cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8229
Views
105
Helpful
31
Replies

Ask the Expert: Configuring and Troubleshooting remote access SSL VPN on Cisco Adaptive Security Appliance

Lisa Latour
Level 6
Level 6

This an opportunity to learn about Cisco SSL VPN  feature, clientless VPN and Anyconnect remote access client with Mohammad Alhyari.

Monday, April 27th, 2015  to Friday, May 8th, 2015

Featured Expert

Cisco Expert

Mohammad Alhyari is a customer support engineer at the Cisco Technical assistance center in Krakow, Poland. CCIE security #35093 with over 5 years of experience in the security team. Mohammed's area of expertise is security, including VPN, SSL VPN, and IPSEC VPN on the Cisco IOS and Cisco ASA platforms.

 

Find other  https://supportforums.cisco.com/expert-corner/events.

**Ratings Encourage Participation! **
Please be sure to rate the Answers to Questions

 

31 Replies 31

Flavio Vettori
Level 1
Level 1

Hi Mohammad,

     I have few "old" question regarding this discussion's topic, already posted around here, and a new one about licensing.

So here is the question: we manage a scenario based on a couple of old ASA5510 with A/S failover configuration; we have 150 AnyConnect Premium Peers licences but now we need to upgrade them to 200 or more. We got informed that the licensing model is changed and now we need to purchase "Apex" license as "AnyConnect Premium Peers" is no more an option. There will be platform-related problems activating and using the new licences? The old asa5510 support Apex license? It seems that our local Cisco commercial channel can't answer this question.

In my profile ( https://supportforums.cisco.com/users/flaviovettori ) you can review other "old" question, still unanswered, for example:

"our webvpn portal is deployed in a DMZ scenario, so the webvpn ASA's interface has a private address behind another firewalling gateway; we noticed that a portion of our users do access the portal from within the corporate's network, let's say from 10.0.0.0/8 ip space instead of the "outside" (the whole internet).

We would create something like a DAP which intercepts the situation (useraname: any authenticated, source ip address: from 10.0.0.0/8) and apply a message or another action to the logged user: is this possible?"

Thank you in advance.
Flavio

Hi Flavio ,

Thanks for posting your question here . Please have a look at the following :

1- There are no restrictions on ASA versions for the Plus/Apex licenses. Any ASA capable of supporting AnyConnect will support the new license model..

 

2- For your question about the filtering based on the source ip address . Currently this can't be done with DAP and we have the following product enhancement request for this :

CSCsl52329    Choose TG/DAP based upon source IP subnet & other endpoint conditions 

 

As a workaround you can try one of the following :

a) configure a control plane access list to drop the traffic based on the source address . for more information please see this for the control plane option :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1558738

b) if you are using Radius you can use the calling station ID attribute .

 

I hope you you will find this helpful.

 

Cheers.

 

laurabolda
Level 1
Level 1

Mohammad,

What is your opinion about setting up SSO (single sign-on) for Cisco AnyConnect?  Have you run into any issues with the VPN using SSO?  We have ASA 5510 and RADIUS server.  Does SSO also work on Cisco VPN client?  Thanks.

 

Hi Laura ,

SSO works with clientless webvpn (ssl portal), it is  is not available for the anyconnect client . The produce Enhancement request for this :

CSCti8145 Implement SSO (Single Signon) with the AnyConnect client
 

Cheers .

 

Hi Laura.

Clientless vpn provides the access to internal web based applications through the ssl tunnel that is built between the user browser and the ASA so it requires no client to be installed on the machine. it also supports SSO for those internal resources. It can be used to provide access to the following as an example :

 

http/https websites .

OWA access 

Citrix environments .

File access such as CIFS 

Here is a good document that explains the detail :

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70475-webvpnasa.html

 

On the other hand anyconnect provides a full IP tunnel. So it provides full connectivity with the inside resources . 

 

Based on that and with respect to your requirements you can decide which one is needed .

 

HTH .

laurabolda
Level 1
Level 1

Mohammad,

We are setting up the cold site for DR (Disaster Recovery).  Would you recommend clientless VPN for DR?

Thanks.

Czesc,

simply question Mohammad - when we have to use AnyConnect client and when VPN Client 5.x for

IPSec VPN with MS LDAP authentication (except situation when we have GPRS/LTE modem on USB) ?

Thanks and regards,

Marcin 

 

Hi Marcin ,

Thanks for the sharing your question here . First i would like to mention that the ipsec client is EOL :

http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

Anyconnect provide full tunnel using TLS, DTLS and IPSEC (with IKEv2 integration) and all the new features are integrated into the cisco anyconnect client so we recommend to migrate from the legacy ipsec client to the cisco anyconnect solution . Anyconnect doesn't have the limitations ipsec client has . 

For example :

1-  End point assessment features (hostscan , prelogin check .... )

2- More control on the client machine (Trusted network detection and always on).

3- IKEv2 support .

4- optimal gateway selection .

This is just an example  :)

one big difference was that the legacy client provided ipsec tunnel functionality which has been added to anyconnect when we started supporting ikev2 .

I encourage you  to go through the following :

http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/qa_c67-712937.html?cachemode=refresh

http://www.cisco.com/c/en/us/solutions/enterprise-networks/anyconnect-secure-mobility-solution/index.html

 

Please feel free to post any concerns related to this .

 

regards.

Mohammad.

 

Ronald RiemVis
Level 1
Level 1

Dear Mr Mohammad Alhyari,

I have installed the Cisco mobility client 3.1.01065 in a win 7 (x64) system and try to connect to a SRP527 router.

When enter the WAN IP address from the SRP I get: could not connect to server.

With my XP computer where version 5 is installed all is working fine and the VPN is activated. How do I get the things running with the Win 7 system?

Hi Ronald,

It might be a connectivity issue from your machine to the router on TCP port 443 .  can you telnet from the machine to the Router on that port ? If you use your Browser, Do you see a response for https://WAN-ADDRESS ?

 

Please show me your configuration if possible .

 

Cheers.

Hi Mohammad,

I can telnet to that port from remote but will see no answer, port 443 is accepted

What would be the sequence from the client side to make the connection possible based on user group and single user?

The client will make his own script after a success full connection?

I can send pictures from the GUI interface, I have no configuration files to show you

Hi Ronald .

Thanks for the reply . Nothing is needed from the client side other than installing the anyconnect secure mobility client . And for anyconnect there is no group password as in the ipsec client .

On the router you need to configure it for anyconnect .The most important point is to make sure the hardware you are using supports anyconnect .Here is the datasheet for ssl vpn:

http://www.cisco.com/c/en/us/products/collateral/security/ios-sslvpn/product_data_sheet0900aecd80405e25.htmlRegards.

As you can see the SPR500 series is not included there . 

Thanks again for your participation. 

Ronald,

Your XP computer with version 5 would be version 5 of the Cisco IPsec (IKEv1) VPN client.

AnyConnect Secure Mobility Client is a client primarily for SSL VPN (although it also works with the newer and less common IPsec IKEv2).

The router would need to have a configuration change to additionally support AnyConnect-based clients.

Thanks Marvin,

The SRP500 series is out  of service but loaded with the latest firmware.

I only have the choice for a group + password and users + password.

Is there no way to make a configuration file which I can use on the client side to connect to that router?

 

 

Review Cisco Networking for a $25 gift card