Configuring AnyConnect Alongside AppGate SDP


This document describes a method for configuring Cisco Remote Access VPN policies to allow the AnyConnect agent (Cisco Secure Client) to coincide with the AppGate SDP client on a workstation. The method described below is just one way to allow for interoperability, and there are most likely several other configuration options that can be implemented to achieve the same goal.

Prerequisites

Mutually exclusive subnets for AppGate and Cisco so that there is no IP overlap between the AnyConnect policies and the AppGate policies.

AppGate Configuration Checklist

  • Make sure that “tamper proofing” is not being enforced per AppGate Device Policies.

  • Make sure that none of the sites within your Collective are set up as a default gateway for end-user traffic.

  • Take note of the subnet(s) that AppGate will be providing secure access to.

  • Take note of the IP addresses of all AppGate Controllers and relevant gateways.

Cisco Configuration Steps

  1. Open ASDM and login.

  2. Navigate to Configuration -> Remote Access VPN and expand the Network (client) Access tree.

  3. Click on Group Policies and either add or modify a group policy for this use case.

  4. Within the Group Policy configuration, on the left-hand side, expand the Advanced tree and click on Split Tunneling.

  5. Next to Policy, make sure that Inherit is unchecked and select “Exclude network list below” from the drop down.

  6. Next to Network List, make sure that Inherit is unchecked and click Manage next to the drop down.

  7. Within the manage window, add a new ACL, and then add ACEs that contain the exclusive subnets and the IPs of all relevant AppGate appliances (Controllers and gateways). Make sure the Action is set to permit.

  8. Click OK which will bring you back to the split tunnel policy page and select the new ACL that you configured in step 7 from the drop down next to Network List.

  9. Click OK and then navigate to the Secure Client Connection Profiles, under Network (client) Access.

  10. Either add or modify a Connection Profile.

  11. Select the group policy configured above, from the drop down next to Group Policy.

  12. Make sure the client address pools and authentication are set the way you want them, then save the changes.
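The following script is an added example and is not part of this document or of Cisco's or AppGate's own tooling. It covers the prerequisite above (checking that the AnyConnect address pool does not overlap any AppGate subnet) and steps 5 through 8 (building the split-tunnel exclude list with one permit entry per AppGate subnet and per appliance). The subnets, appliance addresses and object names are constructed placeholders, and the ASA CLI lines it emits are assumed to be the command-line equivalent of the ASDM settings described in the steps; verify them against your own ASA before applying.

```python
"""Pre-flight overlap check plus generator for the split-tunnel exclude ACL.

Added example, not the document's own code. Addresses and names below are
constructed placeholders; the CLI output is the assumed equivalent of the ASDM
split-tunnel settings described in the steps above.
"""
import ipaddress

# Constructed sample values: replace with the addresses noted in the checklist.
ANYCONNECT_POOLS = ["10.10.0.0/16"]                      # address pool handed to AnyConnect clients
APPGATE_SUBNETS = ["10.50.0.0/16", "192.168.100.0/24"]  # subnets AppGate provides access to
APPGATE_APPLIANCES = ["203.0.113.10", "203.0.113.11", "198.51.100.5"]  # Controllers and Gateways


def find_overlaps(pools, subnets):
    """Return (pool, subnet) pairs whose address ranges overlap.

    Any overlap means the two clients would compete for the same routes, so
    the prerequisite is not met and the exclude list must not be deployed.
    """
    overlaps = []
    for pool in pools:
        p = ipaddress.ip_network(pool, strict=False)
        for subnet in subnets:
            s = ipaddress.ip_network(subnet, strict=False)
            if p.overlaps(s):
                overlaps.append((pool, subnet))
    return overlaps


def build_exclude_acl(acl_name, subnets, appliances):
    """Build the standard ACL entries (ACEs) for the split-tunnel exclude list.

    One permit entry per AppGate subnet and one host entry per appliance,
    matching step 7 (Action = permit).
    """
    lines = []
    for subnet in subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        lines.append(f"access-list {acl_name} standard permit "
                     f"{net.network_address} {net.netmask}")
    for ip in appliances:
        lines.append(f"access-list {acl_name} standard permit host {ipaddress.ip_address(ip)}")
    return lines


def build_group_policy(policy_name, acl_name):
    """Group-policy attributes for 'Exclude network list below' (steps 4 to 8)."""
    return [
        f"group-policy {policy_name} attributes",
        " split-tunnel-policy excludespecified",
        f" split-tunnel-network-list value {acl_name}",
    ]


def render_config(pools, subnets, appliances, acl_name="APPGATE_EXCLUDE",
                  policy_name="GP_APPGATE_COEXIST"):
    """Refuse to emit config when the prerequisite fails; otherwise return the CLI lines."""
    overlaps = find_overlaps(pools, subnets)
    if overlaps:
        raise ValueError(f"AnyConnect pool overlaps AppGate subnet: {overlaps}")
    return build_exclude_acl(acl_name, subnets, appliances) + build_group_policy(policy_name, acl_name)


if __name__ == "__main__":
    print("\n".join(render_config(ANYCONNECT_POOLS, APPGATE_SUBNETS, APPGATE_APPLIANCES)))
```

Run it once with the real pool and AppGate addresses substituted; if it raises because of an overlap, fix the addressing plan first rather than adjusting the ACL, since an overlapping exclude entry would pull the conflicting range out of the AnyConnect tunnel entirely.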

Validation

Log into AnyConnect and AppGate on the same machine and confirm that you can access resources behind both solutions.