Cisco Anyconnect Webvpn



Some USC online services require access through on-campus USC Secure Wireless or a wired network connection. USC offers Virtual Private Networking (VPN) to provide secure remote access to these services when you are off-campus. Use AnyConnect VPN if you are away from the USC campus and are unable to connect to services. Additionally, you must use AnyConnect VPN to access internal USC systems handling confidential or sensitive data, such as Student Information Systems (SIS), and file servers for specific schools and departments.

Please be aware that you DO NOT need to use AnyConnect VPN when accessing Blackboard, Zoom, Workday, ServiceNow, Microsoft Office 365 or Google Apps at USC.

Examples of Applications that Require AnyConnect VPN

  • Pitchbook – Marshall
  • Business Intelligence – Kuali
  • Remote Desktop Access
  • MyAccess
  • Student Information System (SIS)
  • Center for Advanced Research Computing (CARC)

The anyconnect ask command specifies how the AnyConnect client is installed on the user's computer. With the none default anyconnect options, the ASA does not ask the user whether to use WebVPN or AnyConnect but starts the AnyConnect client download automatically. The anyconnect dpd-interval command is used for Dead Peer.

How Do I Connect to VPN?

  • Note: Download the AnyConnect VPN web-deploy package (anyconnect-win.pkg or anyconnect-macos.pkg) from the Cisco Software Download site (registered customers only). Copy the AnyConnect VPN client to the ASA's flash memory; the ASA then serves it to the remote user computers so they can establish the SSL VPN connection with the ASA.
  • Faculty/Non-IT Staff and Students: Use AnyConnect VPN using the following address: vpn.usc.edu. Duo Two-Factor Authentication (2FA) is required.
  • IT Employees/SIS Users: Use AnyConnect VPN using the following address: connect.usc.edu. Duo 2FA is required.

NOTE: For detailed Cisco AnyConnect VPN client installation instructions for Mac and Windows and Frequently Asked Questions, refer to the resources listed in the right panel.

Existing VPN URLs

The following URLs are supported via AnyConnect VPN:

  • connect.usc.edu
  • sslvpn.usc.edu
  • vpn.usc.edu

Where Do I Go for Help?

If you need help setting up AnyConnect VPN, please contact the ITS Customer Support Center.

If you have questions regarding confidential data protection, please email infosecgrm@usc.edu.

We have resisted the change for a long time, but it's time to finally move some of our customers over to the SSL VPN who were previously using the IPSec Remote Access VPN. Windows 10 no longer supports the IPSec client, Cisco has stopped developing it, and its only saving grace is that Macs seem to have no problem with the built-in VPN connector.

We are moving some clients to the ASAv, whose installation I will document another time; the software version I am using is 9.6(1).

Requirements:

1. Most users will be standard, tunnel-all users.
2. A few users will require local LAN access for IP printers etc. These will be kept to a minimum as they pose a security risk.
3. The Anyconnect software should be deployed from the ASA.
4. The users will all be stored in the ASA local database.

Stage 1 – Get a 3rd party certificate

I have a previous post on this which is still valid. I used a RapidSSL certificate from GeoTrust. The latest client has a check box, ticked by default, that blocks untrusted certificates, which could cause a lot of pain for the support guys, so do this first! Make sure the time is set as per the article.

Stage 2 – Create an IP pool for the remote users

I favour using a completely separate IP range, not used anywhere else on the internal network. This saves a lot of faff with adding routes later.

ip local pool VPN-POOL 10.11.11.1-10.11.11.50

Stage 3 – Sort the NAT out

I ran into a world of pain when I did this first, as the ASA started responding to ARP requests from anything on its OUTSIDE subnet. The take-home message is to avoid using ‘any’ in your NAT setup. So we define the pool as an object and use that to get the NAT exemption for data leaving our ‘INSIDE’ network for the ‘OUTSIDE’ network via the VPN tunnel. We also want traffic coming back from the client that is not destined for the INSIDE network to be NATted to the internet.

object network VPN-IP-POOL
subnet 10.11.11.0 255.255.255.0
nat (OUTSIDE,OUTSIDE) dynamic interface dns

Now the NAT exemption for the INSIDE to OUTSIDE traffic. I assume there is already a LAN object defined.

nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN-IP-POOL VPN-IP-POOL

Also we’ll need to allow the OUTSIDE traffic to hairpin on the interface.

same-security-traffic permit intra-interface

Stage 4 – Add the webvpn config

Here we need to upload the pkg files, which can be downloaded from cisco.com, into the flash of the ASA. They are then referenced in the config.

webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-4.2.05015-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-4.2.05015-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-64-4.2.05015-k9.pkg 3
anyconnect enable
tunnel-group-list enable

Note the pkg references have an index number to permit multiple files to be uploaded.


Stage 5 – Group Policy

We’ll create a Group Policy to set the parameters for the users. It's best to create a new policy rather than edit the default. This is our ‘tunnel-all’ policy, which will be referenced by the tunnel group as the default policy.

group-policy CUSTOMER-POLICY internal
group-policy CUSTOMER-POLICY attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall

Stage 6 – The Tunnel Group

Here a tunnel group is created which pulls it all together.

tunnel-group CUSTOMER type remote-access
tunnel-group CUSTOMER general-attributes
address-pool VPN-POOL
default-group-policy CUSTOMER-POLICY
tunnel-group CUSTOMER webvpn-attributes
group-alias CUSTOMER-LOGIN enable

The group aliases appear in the dropdown when the user logs in.

Stage 7 – The Users

The users are all using the default group policy of ‘CUSTOMER-POLICY’ unless we specify differently.

username user_name password pass_word
username user_name attributes
vpn-group-policy MY-DIFFERENT-GROUP-POLICY
group-lock value CUSTOMER
service-type remote-access

I’ve also locked the user into the correct group to be secure.
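As an added check that is not part of this write-up, a small Python audit over the pool, NAT and user stanzas from the stages above: it flags NAT rules that use ‘any’ (the proxy-ARP problem from Stage 3), an address pool that no object network covers (so the NAT exemption would miss it), and users without a group-lock (Stage 7). The sample config is constructed for illustration and includes one deliberately bad NAT line and one unlocked user.

```python
import ipaddress
import re

# Constructed sample (not the write-up's config verbatim): the pool, NAT and
# user stanzas above, plus one NAT line using 'any' and one user without group-lock.
SAMPLE_CONFIG = """\
ip local pool VPN-POOL 10.11.11.1-10.11.11.50
object network VPN-IP-POOL
 subnet 10.11.11.0 255.255.255.0
 nat (OUTSIDE,OUTSIDE) dynamic interface dns
nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN-IP-POOL VPN-IP-POOL
nat (INSIDE,OUTSIDE) source static any any destination static VPN-IP-POOL VPN-IP-POOL
username alice password pass_word
username alice attributes
 group-lock value CUSTOMER
username bob password pass_word
username bob attributes
 service-type remote-access
"""

def audit_asa_vpn_config(text):
    """Return a list of findings for the pitfalls the write-up calls out."""
    pools, objects, users, locked, findings = {}, {}, set(), set(), []
    block = None  # ("object", name) or ("user", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", line):
            block = ("object", m[1])
        elif (m := re.match(r"subnet (\S+) (\S+)", line)) and block and block[0] == "object":
            objects[block[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif line.startswith("nat ") and re.search(r"\bany\b", line):
            findings.append(f"NAT rule uses 'any' (proxy-ARP pitfall): {line}")
        elif m := re.match(r"username (\S+) password", line):
            users.add(m[1])
        elif m := re.match(r"username (\S+) attributes", line):
            block = ("user", m[1])
        elif line.startswith("group-lock value") and block and block[0] == "user":
            locked.add(block[1])
    # Every address pool must sit inside an object network, or the NAT exemption misses it.
    for name, (lo, hi) in pools.items():
        if not any(lo in net and hi in net for net in objects.values()):
            findings.append(f"pool {name} is not covered by any object network")
    for user in sorted(users - locked):
        findings.append(f"user {user} has no group-lock")
    return findings

if __name__ == "__main__":
    print(audit_asa_vpn_config(SAMPLE_CONFIG))
```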


This is enough to get up and running – there is loads more to do with customisation, additional security and the like, but for now the customer needs to get online.