Configure ASA Remote Access VPN Connection Profile

A Remote Access VPN connection profile defines the characteristics that allow external users to create a VPN connection to the system using the AnyConnect client. Each profile defines the AAA servers and certificates used for authenticating users, the address pools for assigning users IP addresses, and the group policies that define various user-oriented attributes.

You can create multiple profiles within the remote access VPN configuration if you need to provide variable services to different user groups, or if you have various authentication sources. For example, if your organization merges with a different organization that uses different authentication servers, you can create a profile for the new group that uses those authentication servers.

A remote access VPN connection profile allows your users to connect to your inside networks when they are on external networks, such as their home network. Create separate profiles to accommodate different authentication methods.

Procedure


Step 1

On the CDO navigation pane, click VPN > ASA/FDM Remote Access VPN Configuration. You can click a VPN configuration to view the summary information on how many connection profiles and group policies are currently configured.

Note

To see the group policies assigned to the device, under Actions, click Group Policies. Group policies assigned to connection profiles are automatically added to the list and cannot be removed.

If the group policy you need does not yet exist, click and select from the list. You can create additional group policies to provide the services you require. See Create ASA Remote Access VPN Group Policies.

Step 2

Click the connection profile and under Actions in the sidebar at the right, click Add Connection Profile.

Step 3

Configure the basic connection attributes.

  • Connection Profile Name: The name for this connection, up to 50 characters without spaces. For example, MainOffice.

    Note

    The name you enter here is what users will see in the connection list in the AnyConnect client. Choose a name that will make sense to your users.

  • Group Alias, Group URL: Aliases contain alternate names or URLs for a specific connection profile. VPN users can choose an alias name in the AnyConnect client in the list of connections when they connect to the ASA device. The connection profile name is automatically added as a group alias. You can also configure the list of group URLs, which your endpoints can select while initiating the Remote Access VPN connection. If users connect using the group URL, the system will automatically use the connection profile that matches the URL. This URL would be used by clients who do not yet have the AnyConnect client installed. Add as many group aliases and URLs as required. These aliases and URLs must be unique across all connection profiles defined on the device. Group URLs must start with https://.

  • For example, you might have the alias Contractor and the group URL https://ravpn.example.com/contractor. Once the AnyConnect client is installed, the user would simply select the group alias in the AnyConnect VPN drop-down list of connections.

Step 4

Configure the primary and, optionally, secondary identity sources. These options determine how remote users authenticate to the device to enable the remote access VPN connection. The simplest approach is to use AAA only and then select an AD realm or use the LocalIdentitySource. You can use the following approaches for Authentication Type:

Step 5

Configure the address pool for clients. The address pool defines the IP addresses that the system can assign to remote clients when they establish a VPN connection. For more information, see Configure Client Address Pool Assignment.

Step 6

Click Continue.

Step 7

Select the Group Policy to use for this profile from the list and click Select.

The group policy sets terms for user connections after the tunnel is established. The system includes a default group policy named 'DfltGrpPolicy'. You can create additional group policies to provide the services you require. See Create ASA Remote Access VPN Group Policies.

Step 8

Click Continue.

Step 9

Review the summary. First, verify that the summary is correct. You can see what end-users need to do to initially install the AnyConnect software and test that they can complete a VPN connection. Click to copy the instructions to the clipboard, and then distribute them to your users.

Step 10

Click Done.

Step 11

Perform step 5 of End-to-End Remote Access VPN Configuration Process for ASA.
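
The naming rules in Step 3 (name length and spaces, the automatic alias, https:// group URLs, uniqueness across profiles) can be checked against a planned set of profiles before you enter them in CDO. The following Python check is an added example, not part of the original procedure or any Cisco tooling; the plan format (`name`, `aliases`, `urls`), the sample values, and the URL normalization are assumptions.

```python
from urllib.parse import urlsplit

MAX_NAME_LEN = 50  # Step 3: up to 50 characters, without spaces


def validate_profiles(profiles):
    """Return a list of problems found in a planned set of connection profiles.
    Each profile is a dict with "name", "aliases", "urls" (hypothetical format)."""
    problems = []
    alias_owner = {}  # alias -> index of the profile that first claimed it
    url_owner = {}    # normalized URL -> index of the profile that first claimed it

    for idx, p in enumerate(profiles):
        name = p["name"]
        if not 1 <= len(name) <= MAX_NAME_LEN:
            problems.append(f"{name!r}: name must be 1 to {MAX_NAME_LEN} characters")
        if any(ch.isspace() for ch in name):
            problems.append(f"{name!r}: name must not contain spaces")
        # The profile name is automatically added as a group alias.
        for alias in dict.fromkeys([name, *p.get("aliases", [])]):
            first = alias_owner.setdefault(alias, idx)
            if first != idx:
                problems.append(f"{name!r}: alias {alias!r} is already used by "
                                f"{profiles[first]['name']!r}")
        for url in p.get("urls", []):
            parts = urlsplit(url)
            if not url.startswith("https://") or not parts.netloc:
                problems.append(f"{name!r}: group URL {url!r} must start with https://")
                continue
            # Assumption: host case and a trailing slash do not make a URL distinct.
            key = (parts.netloc.lower(), parts.path.rstrip("/"))
            first = url_owner.setdefault(key, idx)
            if first != idx:
                problems.append(f"{name!r}: group URL {url!r} is already used by "
                                f"{profiles[first]['name']!r}")
    return problems


# Constructed sample plan; names and URLs are illustrative only.
PLAN = [
    {"name": "MainOffice", "aliases": [], "urls": ["https://ravpn.example.com/main"]},
    {"name": "Contractors", "aliases": ["Contractor"],
     "urls": ["https://ravpn.example.com/contractor"]},
    {"name": "Partner VPN", "aliases": ["Contractor"],
     "urls": ["http://ravpn.example.com/partner",
              "https://RAVPN.example.com/contractor/"]},
]
```

Calling `validate_profiles(PLAN)` reports four problems, all in the third profile: the space in its name, the reused alias, the http:// group URL, and the group URL that collides with the Contractors profile.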