Cisco AnyConnect Secure Mobility Solution Guide
Note: Version 8.3 of the ASA can only use WCCP to redirect web traffic when the traffic
enters the ASA on the same interface where WCCP is enabled. However, the
AnyConnect client traffic does not enter the ASA on the same interface where
WCCP is enabled (which is the same interface connected to the WSA). To work
around this, you must connect a router off the WCCP-enabled interface to direct
all traffic to the router and then return it to the ASA on the WCCP-enabled
interface. This allows the ASA to use WCCP to redirect web traffic to the WSA
for scanning. In Figure 4, Router A returns all traffic back to the ASA on the same
interface as the WSA, the inside interface.
Note: When using this architecture with the Web Security appliance proxy bypass list
feature, only local users are able to successfully reach websites listed in the proxy
bypass list. When a remote user tries to access a website listed in the proxy bypass
list, the connection fails.
Configuring AnyConnect Secure Mobility
To achieve secure mobility for users connecting to the network using VPN, you
must configure the following products:
• Cisco IronPort Web Security appliance. For more information, see
Configuring WSA Support for AnyConnect Secure Mobility, page 17.
• Cisco adaptive security appliance. For more information, see Configuring
ASA Support for AnyConnect Secure Mobility, page 18.
• Cisco AnyConnect secure mobility client. For more information, see
Configuring AnyConnect Support for AnyConnect Secure Mobility, page 19.
To integrate a Web Security appliance and an adaptive security appliance, you
need the following information:
• IP address for each adaptive security appliance
• Port number of each adaptive security appliance
• IP address for each Web Security appliance
• Port number of each Web Security appliance