||||
Step 6 | Click OK. The ASA VPN configuration is created. |