This document shows how to enable the AnyConnect Start Before Logon (SBL) feature on a Cisco ASA.
Hardware: ASA 5505
FW Version: Cisco Adaptive Security Appliance Software Version 9.1(7)23
ASDM Version: Device Manager Version 7.6(2)150
First we need to prepare a self-signed certificate for the firewall. SBL requires that the ASA be reachable by a domain name: before the user logs on, the client validates the ASA's certificate against the name it connects to, so the certificate must carry that FQDN and must be trusted by the computer. Connecting to a bare IP address does not work. The example below keeps the 1024-bit RSA key used in the original configuration; a 2048-bit modulus is the current recommendation and is supported on this ASA release.
Step 1: Create the self-signed certificate
crypto key generate rsa label xxx.xxx.xxx modulus 1024
crypto ca trustpoint ASA-CA
enrollment self
fqdn xxx.xxx.xxx
subject-name cn=xxx.xxx.xxx
keypair xxx.xxx.xxx
crl configure
ssl trust-point ASA-CA
Step 2: Enroll the trustpoint to generate the self-signed certificate.
crypto ca enroll ASA-CA
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name in the certificate will be: xxx.xxx.xxx
% Include the device serial number in the subject name? [yes/no]: no
Generate Self-Signed Certificate? [yes/no]: yes
ASA(config)#
The firewall certificate is now in place. The client computers will need a copy of it (client Step 2 below); it can be exported from the ASA with: crypto ca export ASA-CA identity-certificate
Next we need to modify the client profile to enable SBL on the client.
Step 3: Add the XML below to the AnyConnect client profile (it belongs inside the profile's root AnyConnectProfile element, alongside the ServerList) and upload the file to the firewall.
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
</ClientInitialization>
ASA# copy tftp: flash:
Address or name of remote host []?tftp_server_ip_address
Source filename []?source_file_name
Destination filename []?destination_file_name
Step 4: Define the AnyConnect client profile.
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles sbl disk0:/startbeforelogin.xml
anyconnect enable
Step 5: Enable the SBL module (vpngina) and push the profile in the group policy
group-policy Group_Name attributes
webvpn
anyconnect modules value vpngina
anyconnect profiles value sbl type user
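Before uploading the profile from Step 3 it is worth checking the two things SBL depends on: UseStartBeforeLogon is set, and every HostEntry points at the certificate FQDN rather than an IP. The script below is an added example for this page, not Cisco code and not part of the original document. The full profile it contains is constructed here to show where the page's ClientInitialization fragment sits; the entry name "SBL Entry" and the address xxx.xxx.xxx are the page's placeholders and are assumptions to be replaced with real values.

```python
"""SBL readiness lint for an AnyConnect client profile.

Added example for this page; it is not Cisco code and not part of the original
document. The sample profile is constructed here: it places the page's
<ClientInitialization> fragment inside a complete AnyConnectProfile with one
ServerList entry. "SBL Entry" and xxx.xxx.xxx are placeholders to be replaced.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a full profile as the ASA would push it. The ServerList
# HostEntry is what appears in the drop-down at the Windows logon screen.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>SBL Entry</HostName>
      <HostAddress>xxx.xxx.xxx</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample of the hosts-file line the page adds on the client.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
123.123.123.123 xxx.xxx.xxx
"""


def is_ip_literal(value):
    """True if value parses as an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hosts_lookup(hosts_text, fqdn):
    """Return the address a hosts file maps fqdn to, or None if absent.

    Mirrors what the client does before logon when DNS is not available:
    a missing entry here is the 'unsuccessful domain name resolution' case.
    """
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fqdn.lower() in (name.lower() for name in fields[1:]):
            return fields[0]
    return None


def lint_sbl_profile(xml_text, cert_fqdn):
    """Return a list of problems; an empty list means the profile is SBL-ready.

    cert_fqdn is the name enrolled in the ASA certificate (the trustpoint's
    fqdn / subject-name cn). SBL needs UseStartBeforeLogon=true and every
    HostAddress to be that name: an IP literal cannot be matched against the
    certificate, which is the 'local network may not be trustworthy' case.
    """
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    # {*} matches any namespace, so this works with or without the xmlns.
    sbl = root.find("{*}ClientInitialization/{*}UseStartBeforeLogon")
    if sbl is None or (sbl.text or "").strip().lower() != "true":
        problems.append("UseStartBeforeLogon is missing or not set to true")
    entries = root.findall("{*}ServerList/{*}HostEntry")
    if not entries:
        problems.append("ServerList has no HostEntry to select at the logon screen")
    for entry in entries:
        name = entry.findtext("{*}HostName", default="").strip()
        addr = entry.findtext("{*}HostAddress", default="").strip()
        if not addr:
            problems.append(f"HostEntry {name!r} has no HostAddress")
        elif is_ip_literal(addr):
            problems.append(f"HostEntry {name!r}: {addr} is an IP address; SBL needs the certificate FQDN")
        elif addr.lower() != cert_fqdn.lower():
            problems.append(f"HostEntry {name!r}: {addr} does not match certificate FQDN {cert_fqdn}")
    return problems


if __name__ == "__main__":
    fqdn = "xxx.xxx.xxx"
    print("profile problems:", lint_sbl_profile(SAMPLE_PROFILE, fqdn) or "none")
    print("hosts file maps", fqdn, "to", hosts_lookup(SAMPLE_HOSTS, fqdn))
```

Run it against the real profile and hosts file contents before the upload in Step 3; both checks correspond to the two failures listed in the troubleshooting section at the end of this page.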
The firewall configuration is complete. The following steps are needed on the client computer to make SBL work.
Step 1: Add an entry mapping the ASA's FQDN to its outside IP address in the user computer's hosts file (C:\Windows\System32\drivers\etc\hosts). This is only needed when the name cannot be resolved by DNS before logon.
123.123.123.123 xxx.xxx.xxx
Step 2: Install the ASA certificate into the user computer's Trusted Root Certification Authorities store. Use the Local Computer store, not the current user's, because SBL runs before any user has logged on.

Step 3: When the user first connects to the firewall with AnyConnect after logging on, the ASA pushes the SBL module and the profile file to the client.

Step 4: Connect with AnyConnect via SBL
The user will find the Cisco AnyConnect icon at the bottom right of the Windows logon screen.

Click it and choose the SBL entry defined in the profile to connect.

Troubleshooting:
Q: The VPN connection failed due to unsuccessful domain name resolution.
A: The client cannot resolve the ASA's FQDN. Check the local computer's Internet connection and the hosts-file or DNS entry for the name (client Step 1).
Q: The client reports that the local network may not be trustworthy.
A: The client could not validate the ASA's certificate for the name it connected to. Check that the host address in the profile matches the FQDN in the certificate, that the certificate is installed in the computer's Trusted Root store (client Step 2), and that the name resolves to the firewall.