
AnyConnect RA VPN in ASA Multiple Mode

johnlloyd_13
Level 9

hi,

i'll be configuring anyconnect for remote access VPN in an ASA5500-X 9.8 code. i tried to search but only see this doc which is on asa 9.6:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html

 

my questions are:

1) what anyconnect 4.x is compatible for asa 9.8 code? i don't see any compatibility matrix.

2) which is the go-to config? private or shared storage? any config example i can follow?

3) is there a specific license/feature needed? I have AnyConnect Premium Peers applied (total of 4x from active-standby FWs).

 

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 50 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5555 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 100 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual    <<< 2x from active + 2x from standby FW
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

Accepted Solutions

Marvin Rhoads
Hall of Fame

@johnlloyd_13 

The guide you linked is a valid one, even for 9.8.

1. Any AnyConnect 4.x release is compatible. Cisco generally recommends using the latest release (currently 4.7.04056).

2. As noted in the linked guide, we make some settings in system context, put the AnyConnect images into shared storage and then use the user context(s) to individually set up AnyConnect. That last bit is pretty much like it's done on a single context ASA.

3. You get the 2 "AnyConnect Premium" (roughly equivalent to the current Apex type) licenses per ASA for free. If you need more, you need to purchase AnyConnect Plus or Apex (or VPN only) licenses just like with any other ASA. You add those licenses by using the PAK plus serial number(s) to get an activation-key from the software.cisco.com licensing portal.

 

2 Replies

hi marvin,

is this the ONLY file i need to transfer in the ASA flash? users are ONLY using windows.

anyconnect-win-4.7.04056-webdeploy-k9.pkg

 

also, below is my template. appreciate if you let me know if there's any error in my config.

do i need to transfer the anyconnect image file twice? one to disk0 and another to the private 'virtual flash'?

 

changeto system

 

class VPN
limit-resource VPN AnyConnect 4    <<< I CURRENTLY HAVE 4 ANYCONNECT DEFAULT/BUILT-IN LICENSE
limit-resource VPN Burst AnyConnect 4


mkdir PRIVATE_VPN

copy ftp://ftpuser:ftpuser@172.x.x.x/anyconnect-win-4.7.04056-webdeploy-k9.pkg flash   <<< DO I NEED TO TRANSFER ANYCONNECT IMAGE FILE TWICE?

copy flash:/anyconnect-win-4.7.04056-webdeploy-k9.pkg flash:/PRIVATE_VPN/CUST-X

 

context CUST-X
member VPN
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.9
config-url disk0:/VPN.cfg
storage-url private disk0:/PRIVATE_VPN CUST-X
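
The template above assigns 4 guaranteed and 4 burst AnyConnect sessions against 4 licensed peers. The following Python check is an added example, not part of the original posts and not Cisco tooling; it compares the two before deployment. The function names and sample text are constructed, and it assumes the ASA resource-management behaviour in which guaranteed assignments cannot exceed the licensed total and burst sessions are drawn from whatever is left unassigned.

```python
import re

# Constructed sample input, modelled on the license output and template in this thread.
SHOW_VERSION = """Failover cluster licensed features for this platform:
Security Contexts : 100 perpetual
AnyConnect Premium Peers : 4 perpetual
"""
SYSTEM_CONFIG = """class VPN
 limit-resource VPN AnyConnect 4    <<< annotation, ignored by the parser
 limit-resource VPN Burst AnyConnect 4
context CUST-X
 member VPN
"""
LIMIT = re.compile(r"limit-resource VPN (Burst )?AnyConnect (\d+(?:\.\d+)?)(%?)$", re.I)

def licensed_peers(show_version):
    """AnyConnect Premium Peers from the failover-cluster section when present."""
    section = show_version.split("Failover cluster licensed features")[-1]
    m = re.search(r"AnyConnect Premium Peers\s*:\s*(\d+)", section)
    if m is None:
        raise ValueError("no 'AnyConnect Premium Peers' line found")
    return int(m.group(1))

def audit(show_version, config):
    """Compare guaranteed and burst sessions per context with the licensed total."""
    licensed = licensed_peers(show_version)
    classes, members, block = {}, {}, None
    for raw in config.splitlines():
        line = raw.split("<<<")[0].strip()          # drop inline annotations
        if m := re.match(r"(class|context) (\S+)$", line):
            block = (m.group(1), m.group(2))
            if block[0] == "class":
                classes[block[1]] = {"guaranteed": 0, "burst": 0}
        elif block and block[0] == "class" and (m := LIMIT.match(line)):
            value = float(m.group(2))
            if m.group(3):                           # percentage of licensed peers
                value = licensed * value / 100
            classes[block[1]]["burst" if m.group(1) else "guaranteed"] = int(value)
        elif block and block[0] == "context" and (m := re.match(r"member (\S+)$", line)):
            members[block[1]] = m.group(1)
    # Assumption: every member context gets its class limit as guaranteed sessions.
    guaranteed = sum(classes[c]["guaranteed"] for c in members.values() if c in classes)
    pool = max(licensed - guaranteed, 0)             # what is left for burst
    findings = []
    if guaranteed > licensed:
        findings.append(f"guaranteed {guaranteed} exceeds licensed {licensed}")
    for ctx, cls in members.items():
        burst = classes.get(cls, {}).get("burst", 0)
        if burst > pool:
            findings.append(f"{ctx}: burst {burst} but only {pool} unassigned")
    return {"licensed": licensed, "guaranteed": guaranteed, "burst_pool": pool, "findings": findings}
```

Run against the constructed sample, `audit(SHOW_VERSION, SYSTEM_CONFIG)` reports that all 4 licensed sessions are already guaranteed to CUST-X, so the burst value of 4 has no unassigned sessions behind it.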

 
