75-10
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter75 Configuring AnyConnect VPN Client Connections
Configuring AnyConnect Connections
Enabling AnyConnect Client Profile Downloads
You enable Cisco AnyConnect Secure Mobility client features in the AnyConnect profiles—XML files
that contain configuration settings for the core client with its VPN functionality and for the optional
client modules Network Access Manager (NAM), posture, telemetry, and Web Security. The ASA
deploys the profiles during AnyConnect installation and updates. Users cannot manage or modify
profiles.
Profile Editor in ASDM
You can configure a profile using the AnyConnect profile editor, a convenient GUI-based configuration
tool launched from ASDM. The AnyConnect software package for Windows, version 2.5 and later,
includes the editor, which activates when you load the AnyConnect package on the ASA and specify it
as an AnyConnect client image.
Standalone Profile Editor
We also provide a standalone version of the profile editor for Windows that you can use as an alternative
to the profile editor integrated with ASDM. If you are predeploying the client, you can use the standalone
profile editor to create profiles for the VPN service and other modules that you deploy to computers
using your software management system. For more information about using the profile editor, see the
Cisco AnyConnect Secure Mobility Client Administrator Guide.
Note The AnyConnect client protocol defaults to SSL. To enable IPsec IKEv2, you must configure the IKEv2
settings on the ASA and also configure IKEv2 as the primary protocol in the client profile. The
IKEv2enabled profile must be deployed to the endpoint computer, otherwise the client attempts to
connect using SSL. For more information, see the Cisco AnyConnect Secure Mobility Client
Administrator Guide.
Follow these steps to edit a profile and enable the ASA to download it to remote clients:
Step1 Use the profile editor from ASDM or the standalone profile editor to create a profile. For more
information, see the Cisco AnyConnect Secure Mobility Client Administrator Guide.
Step2 Load the profile file into flash memory on the ASA using tftp or another method.
Step3 Use the anyconnect profiles command from webvpn configuration mode to identify the file as a client
profile to load into cache memory.
The following example specifies the files sales_hosts.xml and engineering_hosts.xml as profiles:
asa1(config-webvpn)# anyconnect profiles sales disk0:/sales_hosts.xml
asa1(config-webvpn)# anyconnect profiles engineering disk0:/engineering_hosts.xml
The profiles are now available to group policies.
You can view the profiles loaded in cache memory using the dir cache:stc/profiles command:
hostname(config-webvpn)# dir cache:/stc/profiles
Directory of cache:stc/profiles/
0 ---- 774 11:54:41 Nov 22 2006 engineering.xml
0 ---- 774 11:54:29 Nov 22 2006 sales.xml
2428928 bytes total (18219008 bytes free)
hostname(config-webvpn)#