This document describes how to configure and troubleshoot the VPN Phone feature of Cisco IP Phones and Cisco Unified Communications Manager.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Cisco Unified Communications Manager (CUCM)
Cisco Adaptive Security Appliance (ASA)
AnyConnect Virtual Private Network (VPN)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

The test environment in this article includes an 8861, ASAv, and CUCM 11.5.1, but there are many different variations of these products that you could use. You must check the Phone Feature List on CUCM to ensure that your phone model supports the VPN feature. In order to use the phone feature list, access your CUCM publisher in your browser and navigate to Cisco Unified Reporting > Unified CM Phone Feature List. Generate a new report and then select your phone model in the dropdown. Next, you need to search the List Features section for Virtual Private Network Client as shown in the image:

VPN phones require that you have the proper configuration on your ASA and CUCM. You could start with either product first, but this document covers the ASA configuration first.

Step 1. Verify that the ASA is licensed to support AnyConnect for VPN phones. The show version command on the ASA can be used to verify that AnyConnect for Cisco VPN Phone is enabled as shown in this snippet:

If this feature is not enabled, you need to work with the License team to get the appropriate license.

Now that you have confirmed that your ASA supports VPN phones, you can begin the configuration.

Note: All of the underlined items in the configuration section are configurable names that can be changed. Most of these names are referenced elsewhere in the config, so it is important to remember the names you use in these sections (group policy, tunnel group, etc.) because you need them later.

Step 2. Create an IP address pool for VPN clients. This is similar to a DHCP pool in that when an IP phone connects to the ASA it receives an IP address from this pool. The pool can be created with this command on the ASA:

ip local pool vpn-phone-pool 10.10.1.1-10.10.1.254 mask 255.255.255.0

Also, if you prefer a different network or subnet mask, that can be changed as well. Once the pool is created, you need to configure a group policy (a set of parameters for the connection between the ASA and IP phones):

Step 3. You need to enable AnyConnect if it is not already enabled. In order to do this, you need to know the name of the outside interface. Typically, this interface is named outside (as shown in the snippet), but it is configurable, so be sure to confirm you have the right interface. Run show ip to see the list of interfaces:

sckiewer-ASAv# show ip
Interface Name IP address Subnet mask Method

In this environment, the outside interface is named outside, so these commands enable AnyConnect on that interface.

Configure a new tunnel group in order to apply the group policy created earlier to any clients that connect on a specific URL. Notice the reference to the names of the IP address pool and group policy that you created earlier in the 3rd and 4th lines of the snippet. If you modified the names of the IP address pool or group policy, then you need to replace the incorrect values with your modified names:

tunnel-group vpn-phone-group type remote-access
tunnel-group vpn-phone-group general-attributes
tunnel-group vpn-phone-group webvpn-attributes

You can use an IP address rather than a name for the group-url. This is usually done if the phones do not have access to a DNS server that can resolve the Fully Qualified Domain Name (FQDN) of the ASA. Also, you can see that this example uses certificate-based authentication. You have the option to use username/password authentication as well, but there are more requirements on the ASA that are outside of the scope of this document.

In this example, the DNS server has the A record, - 172.16.1.250 and you can see from the show ip output that 172.16.1.250 is configured on the interface named outside.

ssl trust-point asa-identity-cert outside
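
Because the pool, group policy and interface names are reused across several commands, a saved ASA configuration can be checked offline for a mistyped name before phones fail to connect. The script below is an added example, not part of the original document; the sample configuration is constructed, and the group-policy name vpn-phone-policy and the mistyped pool name in it are assumptions.

```python
import re

# Constructed sample config. Pool, tunnel-group and trust-point names follow the
# document; "vpn-phone-policy" and the mistyped pool "vpn-phone-pol" are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
ip local pool vpn-phone-pool 10.10.1.1-10.10.1.254 mask 255.255.255.0
group-policy vpn-phone-policy internal
webvpn
 enable outside
tunnel-group vpn-phone-group type remote-access
tunnel-group vpn-phone-group general-attributes
 address-pool vpn-phone-pol
 default-group-policy vpn-phone-policy
ssl trust-point asa-identity-cert outside
"""

def find_dangling_references(config):
    """Return one finding per name that is referenced but never defined."""
    pools = set(re.findall(r"^ip local pool (\S+)", config, re.M))
    # DfltGrpPolicy is the ASA's built-in default group policy.
    policies = {"DfltGrpPolicy"} | set(
        re.findall(r"^group-policy (\S+) internal", config, re.M))
    interfaces = set(re.findall(r"^\s+nameif (\S+)", config, re.M))
    findings = []
    section = ""  # most recent top-level command; indented lines belong to it
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():
            section = line.strip()
        in_tunnel_group = section.startswith("tunnel-group")
        if in_tunnel_group and words[0] == "address-pool":
            # Skip an optional "(interface)" qualifier; the rest are pool names.
            findings += [f"{section}: undefined ip local pool {name}"
                         for name in words[1:]
                         if not name.startswith("(") and name not in pools]
        elif in_tunnel_group and words[0] == "default-group-policy":
            if words[1] not in policies:
                findings.append(f"{section}: undefined group-policy {words[1]}")
        elif section == "webvpn" and words[0] == "enable" and len(words) > 1:
            if words[1] not in interfaces:
                findings.append(f"webvpn: enabled on unknown interface {words[1]}")
        elif words[:2] == ["ssl", "trust-point"] and len(words) > 3:
            if words[3] not in interfaces:
                findings.append(f"ssl trust-point: unknown interface {words[3]}")
    return findings

if __name__ == "__main__":
    for finding in find_dangling_references(SAMPLE_CONFIG):
        print(finding)
```
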