64-43
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64 General VPN Setup
Configuring AnyConnect (SSL) VPN Client Connections
For more information about creating and deploying AnyConnect client profiles and controlling client
features, see the AnyConnect VPN Client Administrator Guide.
Fields
Profile Name—Specify a name for the profile you add.
Profile Usage—This feature is not currently supported. See the release notes for the AnyConnect VPN
client for the latest information on supported features.
Group Policy—Specify a group policy for this profile. The profile downloads to users belonging to the
group policy along with the AnyConnect client.
Profile Location—Specify a path to the profile file in the adaptive security appliance flash memory. If
the file does not exist, the adaptive security appliance creates one based on the profile template.
Exporting an AnyConnect Client Profile
Export an AnyConnect VPN client profile from this window. You can export to a local device or a remote
server.
For more information about creating and deploying AnyConnect client profiles and controlling client
features, see the AnyConnect VPN Client Administrator Guide.
Fields
Device Profile Path—Displays the path and filename of the profile file.
Local Path—Specify the path and filename to export the profile file.
Browse Local—Click to launch a window to browse the local device file system.
Exempting AnyConnect Traffic from Network Address Translation
If you have configured your ASA to perform network address translation (NAT), you must exempt your
remote access AnyConnect client traffic from being translated so that the AnyConnect clients, internal
networks, and corporate resources on a DMZ can originate network connections to each other. Failing
to exempt the AnyConnect client traffic from translation prevents the AnyConnect clients and other
corporate resources from communicating.
“Identity NAT” (also known as “NAT exemption”) allows an address to be translated to itself, which
effectively bypasses NAT. Identity NAT can be applied between two address pools, an address pool and
a subnetwork, or two subnetworks.
This procedure illustrates how you would configure identity NAT between these hypothetical network
objects in our example network topology: Engineering VPN address pool, Sales VPN address pool,
inside network, a DMZ network, and the Internet. Each Identity NAT configuration requires one NAT
rule.
Table 64-1 Network Addressing for Configuring Identity NAT for VPN Clients

Network or Address Pool        Network or address pool name   Range of addresses
Inside network                 inside-network                 10.50.50.0 - 10.50.50.255
Engineering VPN address pool   Engineering-VPN                10.60.60.1 - 10.60.60.254
Sales VPN address pool         Sales-VPN                      10.70.70.1 - 10.70.70.254
DMZ network                    DMZ-network                    192.168.1.0 - 192.168.1.255
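The following Python script is an added example and is not code from the Cisco guide. It takes the four network objects from Table 64-1, checks that their address ranges do not overlap (an overlapping VPN pool and internal subnet would make identity NAT ambiguous and break return routing), and renders the ASA 8.3+ twice-NAT identity rules, one per pair of objects that must reach each other untranslated, as the text above requires. The interface names (inside, outside, dmz) and the set of exempted pairs are assumptions; the guide's own procedure configures the rules through ASDM.

```python
"""Identity NAT (NAT exemption) planning for the VPN pools in Table 64-1.

Added example; not code from the Cisco guide. Builds the table's network
objects, verifies that no two address ranges overlap, and renders one ASA
8.3+ twice-NAT identity rule per pair of objects that must communicate
without translation. Interface names and the pair list are assumptions.
"""
import ipaddress

# Network objects from Table 64-1: name -> (first address, last address).
OBJECTS = {
    "inside-network": ("10.50.50.0", "10.50.50.255"),
    "Engineering-VPN": ("10.60.60.1", "10.60.60.254"),
    "Sales-VPN": ("10.70.70.1", "10.70.70.254"),
    "DMZ-network": ("192.168.1.0", "192.168.1.255"),
}

# Assumed interface behind which each object is reached. The VPN pools sit on
# "outside" because that is where the AnyConnect tunnels terminate.
INTERFACE = {
    "inside-network": "inside",
    "Engineering-VPN": "outside",
    "Sales-VPN": "outside",
    "DMZ-network": "dmz",
}

# Assumed pairs that must talk without translation: each VPN pool to the
# inside network, to the DMZ, and to the other VPN pool (client to client).
EXEMPT_PAIRS = [
    ("Engineering-VPN", "inside-network"),
    ("Engineering-VPN", "DMZ-network"),
    ("Sales-VPN", "inside-network"),
    ("Sales-VPN", "DMZ-network"),
    ("Engineering-VPN", "Sales-VPN"),
]


def _bounds(first, last):
    """Integer (low, high) bounds of an inclusive address range."""
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))


def overlapping_objects(objects):
    """Return sorted name pairs whose address ranges overlap; an empty list
    means the addressing plan is clean."""
    bounds = {name: _bounds(*addrs) for name, addrs in objects.items()}
    names = sorted(bounds)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = bounds[a]
            b_lo, b_hi = bounds[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def object_definition(name, first, last):
    """Render an 'object network' block. A range that is exactly one CIDR
    block becomes 'subnet'; a pool that skips the network and broadcast
    addresses (like the VPN pools above) becomes 'range'."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    if len(nets) == 1:
        body = f" subnet {nets[0].network_address} {nets[0].netmask}"
    else:
        body = f" range {first} {last}"
    return [f"object network {name}", body]


def identity_nat_rule(src, dst):
    """One twice-NAT rule mapping both objects to themselves. Twice NAT is
    bidirectional, so a single rule per pair covers connections started
    from either side, matching 'one NAT rule per identity NAT configuration'."""
    return (f"nat ({INTERFACE[src]},{INTERFACE[dst]}) "
            f"source static {src} {src} destination static {dst} {dst}")


def identity_nat_plan(objects=OBJECTS, pairs=EXEMPT_PAIRS):
    """Validate the addressing plan and return the full list of CLI lines."""
    clashes = overlapping_objects(objects)
    if clashes:
        raise ValueError(f"overlapping address ranges: {clashes}")
    lines = []
    for name, (first, last) in objects.items():
        lines.extend(object_definition(name, first, last))
    for src, dst in pairs:
        lines.append(identity_nat_rule(src, dst))
    return lines


if __name__ == "__main__":
    print("\n".join(identity_nat_plan()))
```

These are manual (twice) NAT rules, which the ASA evaluates before object NAT, so the exemptions take precedence over any dynamic PAT that sends the same pools to the Internet. The client-to-client rule is an outside-to-outside hairpin and only works if intra-interface traffic has been permitted on the ASA (same-security-traffic permit intra-interface).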