Cisco Phone VPN to CUCM with Anyconnect
Sample Data ASA Configuration
Values in angle brackets are the site-specific variables that the script leaves blank (see the variable list at the end of this page):

ip local pool SSL_Pool <VPN IP Range> mask <VPN Subnet Mask>
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool SSL_Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url <Group URL> enable
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.3054-k9.pkg
 anyconnect enable
ssl trust-point SSL outside

(Use 'show run ssl' to see if there is already an 'ssl trust-point' defined.)

CUCM Configuration
Export the certificate from the ASA and import it into CallManager as a Phone-VPN-trust certificate.

Export the certificate and save it as a .pem file on your PC:
- crypto ca export SSL identity-certificate
  (Use 'show run ssl' to find the 'ssl trust-point' name.)

Add the ASA certificate to CUCM:
- Log in to CallManager Unified OS Administration
- Security > Certificate Management > Upload Certificate > select Phone-VPN-trust
- Upload the .pem file

VPN Configuration on CallManager:
- Navigate to Cisco Unified CM Administration
- Advanced Features > VPN > VPN Gateway. In the VPN Gateway Configuration window:
  VPN Gateway Name: [ Cisco ASA ]
  VPN Gateway Description: [ Cisco ASA Phone VPN ]
  VPN Gateway URL: [ ]
  VPN Certificates in this Location: select the certificate that was uploaded to CallManager previously
- Advanced Features > VPN > VPN Group. Select the VPN Gateway defined previously and click the down arrow to move it to the Selected VPN Gateways list.
- Advanced Features > VPN > VPN Profile. Complete all fields that are marked with an asterisk (*).
  • Enable Auto Network Detect: If enabled, the VPN phone pings the TFTP server and if no response is received, it auto-initiates a VPN connection.
  • Enable Host ID Check: If enabled, the VPN phone compares the FQDN of the VPN Gateway URL against the CN/SAN of the certificate. The client fails to connect if they do not match or if a wildcard certificate with an asterisk (*) is used.
  • Enable Password Persistence: This allows the VPN phone to cache the username and password for the next VPN attempt.
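The sample ASA script and the Host ID Check bullet can both be exercised before touching a phone. The following Python is an added example, not code from the page or from Cisco: it renders the page's ASA configuration from the same variable set the script uses, then checks that set for the two mistakes that most often stop a phone from connecting: a pool range that does not fit inside its subnet mask, and a Group URL whose host name is not present verbatim in the ASA identity certificate's CN/SAN (a wildcard name is rejected, as the bullet above states). It assumes the VPN Gateway URL entered in CUCM is the same as the ASA group-url. The names SSL_Pool, GroupPolicy_SSL, SSL, outside and the package path are the page's own; the IP range, mask, URL and certificate names are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Site variables mirroring the page's variable list. The sample names are the
# page's own; the IP range, mask and URL are constructed placeholders.
SAMPLE_VARS = {
    "pool_name": "SSL_Pool",
    "ip_range": "10.10.10.1-10.10.10.254",
    "subnet_mask": "255.255.255.0",
    "group_policy": "GroupPolicy_SSL",
    "tunnel_group": "SSL",
    "group_url": "https://vpn.example.com/phonevpn",
    "outside_if": "outside",
    "anyconnect_pkg": "disk0:/anyconnect-win-3.0.3054-k9.pkg",
    "trust_point": "SSL",
}


def render_asa_config(v):
    """Return the page's ASA configuration as a list of CLI lines."""
    return [
        f"ip local pool {v['pool_name']} {v['ip_range']} mask {v['subnet_mask']}",
        f"group-policy {v['group_policy']} internal",
        f"group-policy {v['group_policy']} attributes",
        " split-tunnel-policy tunnelall",
        " vpn-tunnel-protocol ssl-client",
        f"tunnel-group {v['tunnel_group']} type remote-access",
        f"tunnel-group {v['tunnel_group']} general-attributes",
        f" address-pool {v['pool_name']}",
        f" default-group-policy {v['group_policy']}",
        f"tunnel-group {v['tunnel_group']} webvpn-attributes",
        " authentication certificate",
        f" group-url {v['group_url']} enable",
        "webvpn",
        f" enable {v['outside_if']}",
        f" anyconnect image {v['anyconnect_pkg']}",
        " anyconnect enable",
        f"ssl trust-point {v['trust_point']} {v['outside_if']}",
    ]


def host_id_check(gateway_url, cert_names):
    """Emulate the phone's Host ID Check: the URL's host name must appear
    verbatim in the certificate CN/SAN, and a wildcard name is rejected."""
    host = (urlparse(gateway_url).hostname or "").lower()
    if any(n.startswith("*") for n in cert_names):
        return False, "wildcard certificate is rejected by the phone"
    if host not in {n.lower() for n in cert_names}:
        return False, f"{host} is not in certificate CN/SAN {sorted(cert_names)}"
    return True, "ok"


def validate(v, cert_names):
    """Return a list of problems; an empty list means the variables are consistent."""
    problems = []
    # Pool: both ends of the range must fall inside the network the mask implies.
    try:
        start, end = (ipaddress.IPv4Address(a) for a in v["ip_range"].split("-"))
        net = ipaddress.IPv4Network(f"{start}/{v['subnet_mask']}", strict=False)
        if end not in net or start > end:
            problems.append("VPN IP Range does not fit inside the VPN Subnet Mask")
    except ValueError as exc:
        problems.append(f"bad pool definition: {exc}")
    # URL: the phone dials an HTTPS URL and compares its host name with the cert.
    url = urlparse(v["group_url"])
    if url.scheme != "https" or not url.hostname:
        problems.append("Group URL must be https://<host>/<path>")
    else:
        ok, why = host_id_check(v["group_url"], cert_names)
        if not ok:
            problems.append(f"Host ID Check would fail: {why}")
    if not v["trust_point"]:
        problems.append("Trust Point Name is empty; check 'show run ssl'")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE_VARS, ["vpn.example.com"]):
        print("PROBLEM:", problem)
    print("\n".join(render_asa_config(SAMPLE_VARS)))
```

Run it with the CN and SAN entries of the certificate behind the 'ssl trust-point' as the second argument; if `validate` returns anything, fix the variables before pasting the rendered configuration into the ASA.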
Common Phone Profile:
- Device > Device Settings > Common Phone Profile
- Click on the 'Standard Common Phone Profile' or create a new one
- Set 'VPN Group' and 'VPN Profile'

Phone Configuration:
- If you created a new profile for specific phones/users, go to the Phone Configuration window
- In the Common Phone Profile field, choose Standard Common Phone Profile.

Certificate Authentication Configuration
CUCM Administration:
- Advanced Features > VPN > VPN Profile
- Verify 'Client Authentication Method' is set to 'Certificate'

Export the Cisco MIC CA cert or the Cisco LSC CA cert:
- Unified OS Administration > Security > Certificate Management > Find
- Find 'Cisco_Manufacturing_CA.pem' for MIC or 'CAPF.pem' for LSC
- Open the .pem file in a text editor

Create a new trustpoint on the ASA:

crypto ca trustpoint CM-Manufacturing
 enrollment terminal
 exit
crypto ca authenticate CM-Manufacturing
<--Insert Text from Cisco_Manufacturing_CA.pem-->
quit

Verification
Check the phone sessions on the ASA:

show vpn-sessiondb detail anyconnect
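With several phones connected, reading the command output by eye is error-prone. The following Python is an added example, not from the page or from Cisco: it parses 'show vpn-sessiondb detail anyconnect' output into one record per session and flags any session that did not land where the configuration above puts phones (tunnel-group SSL, group-policy GroupPolicy_SSL, an address from SSL_Pool). A phone that shows up in DefaultWEBVPNGroup, for instance, reached the ASA without hitting the group-url. The sample output is constructed to resemble the ASA's layout; its usernames, addresses and times are made up, and the pool range is an assumption.

```python
import ipaddress
import re

# Constructed sample shaped like 'show vpn-sessiondb detail anyconnect' output
# (two sessions, abbreviated). Every value here is made up for this example.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : SEP0011AABB2233        Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.20
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Group Policy : GroupPolicy_SSL        Tunnel Group : SSL
Login Time   : 09:12:41 UTC Mon Jan 6 2025
Duration     : 0h:14m:03s

Username     : SEP0011AABB4455        Index        : 13
Assigned IP  : 192.168.50.7           Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 09:15:02 UTC Mon Jan 6 2025
Duration     : 0h:11m:42s
"""

# The fields the audit needs; each appears once per session block.
FIELDS = ("Username", "Assigned IP", "Group Policy", "Tunnel Group")


def parse_sessions(text):
    """Split the command output at each 'Username :' line and pull FIELDS
    out of every block; returns a list of dicts, one per session."""
    sessions = []
    for block in re.split(r"\n(?=Username\s*:)", text):
        if not block.lstrip().startswith("Username"):
            continue  # header text before the first session
        rec = {}
        for key in FIELDS:
            m = re.search(rf"{re.escape(key)}\s*:\s*(\S+)", block)
            if m:
                rec[key] = m.group(1)
        sessions.append(rec)
    return sessions


def audit_phone_sessions(text, tunnel_group, group_policy, pool_range):
    """Return [(username, [problems])] for sessions that are not in the
    expected tunnel-group and group-policy with an address from the pool."""
    start, end = (ipaddress.IPv4Address(a) for a in pool_range.split("-"))
    findings = []
    for s in parse_sessions(text):
        probs = []
        if s.get("Tunnel Group") != tunnel_group:
            probs.append(f"tunnel-group {s.get('Tunnel Group')} (expected {tunnel_group})")
        if s.get("Group Policy") != group_policy:
            probs.append(f"group-policy {s.get('Group Policy')} (expected {group_policy})")
        ip = ipaddress.IPv4Address(s.get("Assigned IP", "0.0.0.0"))
        if not (start <= ip <= end):
            probs.append(f"assigned IP {ip} outside pool {pool_range}")
        if probs:
            findings.append((s.get("Username"), probs))
    return findings


if __name__ == "__main__":
    # Pool range is an assumed value; substitute the one configured on the ASA.
    for user, probs in audit_phone_sessions(
        SAMPLE_OUTPUT, "SSL", "GroupPolicy_SSL", "10.10.10.1-10.10.10.254"
    ):
        print(user, "->", "; ".join(probs))
```

Paste the real command output in place of the constructed sample (or read it from a file) and pass the pool range from the 'ip local pool' line; the second constructed session is the kind of result that tells you a phone is connecting, but not through the phone VPN tunnel-group.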
Variables used in the script (sample values are the ones shown in the configuration above; blank fields are site-specific):

IP Pool Name: SSL_Pool
VPN IP Range:
VPN Subnet Mask:
Group Policy Name: GroupPolicy_SSL
Tunnel-Group Name: SSL
Group URL:
Outside Interface: outside
AnyConnect Client Package: disk0:/anyconnect-win-3.0.3054-k9.pkg
Trust Point Name: SSL