Hi Flavio ,

Thanks for posting your question here . Please have a look at the following :

1- There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting AnyConnect will support the new license model..

2- For your question about the filtering based on the source ip address . Currently this can't be done with DAP and we have the following product enhancement request for this :

CSCsl52329    Choose TG/DAP based upon source IP subnet & other endpoint conditions 

As a workaround you can try one of the following :

a) configure a control plane access list to drop the traffic based on the source address . for more information please see this for the control plane option :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558738

b) if you are using Radius you can use the calling station ID attribute .

I hope you you will find this helpful.

Cheers.

Hi Laura ,

SSO works with clientless webvpn (ssl portal), it is  is not available for the anyconnect client . The produce Enhancement request for this :

CSCti8145 Implement SSO (Single Signon) with the AnyConnect client
 

Cheers .

Hi Laura.

Clientless vpn provides the access to internal web based applications through the ssl tunnel that is built between the user browser and the ASA so it requires no client to be installed on the machine. it also supports SSO for those internal resources. It can be used to provide access to the following as an example :

http/https websites .

OWA access 

Citrix environments .

File access such as CIFS 

Here is a good document that explains the detail :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70475-webvpnasa.html

On the other hand anyconnect provides a full IP tunnel. So it provides full connectivity with the inside resources . 

Based on that and with respect to your requirements you can decide which one is needed .

HTH .

Hi Marcin ,

Thanks for the sharing your question here . First i would like to mention that the ipsec client is EOL :

http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

Anyconnect provide full tunnel using TLS, DTLS and IPSEC (with IKEv2 integration) and all the new features are integrated into the cisco anyconnect client so we recommend to migrate from the legacy ipsec client to the cisco anyconnect solution . Anyconnect doesn't have the limitations ipsec client has . 

For example :

1-  End point assessment features (hostscan , prelogin check .... )

2- More control on the client machine (Trusted network detection and always on).

3- IKEv2 support .

4- optimal gateway selection .

This is just an example  :)

one big difference was that the legacy client provided ipsec tunnel functionality which has been added to anyconnect when we started supporting ikev2 .

I encourage you  to go through the following :

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html?cachemode=refresh

http://www.cisco.com/c/en/us/solutions/enterprise-networks/anyconnect-secure-mobility-solution/index.html

Please feel free to post any concerns related to this .

regards.

Mohammad.

Hi Ronald,

It might be a connectivity issue from your machine to the router on TCP port 443 .  can you telnet from the machine to the Router on that port ? If you use your Browser, Do you see a response for https://WAN-ADDRESS ?

Please show me your configuration if possible .

Cheers.

Hi Mohammad,

I can telnet to that port from remote but will see no answer, port 443 is accepted

What would be the sequence from the client side to make the connection possible based on user group and single user?

The client will make his own script after a success full connection?

I can send pictures from the GUI interface, I have no configuration files to show you

Hi Ronald .

Thanks for the reply . Nothing is needed from the client side other than installing the anyconnect secure mobility client . And for anyconnect there is no group password as in the ipsec client .

On the router you need to configure it for anyconnect .The most important point is to make sure the hardware you are using supports anyconnect .Here is the datasheet for ssl vpn:

http://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/product_data_sheet0900aecd80405e25.htmlRegards.

As you can see the SPR500 series is not included there . 

Thanks again for your participation. 

Ronald,

Your XP computer with version 5 would be version 5 of the Cisco IPsec (IKEv1) VPN client.

AnyConnect Secure Mobility Client is a client primarily for SSL VPN (although it also works with the newer and less common IPsec IKEv2).

The router would need to have a configuration change to additionally support AnyConnect-based clients.

Thanks Marvin,

The SRP500 series is out  of service but loaded with the latest firmware.

I only have the choice for a group + password and users + password.

Is there no way to make a configuration file which I can use on the client side to connect to that router?