Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2486
Views
0
Helpful
6
Replies

Anyconnect VPN through Juniper SRX

Go to solution
David Pearson
Level 1
Level 1

‎02-15-2019 02:21 AM - edited ‎02-21-2020 08:49 AM

I am trying to setup Cisco anyconnect to terminate on an ASA through a juniper srx650, I currently use the older cisco client and that works fine. 

Does anyconnect use different ports?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-15-2019 02:25 AM

Hi there,

AnyConnect will use UDP/443 and TCP/443 as a fallback. Check that both destination ports are allowed into the SRX zone that the ASA is positioned in.

 

cheers,

Seb.

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to David Pearson

‎02-15-2019 06:11 AM

The traditional Cisco client for Remote Access VPN used ipsec and so you had to permit ports for isakmp and esp. By default the AnyConnect client does not ipsec but uses SSL and so the ports would certainly be different. As suggested in a previous response you would need to permit TCP and UDP 443.

 

HTH

 

Rick

HTH

Rick

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni

‎02-15-2019 02:25 AM

Hi there,

AnyConnect will use UDP/443 and TCP/443 as a fallback. Check that both destination ports are allowed into the SRX zone that the ASA is positioned in.

 

cheers,

Seb.

0 Helpful

Go to solution
David Pearson
Level 1
Level 1
In response to Seb Rupik

‎02-15-2019 02:28 AM

Hi Seb,

 

I have been using the old cisco client for years and have been asked to get anyconnect up and working as we are moving to windows 10. If the same ports are used I would expect them to have just worked?

 

0 Helpful

Go to solution
Seb Rupik
VIP Alumni
VIP Alumni
In response to David Pearson

‎02-15-2019 02:48 AM

hmmm, well if you are not using webssl, perhaps you have AnyConnect over IKEv2. Can you share the crypto config from your ASA?

 

cheers,

Seb.

0 Helpful

Go to solution
David Pearson
Level 1
Level 1
In response to Seb Rupik

‎02-15-2019 03:29 AM

Hi Seb,

 

I am not currently using the webssl, if I test the on another prepord network/firewall, that does not go through the Juniper it works. hence the question about what ports are required for anyconnect.

Do you know of a best practice guide for anyconnect?

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to David Pearson

‎02-15-2019 06:11 AM

The traditional Cisco client for Remote Access VPN used ipsec and so you had to permit ports for isakmp and esp. By default the AnyConnect client does not ipsec but uses SSL and so the ports would certainly be different. As suggested in a previous response you would need to permit TCP and UDP 443.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
David Pearson
Level 1
Level 1
In response to Seb Rupik

‎02-17-2019 11:53 PM

Hi Seb,

 

Thanks for the help, I had not allowed 443.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card