End-to-End Remote Access VPN Configuration Process for ASA

This section provides the end-to-end procedure for configuring remote access VPN on an ASA device onboarded to Security Cloud Control.

To enable remote access VPN for your clients, you need to configure several separate items. The following procedure provides the end-to-end process.

Procedure


Step 1

Configure the identity source used for authenticating remote users. See Configure Identity Sources for ASA for more information.

You can use the following sources to authenticate users attempting to connect to your network using remote access VPN. Additionally, you can use client certificates for authentication, either alone or in conjunction with an identity source.

  • Active Directory identity realm: As a primary authentication source. The user accounts are defined in your Active Directory (AD) server. See Configuring AD Identity Realms. See Create or Edit an ASA Active Directory Realm Object.

  • RADIUS server group: As a primary or secondary authentication source, and for authorization and accounting. See Create or Edit an ASA RADIUS Server Object or Group.

  • Local Identity Source (the local user database): As a primary or fallback source. You can define users directly on the device and not use an external server. If you use the local database as a fallback source, ensure that you define the same usernames/passwords as the ones described in the external server. Note: You can create user accounts directly on the ASA device only from the Adaptive Security Device Manager (ASDM). See the "Configure Local User Groups" section in the Objects for Access Control" chapter of the Cisco ASA Series Firewall ASDM Configuration Guide, X.Y.

Step 2

(optional) Create ASA Remote Access VPN Group Policies. The group policy defines user-related attributes. You can configure group policies to provide differential access to resources based on group membership. Alternatively, use the default policy for all connections.

Step 3

Create ASA Remote Access VPN Configuration.

Step 4

Configure ASA Remote Access VPN Connection Profile.

Step 5

(optional) Exempt Remote Access VPN Traffic from NAT.

Step 6

Review and deploy configuration changes to the devices.

Important

If you change the Remote Access VPN configuration by using a local manager like Adaptive Security Device Manager (ASDM), the Configuration Status of that device in Security Cloud Control shows "Conflict Detected". See Out-of-Band Changes on an ASA Device. You can Resolve Configuration Conflicts on this ASA.


What to do next

Next Steps

Once the remote access VPN configuration is downloaded to the ASA devices, the users can connect to your network from a remote location using a computer or other supported iOS or Android device connected to the Internet. You can monitor live AnyConnect remote access VPN sessions from all onboarded ASA remote access VPN head-ends in your tenant. See Monitoring Remote Access Virtual Private Network.