03-14-2014 04:01 AM - edited 03-07-2019 06:42 PM
why is anyconnect better than cisco vpn client?
what are its advantages?
i think that both are remote access vpn.
why is it better?
03-14-2014 06:11 AM
hi,
you're in luck, i just read the anyconnect chapter (VPN 642-648).
as per my notes, the anyconnect is becoming the preferred method of establishing full-tunnel VPN connection over the older IPsec VPN client software.
it's a better VPN solution because it's highly flexible and scalable. we can deploy it to our corporate users wherever they are (hence, the term 'anyconnect'), install and connect to HQ automatically, detect if the remote user/machine is in the office or not and install automatic policy updates.
it's super secure too. the anyconnect client operates by building a Secure Sockets Layer/Transport Layer Security (SSL/TLS), Datagram Transport Layer Security (DTLS), or IKEv2 connection and tunneling remote user application traffic through the established session.
03-14-2014 06:52 AM
hi,
thanks a lot John,
please let me ask you another question,
now i have a license on the asa that allows me to extend the number of ssl clients to 25 clients.
the question is,
if i want to make an ssl vpn server on the asa 5505
do i need to buy an ssl certificate?
can i do it without this purchased certificate?
why do i need this certificate?
i mean in ssl vpn, i did it without this certificate, why in anyconnect server is it mandatory?
again, can i bypass the ssl certificate request in the asa for the anyconnect server?
regards
03-14-2014 07:47 AM
hi,
by default, the ASA outside interface has no SSL certificate to present to its outside users. you can use the self-generated SSL certificate but it gets renewed each time ASA reboots. this will cause and display an error on user's web browser (which we don't want by the way).
it's our job to present outside users with a safe and protected web experience and to do that you'll need a paid SSL certificate.
i'll also share this info/URL in my notes, wherein you can find more info and get a free SSL certificate (trial version) for your ASA:
http://www.entrust.net/cisco/
also, i haven't got in too deep with anyconnect yet and just started with basics of SSL VPN. please feel free to check out my blog from time to time:
http://ccnpsecuritywannabe.blogspot.com/2014/03/deploying-clientless-ssl-vpn-webvpn.html
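As an added example (not part of any post in this thread), this is a sketch of how the two certificate options discussed here are commonly configured on an ASA: a self-signed identity certificate stored in a trustpoint, and a certificate issued by a public CA. The key label, the trustpoint names and vpn.example.com are placeholders, and the interface name `outside` is assumed.

```cisco
! Constructed example. SSLVPN-KEY, SELF-TP, CA-TP and vpn.example.com
! are placeholders; run from global configuration mode.
!
! One RSA key pair used by either option
crypto key generate rsa label SSLVPN-KEY modulus 2048
!
! Option A: self-signed certificate held in a trustpoint.
! It is saved with the configuration, but clients still see a trust
! warning because no public CA vouches for it.
crypto ca trustpoint SELF-TP
 enrollment self
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
crypto ca enroll SELF-TP noconfirm
ssl trust-point SELF-TP outside
!
! Option B: certificate issued by a public CA (manual enrollment).
crypto ca trustpoint CA-TP
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
 keypair SSLVPN-KEY
! Paste the CA (root/intermediate) certificate when prompted
crypto ca authenticate CA-TP
! Generates the CSR to submit to the CA
crypto ca enroll CA-TP
! Paste the identity certificate returned by the CA
crypto ca import CA-TP certificate
! Present the CA-issued certificate on the outside interface
ssl trust-point CA-TP outside
!
write memory
```

With Option B the CN must match the name users type into the browser or AnyConnect client, otherwise the trust warning remains even with a CA-issued certificate.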
03-16-2014 08:08 AM
Regarding "buying a certificate":
There are CA-vendors that give you valid/trusted certificates for free or for a quite small fee. Personally I got mine from startssl.com where certs for one year are free. There are more vendors with free certs like this, but with them I don't have any experience.
03-15-2014 03:53 PM
The other thing is that Cisco does not support traditional VPN on Windows 8.x. I have run into lots of issues trying to install Cisco VPN client on Windows 8.x clients.. it sometimes works and sometimes it needs registry hacks etc.. really painful setup for the network engineer. So AnyConnect is preferred.
Also, since SSL uses port 443/SSL by default, it does not need any ALG (Application Layer Gateway) functionality in remote end user's routers to operate, and will simply work with normal PAT which is always on.. with traditional IPSec VPN, since it uses ESP, you need to have ALG turned on on the user's GW router (this is normally called IPSec VPN pass through mode) and this sometimes doesn't work the way you want, especially on the older residential routers. When this happens you really don't have any other option for those users.. and your only response would be "Sorry your router does not support this kind of VPN or your router does something strange with the VPN so Please upgrade your router" which is something the normal residential user doesn't want to hear.. and something you want to tell them..
So SSL VPN is the way to go..
please rate helpful posts :)