ASA AnyConnect and SSL VPN for IP Phones with CUCM

This one may seem a bit like a very involved configuration but in reality is not. The process is easy, if you know how to set up AnyConnect in an ASA, you will be able to crack it.

I have also included few links that show the process and the important things that you need to consider, as well as licensing requirements

Useful Links:
ASA Sample Configuration:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm/secuvpn.html#wp1054676

Configure AnyConnect VPN IP Phones with Certificate Authentication on an ASA
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

SSLVPN with IP Phones Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115945-config-sslvpn-ip-phones-00.html

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98596-asa-8-x-3rdpartyvendorcert.html

ip local pool uc-vpn-pool 10.111.1.1-10.111.1.254 mask 255.255.255.0
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
split-tunnel-policy tunnelall
vpn-tunnel-protocol ssl-client

tunnel-group vpn-phones type remote-access
tunnel-group vpn-phones general-attributes
address-pool uc-vpn-pool
default-group-policy GroupPolicy_SSL
tunnel-group vpn-phones webvpn-attributes
group-url https://uc-vpn.Domain.com/VPNPhone enable

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.3054-k9.pkg
anyconnect enable

ssl trust-point SSL outside
—————————————–
Sample Running Configuration
—————————————–
ssl trust-point asa-uc outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.08009-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-3.1.08009-k9.pkg 3
anyconnect profiles remote_client_profile disk0:/remote_client_profile.xml
anyconnect profiles uc-vpn disk0:/uc-vpn.xml
anyconnect enable
tunnel-group-list enable
error-recovery disable

group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
wins-server none
dns-server value 4.2.2.2 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
default-domain value domain.com
split-tunnel-all-dns enable
webvpn
anyconnect profiles value uc-vpn type user
always-on-vpn profile-setting

tunnel-group vpn-phones type remote-access
tunnel-group vpn-phones general-attributes
address-pool uc-vpn-pool
default-group-policy GroupPolicy_SSL
tunnel-group vpn-phones webvpn-attributes
authentication certificate
group-alias vpn enable
group-url https://uc-vpn.domain.com/vpn enable

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s