This one may look like a very involved configuration, but in reality it is not. The process is straightforward: if you know how to set up AnyConnect on an ASA, you will be able to crack it.

I have also included a few links that show the process and the important things you need to consider, as well as the licensing requirements.

Useful Links:

ASA Sample Configuration: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/8_5_1/secugd/sec-851-cm/secuvpn.html#wp1054676

Configure AnyConnect VPN IP Phones with Certificate Authentication on an ASA: http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

SSLVPN with IP Phones Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115945-config-sslvpn-ip-phones-00.html

ASA 8.x Manually Install 3rd Party Vendor Certificates for use with WebVPN Configuration Example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98596-asa-8-x-3rdpartyvendorcert.html

ip local pool uc-vpn-pool 10.111.1.1-10.111.1.254 mask 255.255.255.0

group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 split-tunnel-policy tunnelall
 vpn-tunnel-protocol ssl-client

tunnel-group vpn-phones type remote-access
tunnel-group vpn-phones general-attributes
 address-pool uc-vpn-pool
 default-group-policy GroupPolicy_SSL
tunnel-group vpn-phones webvpn-attributes
 group-url https://uc-vpn.Domain.com/VPNPhone enable

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.0.3054-k9.pkg
 anyconnect enable

ssl trust-point SSL outside

Sample Running Configuration

ssl trust-point asa-uc outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.08009-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-64-3.1.08009-k9.pkg 3
 anyconnect profiles remote_client_profile disk0:/remote_client_profile.xml
 anyconnect profiles uc-vpn disk0:/uc-vpn.xml
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable

group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 4.2.2.2 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value domain.com
 split-tunnel-all-dns enable
 webvpn
  anyconnect profiles value uc-vpn type user
  always-on-vpn profile-setting

tunnel-group vpn-phones type remote-access
tunnel-group vpn-phones general-attributes
 address-pool uc-vpn-pool
 default-group-policy GroupPolicy_SSL
tunnel-group vpn-phones webvpn-attributes
 authentication certificate
 group-alias vpn enable
 group-url https://uc-vpn.domain.com/vpn enable
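Note the one difference that matters between the two snippets: the running configuration sets authentication certificate under the tunnel-group's webvpn-attributes, while the first snippet does not, so the first one would fall back to the ASA default of AAA (username/password) authentication for the phones. As an added example (not part of the post and not Cisco code), the following Python checker parses an ASA running-config into its indented sections and reviews the phone-VPN pieces above: it confirms the trust-point, the AnyConnect image and enable lines, the tunnelall split-tunnel policy, the address-pool and group-policy references, and certificate authentication plus an https group-url on the tunnel-group. The embedded configuration is a constructed, trimmed copy of the post's snippets; the checks themselves, in particular flagging ssl-clientless as unnecessary for a phone-only group policy, are my recommendation rather than a requirement stated by the post.

```python
# Added example (not from the post or from Cisco): a checker for the ASA
# AnyConnect phone-VPN configuration shown above. SAMPLE_CONFIG is a constructed,
# trimmed copy of the post's snippets with the "ip local pool" line included so
# that the address-pool reference resolves.
from collections import defaultdict

SAMPLE_CONFIG = """\
ip local pool uc-vpn-pool 10.111.1.1-10.111.1.254 mask 255.255.255.0
ssl trust-point asa-uc outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.08009-k9.pkg 1
 anyconnect profiles uc-vpn disk0:/uc-vpn.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 dns-server value 4.2.2.2 8.8.8.8
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 webvpn
  anyconnect profiles value uc-vpn type user
tunnel-group vpn-phones type remote-access
tunnel-group vpn-phones general-attributes
 address-pool uc-vpn-pool
 default-group-policy GroupPolicy_SSL
tunnel-group vpn-phones webvpn-attributes
 authentication certificate
 group-alias vpn enable
 group-url https://uc-vpn.domain.com/vpn enable
"""


def parse_asa_config(text):
    """Group a running-config into {top-level command: [indented child lines]}.

    ASA nests sub-commands with leading spaces; deeper levels (the 'webvpn'
    block inside group-policy attributes) are flattened into the same child
    list, which is enough for the membership checks below.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return dict(sections)


def _children(sections, prefix, suffix=""):
    """Yield (name, child lines) for headers shaped '<prefix> <name> [<suffix>]'."""
    for header, lines in sections.items():
        if header.startswith(prefix + " ") and (not suffix or header.endswith(" " + suffix)):
            yield header.split()[len(prefix.split())], lines


def check_phone_vpn(sections):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pools = {name for name, _ in _children(sections, "ip local pool")}
    policies = {name for name, _ in _children(sections, "group-policy", "internal")}

    if not list(_children(sections, "ssl trust-point")):
        findings.append("no 'ssl trust-point' bound to an interface; the phones must "
                        "trust the certificate the ASA presents")
    webvpn = sections.get("webvpn", [])
    if "anyconnect enable" not in webvpn:
        findings.append("webvpn: 'anyconnect enable' is missing")
    if not any(l.startswith("anyconnect image ") for l in webvpn):
        findings.append("webvpn: no 'anyconnect image' is loaded")

    for name, lines in _children(sections, "group-policy", "attributes"):
        proto = next((l for l in lines if l.startswith("vpn-tunnel-protocol")), "")
        if "ssl-clientless" in proto:
            findings.append(f"group-policy {name}: 'ssl-clientless' is allowed; "
                            "phones only need 'ssl-client'")
        if "split-tunnel-policy tunnelall" not in lines:
            findings.append(f"group-policy {name}: split-tunnel-policy is not 'tunnelall'")

    for name, lines in _children(sections, "tunnel-group", "general-attributes"):
        for l in lines:
            if l.startswith("address-pool ") and l.split()[1] not in pools:
                findings.append(f"tunnel-group {name}: address-pool '{l.split()[1]}' is not defined")
            if l.startswith("default-group-policy ") and l.split()[1] not in policies:
                findings.append(f"tunnel-group {name}: group-policy '{l.split()[1]}' is not defined")

    for name, lines in _children(sections, "tunnel-group", "webvpn-attributes"):
        if "authentication certificate" not in lines:
            findings.append(f"tunnel-group {name}: no 'authentication certificate'; the ASA "
                            "default is AAA (username/password) authentication")
        for l in lines:
            if l.startswith("group-url ") and not l.split()[1].startswith("https://"):
                findings.append(f"tunnel-group {name}: group-url '{l.split()[1]}' is not https")
    return findings


if __name__ == "__main__":
    for finding in check_phone_vpn(parse_asa_config(SAMPLE_CONFIG)):
        print("WARN:", finding)
```

Run against the sample, the only finding is the ssl-clientless one; feed it the output of show running-config from your own ASA (or the first snippet above, which lacks authentication certificate) to see the reference and authentication checks fire.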

About the Author:

Andres Sarmiento, CCIE #53520 (Collaboration). With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies, including Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT service provider infrastructures.

You can follow Andres on Twitter, LinkedIn or Facebook.