Cisco Phone VPN to CUCM with Anyconnect
Sample Data ASA Configuration
ip local pool [[IP Pool Name]] [[VPN IP Range]] mask [[VPN Subnet Mask]]

group-policy [[Group Policy Name]] internal
group-policy [[Group Policy Name]] attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client

tunnel-group [[Tunnel-Group Name]] type remote-access
tunnel-group [[Tunnel-Group Name]] general-attributes
 address-pool [[IP Pool Name]]
 default-group-policy [[Group Policy Name]]
tunnel-group [[Tunnel-Group Name]] webvpn-attributes
 authentication certificate
 group-url [[Group URL]] enable

webvpn
 enable [[Outside Interface]]
 anyconnect image disk0:/[[AnyConnect Client Package]]
 anyconnect enable

ssl trust-point [[Trust Point Name]] [[Outside Interface]]
(Use 'show run ssl' to see if there is already an 'ssl trust-point' defined for the outside interface; the phone must trust exactly the certificate the ASA presents there.)

CUCM Configuration
Export the identity certificate from the ASA and import it into CallManager as a Phone-VPN-trust certificate.

Export the certificate and save it as a .pem file on your PC:
- crypto ca export [[Trust Point Name]] identity-certificate
- (Use 'show run ssl' to find the 'ssl trust-point' name)

Add the ASA certificate to CUCM:
- Log in to Cisco Unified OS Administration
- Security > Certificate Management > Upload Certificate > select Phone-VPN-trust
- Upload the .pem file

VPN Configuration on CallManager:
- Navigate to Cisco Unified CM Administration
- Advanced Features > VPN > VPN Gateway. In the VPN Gateway Configuration window:
  VPN Gateway Name: [ Cisco ASA ]
  VPN Gateway Description: [ Cisco ASA Phone VPN ]
  VPN Gateway URL: [ [[Group URL]] ] (this must be the same URL as the ASA group-url)
  VPN Certificates in this Location: select the certificate that was uploaded to CallManager previously
- Advanced Features > VPN > VPN Group. Select the VPN Gateway previously defined and click the down arrow to move it to the Selected VPN Gateways list
- Advanced Features > VPN > VPN Profile. Complete all fields that are marked with an asterisk (*):
  • Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and if no response is received, it auto-initiates a VPN connection.
  • Enable Host ID Check: If enabled, the VPN phone compares the FQDN of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match, or if the certificate is a wildcard certificate (a name containing an asterisk, *). Issue the ASA identity certificate for the exact gateway FQDN.
  • Enable Password Persistence: This allows the VPN phone to cache the username and password for the next VPN attempt.
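The Host ID Check rule above is stricter than what a browser applies to the same certificate. The script below is an added example (not code from the page or from Cisco) that models the rule as the page states it: the host part of the VPN Gateway URL must appear verbatim in the CN or SAN, and any wildcard name fails the whole certificate. The gateway URL, the certificate names and the browser-style matcher used for contrast are assumptions.

```python
"""Phone-style Host ID Check for a CUCM VPN Gateway URL.

Added example, not code from the page or from Cisco. It models the rule the
page describes for 'Enable Host ID Check': the phone takes the FQDN from the
VPN Gateway URL and requires it to appear verbatim in the ASA identity
certificate's CN or SAN, and it refuses any wildcard certificate even where a
browser would accept one. The gateway URL, the certificate names and the
browser-style matcher used for contrast are assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def gateway_fqdn(group_url: str) -> str:
    """Return the host part of a group-url such as https://vpn.example.com/phone.

    The URL may carry a scheme, port and path; only the host is compared.
    """
    host = urlsplit(group_url).hostname
    if not host:
        raise ValueError(f"no host in VPN Gateway URL {group_url!r}")
    return host.lower().rstrip(".")


def phone_host_id_check(group_url: str, cn: str, sans: list[str]) -> tuple[bool, str]:
    """Strict check as the page describes it.

    Passes only when the gateway FQDN equals (case-insensitively) the CN or one
    of the SAN DNS names. Any name containing '*' fails the whole certificate,
    regardless of what else it contains.
    """
    fqdn = gateway_fqdn(group_url)
    names = [n.lower().rstrip(".") for n in [cn, *sans] if n]
    wildcards = [n for n in names if "*" in n]
    if wildcards:
        return False, f"wildcard certificate {wildcards} is rejected by the phone"
    if fqdn in names:
        return True, f"{fqdn} matches a certificate name"
    return False, f"{fqdn} not found in CN/SAN {names}"


def browser_style_match(fqdn: str, name: str) -> bool:
    """Left-most-label wildcard matching in the RFC 6125 style (for contrast only)."""
    fqdn, name = fqdn.lower(), name.lower()
    if name.startswith("*."):
        suffix = name[1:]                       # ".example.com"
        prefix = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return fqdn == name


# Constructed cases (assumed names, not from the page): (gateway URL, CN, SAN DNS names).
CASES = [
    ("https://vpn.example.com/phone", "vpn.example.com", []),                    # CN only
    ("https://VPN.Example.com/phone", "asa.example.com", ["vpn.example.com"]),   # SAN, case differs
    ("https://vpn.example.com/phone", "*.example.com", []),                      # wildcard
    ("https://vpn.example.com/phone", "asa.example.com", ["mail.example.com"]),  # no match
]


def run_cases() -> list[tuple[bool, bool]]:
    """Return (phone_ok, browser_ok) per case, showing where the two rules differ."""
    results = []
    for url, cn, sans in CASES:
        phone_ok, reason = phone_host_id_check(url, cn, sans)
        fqdn = gateway_fqdn(url)
        browser_ok = any(browser_style_match(fqdn, n) for n in [cn, *sans])
        print(f"{fqdn:20} phone={phone_ok!s:5} browser={browser_ok!s:5} {reason}")
        results.append((phone_ok, browser_ok))
    return results


if __name__ == "__main__":
    run_cases()
```

Running it shows the third case as the one that matters operationally: a *.example.com certificate passes the browser-style match but fails the phone's check, so a phone that cannot connect while a laptop AnyConnect client can is often a wildcard certificate on the ASA.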
Common Phone Profile:
- Device > Device Settings > Common Phone Profile
- Click the 'Standard Common Phone Profile' or create a new one
- Set 'VPN Group' and 'VPN Profile' to the group and profile defined above

Phone Configuration:
- If you created a new profile for specific phones/users, go to the Phone Configuration window for each of those phones
- In the Common Phone Profile field, choose the Common Phone Profile that carries the VPN Group and VPN Profile (Standard Common Phone Profile if you edited that one)

Certificate Authentication Configuration
CUCM Administration:
- Advanced Features > VPN > VPN Profile
- Verify 'Client Authentication Method' is set to 'Certificate' (this matches 'authentication certificate' on the ASA tunnel-group)

Export the Cisco MIC CA certificate or the Cisco LSC CA certificate:
- Unified OS Administration > Security > Certificate Management > Find
- Find 'Cisco_Manufacturing_CA.pem' for MIC or 'CAPF.pem' for LSC
- Open the .pem file in a text editor and copy its contents

Create a new trustpoint on the ASA and paste the CA certificate into it so the ASA can validate the phone's certificate (use a second trustpoint with the CAPF.pem contents if phones authenticate with an LSC):

crypto ca trustpoint CM-Manufacturing
 enrollment terminal
 exit
crypto ca authenticate CM-Manufacturing
<--Insert Text from Cisco_Manufacturing_CA.pem-->
quit

Verification
show vpn-sessiondb detail anyconnect

References
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html#anc7