04-22-2015 11:30 AM - edited 03-11-2019 10:49 PM
This an opportunity to learn about Cisco SSL VPN feature, clientless VPN and Anyconnect remote access client with Mohammad Alhyari.
Monday, April 27th, 2015 to Friday, May 8th, 2015
Featured Expert
Mohammad Alhyari is a customer support engineer at the Cisco Technical assistance center in Krakow, Poland. CCIE security #35093 with over 5 years of experience in the security team. Mohammed's area of expertise is security, including VPN, SSL VPN, and IPSEC VPN on the Cisco IOS and Cisco ASA platforms.
Find other https://supportforums.cisco.com/expert-corner/events.
**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions
04-29-2015 07:33 AM
Hi Mohammad,
I have few "old" question regarding this discussion's topic, already posted around here, and a new one about licensing.
So here is the question: we manage a scenario based on a couple of old ASA5510 with A/S failover configuration; we have 150 AnyConnect Premium Peers licences but now we need to upgrade them to 200 or more. We got informed that the licensing model is changed and now we need to purchase "Apex" license as "AnyConnect Premium Peers" is no more an option. There will be platform-related problems activating and using the new licences? The old asa5510 support Apex license? It seems that our local Cisco commercial channel can't answer this question.
In my profile ( https://supportforums.cisco.com/users/flaviovettori ) you can review other "old" question, still unanswered, for example:
"our webvpn portal is deployed in a DMZ scenario, so the webvpn ASA's interface has a private address behind another firewalling gateway; we noticed that a portion of our users do access the portal from within the corporate's network, let's say from 10.0.0.0/8 ip space instead of the "outside" (the whole internet).
We would create something like a DAP which intercepts the situation (useraname: any authenticated, source ip address: from 10.0.0.0/8) and apply a message or another action to the logged user: is this possible?"
Thank you in advance.
Flavio
04-30-2015 07:39 AM
Hi Flavio ,
Thanks for posting your question here . Please have a look at the following :
1- There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting AnyConnect will support the new license model..
2- For your question about the filtering based on the source ip address . Currently this can't be done with DAP and we have the following product enhancement request for this :
CSCsl52329 Choose TG/DAP based upon source IP subnet & other endpoint conditions
As a workaround you can try one of the following :
a) configure a control plane access list to drop the traffic based on the source address . for more information please see this for the control plane option :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558738
b) if you are using Radius you can use the calling station ID attribute .
I hope you you will find this helpful.
Cheers.
04-29-2015 09:53 AM
Mohammad,
What is your opinion about setting up SSO (single sign-on) for Cisco AnyConnect? Have you run into any issues with the VPN using SSO? We have ASA 5510 and RADIUS server. Does SSO also work on Cisco VPN client? Thanks.
04-30-2015 07:48 AM
Hi Laura ,
SSO works with clientless webvpn (ssl portal), it is is not available for the anyconnect client . The produce Enhancement request for this :
CSCti8145 Implement SSO (Single Signon) with the AnyConnect client
Cheers .
04-30-2015 12:52 PM
Hi Laura.
Clientless vpn provides the access to internal web based applications through the ssl tunnel that is built between the user browser and the ASA so it requires no client to be installed on the machine. it also supports SSO for those internal resources. It can be used to provide access to the following as an example :
http/https websites .
OWA access
Citrix environments .
File access such as CIFS
Here is a good document that explains the detail :
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70475-webvpnasa.html
On the other hand anyconnect provides a full IP tunnel. So it provides full connectivity with the inside resources .
Based on that and with respect to your requirements you can decide which one is needed .
HTH .
04-30-2015 10:42 AM
Mohammad,
We are setting up the cold site for DR (Disaster Recovery). Would you recommend clientless VPN for DR?
Thanks.
04-30-2015 01:31 PM
Czesc,
simply question Mohammad - when we have to use AnyConnect client and when VPN Client 5.x for
IPSec VPN with MS LDAP authentication (except situation when we have GPRS/LTE modem on USB) ?
Thanks and regards,
Marcin
05-01-2015 06:55 AM
Hi Marcin ,
Thanks for the sharing your question here . First i would like to mention that the ipsec client is EOL :
http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html
Anyconnect provide full tunnel using TLS, DTLS and IPSEC (with IKEv2 integration) and all the new features are integrated into the cisco anyconnect client so we recommend to migrate from the legacy ipsec client to the cisco anyconnect solution . Anyconnect doesn't have the limitations ipsec client has .
For example :
1- End point assessment features (hostscan , prelogin check .... )
2- More control on the client machine (Trusted network detection and always on).
3- IKEv2 support .
4- optimal gateway selection .
This is just an example :)
one big difference was that the legacy client provided ipsec tunnel functionality which has been added to anyconnect when we started supporting ikev2 .
I encourage you to go through the following :
http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html?cachemode=refresh
http://www.cisco.com/c/en/us/solutions/enterprise-networks/anyconnect-secure-mobility-solution/index.html
Please feel free to post any concerns related to this .
regards.
Mohammad.
05-01-2015 04:59 AM
Dear Mr Mohammad Alhyari,
I have installed the Cisco mobility client 3.1.01065 in a win 7 (x64) system and try to connect to a SRP527 router.
When enter the WAN IP address from the SRP I get: could not connect to server.
With my XP computer where version 5 is installed all is working fine and the VPN is activated. How do I get the things running with the Win 7 system?
05-01-2015 06:59 AM
Hi Ronald,
It might be a connectivity issue from your machine to the router on TCP port 443 . can you telnet from the machine to the Router on that port ? If you use your Browser, Do you see a response for https://WAN-ADDRESS ?
Please show me your configuration if possible .
Cheers.
05-01-2015 10:10 PM
Hi Mohammad,
I can telnet to that port from remote but will see no answer, port 443 is accepted
What would be the sequence from the client side to make the connection possible based on user group and single user?
The client will make his own script after a success full connection?
I can send pictures from the GUI interface, I have no configuration files to show you
05-02-2015 09:35 AM
Hi Ronald .
Thanks for the reply . Nothing is needed from the client side other than installing the anyconnect secure mobility client . And for anyconnect there is no group password as in the ipsec client .
On the router you need to configure it for anyconnect .The most important point is to make sure the hardware you are using supports anyconnect .Here is the datasheet for ssl vpn:
http://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/product_data_sheet0900aecd80405e25.htmlRegards.
As you can see the SPR500 series is not included there .
Thanks again for your participation.
05-01-2015 07:33 AM