06-28-2019 01:57 AM - edited 06-28-2019 01:58 AM
Hi,
I'll be configuring AnyConnect for remote access VPN on an ASA5500-X running 9.8 code. I tried to search but only see this doc, which is on ASA 9.6:
My questions are:
1) Which AnyConnect 4.x is compatible with ASA 9.8 code? I don't see any compatibility matrix.
2) Which is the go-to config: private or shared storage? Is there any config example I can follow?
3) Is there a specific license/feature needed? I have AnyConnect Premium Peers applied (total of 4x from active-standby FWs).
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 50 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
This platform has an ASA5555 VPN Premium license.
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 100 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual <<< 2x from active + 2x from standby FW
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
06-28-2019 06:50 AM
The guide you linked is a valid one, even for 9.8.
1. Any AnyConnect 4.x release is compatible. Cisco generally recommends using the latest release (currently 4.7.04056).
2. As noted in the linked guide, we make some settings in the system context, put the AnyConnect images into shared storage and then use the user context(s) to individually set up AnyConnect. That last bit is pretty much like it's done on a single-context ASA.
3. You get the 2 "AnyConnect Premium" (roughly equivalent to the current Apex type) licenses per ASA for free. If you need more, you need to purchase AnyConnect Plus or Apex (or VPN only) licenses just like with any other ASA. You add those licenses by using the PAK plus serial number(s) to get an activation key from the software.cisco.com licensing portal.
06-29-2019 06:50 AM - edited 06-29-2019 07:07 AM
Hi Marvin,
Is this the ONLY file I need to transfer to the ASA flash? Users are ONLY using Windows.
anyconnect-win-4.7.04056-webdeploy-k9.pkg
Also, below is my template. I'd appreciate it if you let me know if there's any error in my config.
Do I need to transfer the AnyConnect image file twice? One to disk0 and another to the private 'virtual flash'?
changeto system
class VPN
limit-resource VPN AnyConnect 4 <<< I CURRENTLY HAVE 4 ANYCONNECT DEFAULT/BUILT-IN LICENSE
limit-resource VPN Burst AnyConnect 4
mkdir PRIVATE_VPN
copy ftp://ftpuser:ftpuser@172.x.x.x/anyconnect-win-4.7.04056-webdeploy-k9.pkg flash <<< DO I NEED TO TRANSFER ANYCONNECT IMAGE FILE TWICE?
copy flash:/anyconnect-win-4.7.04056-webdeploy-k9.pkg flash:/PRIVATE_VPN/CUST-X
context CUST-X
member VPN
allocate-interface GigabitEthernet0/0
allocate-interface GigabitEthernet0/1.9
config-url disk0:/VPN.cfg
storage-url private disk0:/PRIVATE_VPN CUST-X
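Added example, not part of any post in this thread and not taken from Cisco's guide: a sketch of the shared-storage layout described in point 2 of the answer above, where the package is copied once into a shared directory and referenced from the user context. The directory names, the `shared` label, the `outside` interface name and the FTP placeholders are assumptions; the class, context, interface and package names are the ones used in the posts above.

```cisco
! System execution space
changeto system
! One directory for images shared by all contexts, one for this
! context's private files (both directory names are assumptions)
mkdir disk0:/SHARED_VPN
mkdir disk0:/PRIVATE_VPN
! Single copy of the package; user, password and server are placeholders
copy ftp://<user>:<password>@<ftp-server>/anyconnect-win-4.7.04056-webdeploy-k9.pkg disk0:/SHARED_VPN/
configure terminal
! Resource class that hands AnyConnect licenses to member contexts
class VPN
 limit-resource VPN AnyConnect 4
context CUST-X
 member VPN
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.9
 ! Visible inside the context as shared:/ (label "shared" is an assumption)
 storage-url shared disk0:/SHARED_VPN shared
 ! Visible inside the context as CUST-X:/
 storage-url private disk0:/PRIVATE_VPN CUST-X
 config-url disk0:/VPN.cfg
end
! User context: reference the image from shared storage
changeto context CUST-X
configure terminal
webvpn
 ! "outside" is an assumed interface name inside the context
 enable outside
 anyconnect image shared:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
 anyconnect enable
end
```

The remaining per-context settings (address pool, group policy, tunnel group, authentication) follow the single-context procedure, as the answer notes.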