Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hello Rene, first congratulations for your lessons, I have read many of them, and I have liked them all.
    Now I have two questions regarding this lesson:

      1. Is it mandatory to create/configure the AnyConnect connection first before creating the Local CA Server as you mentioned in the beginning?
      2. After the export from the PC and the import into the Cisco ASA, do I have to repeat that procedure (export from PC and import in ASA) on every PC or device that I have to connect?

    Thank you in advance

  2. Hi Hector,

    It’s not mandatory, you could configure the local CA first. The configuration for AnyConnect is pretty much the same so that’s why I referred to the previous example.

    The certificate that we exported to the computer and then back to the ASA is something you only have to do once… the ASA will present this certificate to the user so that the user can authenticate the ASA.

    User certificates are easier to enroll. They can fetch it using their web browser.


  3. Hi Rene

    “Cisco ASA Anyconnect Local CA” means the ASA acts like a CA?
    I don’t want a group (in your example SSL_USERS), meaning users do not have a choice to select a group from the combo box called groups. I think if I don’t need the groups, I really don’t need this part: "tunnel-group MY_TUNNEL webvpn-attributes".

    In that case, how do I enable double auth like username (LDAP) and certificate?

    If I am using a self-signed certificate, is the double authentication part the same? How do I generate certificates for the end users if I am using a self-signed certificate on the ASA?


  4. Hi Sims,

    That’s right, the ASA is the CA that creates certificates here. Although it works, I think it’s a better idea to use an external CA for your certificates.

    The following command allows users to select a group:

    ASA1(config)# webvpn
    ASA1(config-webvpn)# tunnel-group-list enable 

    If you remove it, users shouldn’t be able to get that option anymore.

