Content created by Rene Molenaar (CCIE #41726)


Notable Replies

  1. Hello Rene, first, congratulations on your lessons. I have read many of them, and I have liked them all.
    Now I have two questions regarding this lesson:

      • Is it mandatory to create/configure the AnyConnect connection first, before creating the Local CA Server, as you mentioned in the beginning?
      • After the export from the PC and the import into the Cisco ASA, do I have to repeat that procedure (export from PC and import into ASA) on every PC or device that I have to connect?

    Thank you in advance

  2. Hi Hector,

    It's not mandatory; you could configure the local CA first. The configuration for AnyConnect is pretty much the same, so that's why I referred to the previous example.

    The certificate that we exported to the computer and then back to the ASA is something you only have to do once. The ASA will present this certificate to the user so that the user can authenticate the ASA.

    User certificates are easier to enroll. They can fetch it using their web browser.


  3. sims says:

    Hi Rene

    "Cisco ASA Anyconnect Local CA" means the ASA acts like a CA?
    I don't want a group (in your example SSL_USERS), meaning users do not have a choice to select a group from the combo box called groups. I think if I don't need the groups, I really don't need this part: "tunnel-group MY_TUNNEL webvpn-attributes".

    In that case, how do I enable double auth, like username (LDAP) and certificate?

    If I am using a self-signed certificate, is the double authentication part the same? How do I generate certificates for the end users if I am using a self-signed certificate in the ASA?


  4. Hi Sims,

    That's right, the ASA is the CA that creates certificates here. Although it works, I think it's a better idea to use an external CA for your certificates.

    The following command allows users to select a group:

    ASA1(config)# webvpn
    ASA1(config-webvpn)# tunnel-group-list enable

    If you remove it, users shouldn't be able to get that option anymore.


  5. Hey Rene,

    I am using unetlab to do this lab with ASA 8.4. This lab is the only one that is not fully working. I get the certificate prompt to use my certificate, but once I click okay, Internet Explorer goes to "page cannot be displayed". I am using a Win7 32-bit image and IE8. I have imported all the proper certificates, following your example.
