Cisco Defense Orchestrator

Create an ASA RA VPN Configuration

CDO allows you to add one or more Adaptive Security Appliance (ASA) devices to an RA VPN configuration through the RA VPN configuration wizard and to configure the VPN interfaces, access control, and NAT exemption settings for each device. Connection profiles and group policies belong to the RA VPN configuration, so they are shared across all ASA devices associated with it. You can extend the configuration afterwards by creating additional connection profiles and group policies.

You can onboard either an ASA device that has already been configured with RA VPN settings or a new device without them. See Onboard an ASA Device. When you onboard an ASA device that already has RA VPN settings, CDO automatically creates a "Default RA VPN Configuration" and associates the device with it. This default configuration includes all the connection profile objects defined on the device. See Read RA VPN Configuration of an Onboarded ASA Device for more information. You can delete the default configuration in CDO.

Important:

  • You are not allowed to add ASA and FTD in the same Remote Access VPN Configuration.
  • An ASA device can't have more than one RA VPN Configuration. 

Prerequisites for Creating RA VPN Configuration

Before adding the ASA device to the RA VPN configuration, the following prerequisites must be met on the ASA device:

  • License requirements.

The device must be enabled for export-controlled functionality.

To view the license summary of your ASA device, execute the show license summary command in the ASA command-line interface. To use the CDO ASA CLI interface, see Using ASA CLI in CDO interface.

Example of export-controlled functionality enabled in the license summary:

Registration:
  Status: REGISTERED
  Smart Account: Cisco SVS temp-request access licensing@cisco.com
  Export-Controlled Functionality: ALLOWED
  Last Renewal Attempt: None
  Next Renewal Attempt: Jun 08 2021 09:46:22 UTC

The Export-Controlled Functionality property must be in the ALLOWED state to create or edit the ASA RA VPN configuration.

If the property is NOT ALLOWED, CDO displays the error message "RA VPN cannot be configured for devices which are not export compliant." when you create or modify the VPN configuration, and does not allow RA VPN configuration on the device.
Note: Export-controlled functionality may not be enabled if the device is running a 90-day evaluation license, or if the country in which the purchased license is registered does not permit strong encryption.

  • Device Identity Certificates.

An identity certificate is required so that clients can authenticate the ASA device when they connect. Before starting the VPN configuration, ensure that the identity certificate is already present on the ASA device.

To determine whether the certificate is present on the device, run the show crypto ca certificates command in the ASA command-line interface. To use the CDO ASA CLI interface, see Using ASA CLI in CDO interface.

If no identity certificate is present, or you want to enroll a new one, install it on the ASA using CDO. See ASA Certificate Management.

The use of digital certificates in the remote access VPN context is explained in Remote Access VPN Certificate-Based Authentication.

  • Outside interfaces.

CDO supports configuring multiple outside interfaces to which users connect when making the remote access VPN connection. This lets you enable remote access VPN on two interfaces connected to different Internet Service Providers (ISPs) for redundancy, so that RA VPN connectivity is not disrupted for users if one link fails. The outside interfaces must already be configured on the ASA device; use either ASDM or the ASA CLI to configure them.
To learn how to configure interfaces, see the "Interfaces" book of the Cisco ASA Series General Operations CLI Configuration Guide, X.Y.

  • Download the AnyConnect packages and upload them to a remote server. Later, use the RA VPN wizard or ASA File Management wizard to upload the AnyConnect software packages from the server to ASAs. See Manage AnyConnect Software Packages on an ASA Device for instructions.
  • There are no configuration deployments pending. 
  • ASA changes are synchronized to CDO.
    1. In the CDO navigation bar at the left, click Devices & Services and search for the ASA devices to be synchronized.
    2. Select one or more devices and click Check for changes. CDO communicates with the selected ASA devices to synchronize any changes.
  • RA VPN configuration group policy objects are consistent. 

Procedure 

  1. Onboard an ASA Device.
  2. In the CDO navigation bar at the left, click VPN > Remote Access VPN Configuration.
  3. Click the blue plus button to create a new RA VPN configuration.
  4. Enter a name for the Remote Access VPN configuration.
  5. Click the blue plus button to add ASA devices to the configuration.
    You can add the device details and configure the network traffic permissions associated with the device.
  6. Provide the following device details:
    • Device: Select the ASA device that you want to add and click Select.
      Important: You cannot add ASA and FTD devices to the same Remote Access VPN configuration.
    • Certificate of Device Identity: Select the internal certificate used to establish the identity of the device. AnyConnect clients validate this certificate when they connect to the device and must accept it to complete a secure VPN connection.
    • Outside Interface: Click the blue plus button and select the interfaces to which users connect when making the remote access VPN connection. These are normally the outside (internet-facing) interfaces, but choose whichever interfaces sit between the device and the end users you are supporting with this connection profile.

Attention: You cannot create or modify the RA VPN configuration for devices that are not export compliant. License the ASA device with export-controlled functionality enabled and try again.

  7. Click Continue to configure the traffic permissions.
    • Bypass Access Control policy for decrypted traffic (sysopt permit-vpn): By default, decrypted VPN traffic is subject to access control policy inspection. Enabling this option bypasses that inspection for decrypted traffic; the VPN filter ACL and any authorization ACL downloaded from the AAA server are still applied to VPN traffic.
      Note that if you select this option, the system configures the sysopt connection permit-vpn command, which is a global setting. It therefore also affects the behavior of site-to-site VPN connections.
      If you do not select this option, external users may be able to spoof IP addresses in your remote access VPN address pool and thereby gain access to your network, because you will need access control rules that allow your address pool to reach internal resources. If you use access control rules, consider using user specifications to control access rather than source IP address alone.
      The downside of selecting this option is that VPN traffic is not inspected: intrusion and file protection, URL filtering, and other advanced features are not applied to the traffic. No connection events are generated for the traffic either, so statistical dashboards will not reflect VPN connections.
    • NAT Exempt: NAT exemption excludes addresses from translation and allows both translated and remote hosts to initiate connections to your protected hosts. Configure NAT Exempt to exempt traffic to and from the remote access VPN endpoints from NAT translation. See Exempting ASA Remote Access Traffic from NAT.
  8. Click OK.

The AnyConnect Packages Detected section shows the AnyConnect packages that are already available on the device.

There are two ways to upload an AnyConnect package to the ASA from the RA VPN wizard:

  • (Option 1): Select a package from CDO's repository. The ASA must have internet access.
  • (Option 2): Specify the ftp, http, https, scp, smb, or tftp URL where the AnyConnect package is preloaded.

See Upload new AnyConnect Software Packages for instructions.

Note: If you want to replace an existing package, see Replace an Existing AnyConnect Package.

  9. Click OK.
    The ASA RA VPN configuration is created.
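The prerequisite checks above (export-controlled licensing, a present and unexpired identity certificate) and the traffic-permission caveats in the procedure (with sysopt connection permit-vpn set, only a vpn-filter ACL or an authorization ACL from AAA still restricts a group policy's users; NAT exemption must cover the address pool) can be scripted against ASA CLI output before you run the wizard. The following Python is an added example, not CDO's or Cisco's code. It parses pasted output of show license summary, show crypto ca certificates, and show running-config. The sample output is constructed and only modeled on the real ASA formats (field layout varies by release); the network object name obj-RAVPN_POOL, the trustpoint VPN_TP, and the group policy names are hypothetical; the fixed AS_OF date stands in for the current time; and the permit-vpn check assumes the ASA default of the setting being enabled whenever the no form is absent.

```python
"""Pre-flight checks before adding an ASA to a CDO RA VPN configuration.
Added example (not CDO or Cisco code): parses pasted ASA CLI output and reports
the prerequisites and the permit-vpn / NAT-exempt caveats described above.
Sample output is constructed and only modeled on the ASA formats."""
import re
from datetime import datetime, timezone

AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the expiry check is deterministic

LICENSE_SUMMARY = """\
Registration:
  Status: REGISTERED
  Smart Account: Example Corp
  Export-Controlled Functionality: ALLOWED
"""

CRYPTO_CA_CERTS = """\
Certificate
  Status: Available
  Issuer Name:
    cn=Example Issuing CA
  Subject Name:
    cn=vpn.example.com
  Validity Date:
    end   date: 00:00:00 UTC Jan 1 2026
  Associated Trustpoints: VPN_TP

CA Certificate
  Subject Name:
    cn=Example Issuing CA
"""

RUNNING_CONFIG = """\
access-list RAVPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
sysopt connection permit-vpn
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-filter value RAVPN_FILTER
group-policy GP_ENG internal
group-policy GP_ENG attributes
 dns-server value 192.168.1.53
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static obj-RAVPN_POOL obj-RAVPN_POOL no-proxy-arp route-lookup
"""

def export_controlled_allowed(license_summary):
    """True only when the license reports 'Export-Controlled Functionality: ALLOWED'."""
    m = re.search(r"^\s*Export-Controlled Functionality:\s*(.+?)\s*$", license_summary, re.M)
    return bool(m) and m.group(1).upper() == "ALLOWED"

def identity_certificates(show_output, now):
    """Identity (non-CA) certificates: subject CN, trustpoint, and whether still valid at `now`."""
    certs = []
    # Blocks start at column 0; "CA Certificate" blocks are trust anchors, not device identities.
    for block in re.split(r"^(?=\S)", show_output, flags=re.M):
        if not block.startswith("Certificate"):
            continue
        cn = re.search(r"Subject Name:\n\s+cn=([^\n]+)", block)
        tp = re.search(r"Associated Trustpoints:\s*(.+)$", block, re.M)
        end = re.search(r"end\s+date:\s*(.+)$", block, re.M)
        expires = datetime.strptime(end.group(1).strip(), "%H:%M:%S UTC %b %d %Y").replace(tzinfo=timezone.utc) if end else None
        certs.append({"cn": cn.group(1).strip() if cn else None, "trustpoint": tp.group(1).strip() if tp else None,
                      "expires": expires, "valid": expires is not None and expires > now})
    return certs

def permit_vpn_enabled(config):
    """permit-vpn is on unless the 'no' form is present (assumes the ASA default of enabled)."""
    return re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M) is None

def group_policies_without_vpn_filter(config):
    """Group policies with no vpn-filter: with permit-vpn on, nothing else on the ASA restricts their users."""
    names, filtered, current = [], set(), None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = m.group(1)
            names.append(current)
        elif line.startswith(" ") and current:
            if re.match(r"\s+vpn-filter value \S+", line):
                filtered.add(current)
        else:
            current = None  # left the attributes sub-mode
    return [n for n in names if n not in filtered]

def nat_exempt_rules(config, pool_object):
    """Identity (twice) NAT rules that exempt traffic to or from the given pool object."""
    pat = re.compile(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2\b.*$", re.M)
    return [m.group(0) for m in pat.finditer(config) if pool_object in (m.group(1), m.group(2))]

def preflight(license_summary, cert_output, config, pool_object, now=AS_OF):
    """One report a caller can gate the CDO wizard on."""
    permit = permit_vpn_enabled(config)
    return {
        "export_controlled": export_controlled_allowed(license_summary),
        "valid_identity_certs": [c["cn"] for c in identity_certificates(cert_output, now) if c["valid"]],
        "permit_vpn": permit,
        "unfiltered_group_policies": group_policies_without_vpn_filter(config) if permit else [],
        "nat_exempt_rules": nat_exempt_rules(config, pool_object),
    }
```

Run preflight() over output captured from the device (the CDO ASA CLI interface works for this). A False export_controlled, an empty valid_identity_certs, or a non-empty unfiltered_group_policies while permit_vpn is True are exactly the conditions the wizard and the text above warn about. The NAT check only recognizes identity (twice) NAT statements of the form shown in the sample; an exemption written differently would need its own pattern.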

Modify RA VPN Configuration 

You can modify the name and the device details of an existing RA VPN configuration. 

  1. Select the configuration to be modified and, under Actions, click Edit.
    • Modify the name if required.
    • Click the blue plus button to add a new device.
    • Click the options button next to the ASA device to perform the following on that device:
      • Click Edit to modify the existing RA VPN configuration.
      • Click Remove to remove the ASA device from the RA VPN configuration. All connection profiles and RA VPN settings associated with that device, except the group policies, are deleted. You can remove the group policies explicitly from the Objects page.
        Note: You cannot remove the ASA if it is the only device using the configuration. Instead, remove the RA VPN configuration itself.
  2. Review and deploy the configuration changes to the devices.

You can also search for remote access VPN configuration by typing the name of the configuration or device.
