Participant

WebVPN enable outside - impact on active vpn sessions

Just starting to configure our ASA 5525X HA pair to support AnyConnect clients.

We currently have several IKEv1 VPNs terminating on our outside interface so I am concerned about the impact of enabling webvpn on the outside as well... is there any service impact to doing this?

Also, if we ever only plan to deploy the AnyConnect client manually to our corporate laptops, is there even any need to enable webvpn and the web deployment capabilities of the ASA? Does this help down the road when deploying a new version, or would we have to do that manually as well?

 

Thanks in advance.

 

John

VIP Advocate

Re: WebVPN enable outside - impact on active vpn sessions

You should be able to enable AnyConnect access without affecting the IKEv1 clients connecting successfully. The only things to be careful about are the tunnel-group, group-policy and pool configuration. If you create new TG, GP and pools for the AnyConnect setup, you should have no issues. You can also reuse the same tunnel-group as IKEv1 if you want, but there is a chance you could uncheck something in the ASDM that might be needed for that existing connection.

 

Enabling webvpn on the outside and adding the AnyConnect client image are a must, even if you plan on pre-deploying the clients to the end user. The idea is that the AnyConnect image is an admin-controlled setting, so any update you make to the client will get reflected upon the next connection attempt.

Participant

Re: WebVPN enable outside - impact on active vpn sessions

Thanks again Rahul.  Very helpful.

 

I have a few more questions if you don't mind. (Of course others are free to chime in here.)

So if I wanted to migrate all my remote access VPN users away from the legacy VPN client to AnyConnect, I'm assuming I'd need to create new TG, GP and pools for each of the existing legacy TG, GP and pools, is that correct? Is this a sound migration strategy? Or is there a better way?

 

Also, what part of the config on the ASA tells the AC client to use IKEv2 instead of SSL for the vpn connection?  I ask because I do not want to deploy SSL VPNs using AnyConnect, only remote access VPNs like I have now.

 

John

VIP Advocate

Re: WebVPN enable outside - impact on active vpn sessions

Depends on how many types of users you have and the way you want them to connect. TG defines what auth mechanism will be used for the connection, while GP is where the authorization is applied (what permissions and settings the user receives). You can create one TG/GP pair per type of user to match the IKEv1 config. Alternatively, you can also have one TG that all users go to, then assign them different GPs based on their credentials. I usually recommend this if you are using one type of AAA server (LDAP, RADIUS, local) for authenticating all your users. This way you do not have to manage different groups that they have to log in to.

 

IKEv2 is controlled by the AnyConnect client profile setting. You would have to pre-deploy the client and profile for them to start using IKEv1 from Day 1. If that is not possible, you can have them download the profile using SSL on the first successful attempt. The next attempt onward would be based on the profile setting.
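As an added illustration (not from any poster in this thread), the ASA CLI equivalent of the advice above: the existing IKEv1 tunnel-group, group-policy and pool are left alone, and AnyConnect gets its own set plus webvpn on the outside. All object names, the address ranges, the trustpoint and the image/profile file names are constructed placeholders.

```text
! Existing IKEv1 remote-access objects (constructed names) - untouched
ip local pool LEGACY-POOL 10.10.1.1-10.10.1.254 mask 255.255.255.0
group-policy LEGACY-GP internal
tunnel-group LEGACY-TG type remote-access
tunnel-group LEGACY-TG general-attributes
 address-pool LEGACY-POOL
 default-group-policy LEGACY-GP
tunnel-group LEGACY-TG ipsec-attributes
 ikev1 pre-shared-key <placeholder>

! New, separate objects for AnyConnect so nothing in LEGACY-* changes
ip local pool AC-POOL 10.10.2.1-10.10.2.254 mask 255.255.255.0
group-policy AC-GP internal
group-policy AC-GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles AC-PROFILE type user
tunnel-group AC-TG type remote-access
tunnel-group AC-TG general-attributes
 address-pool AC-POOL
 default-group-policy AC-GP
tunnel-group AC-TG webvpn-attributes
 group-alias AnyConnect enable

! webvpn on the outside hosts the admin-controlled image and profile;
! "enable outside" opens a TLS listener on tcp/443 of that interface,
! so bind a CA-issued certificate to it rather than the self-signed one.
ssl trust-point ASA-CERT outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<VERSION>-webdeploy-k9.pkg 1
 anyconnect profiles AC-PROFILE disk0:/ac-profile.xml
 anyconnect enable
 tunnel-group-list enable

! IKEv2 side for AnyConnect; profile download (client-services) still
! rides on 443. The profile itself selects IKEv2 via its
! <PrimaryProtocol>IPsec</PrimaryProtocol> element for the host entry.
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASA-CERT
```

After applying, `show vpn-sessiondb` lists the IKEv1 and AnyConnect sessions separately, which is a quick check that the legacy tunnels were not disturbed.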