12-23-2015 03:18 PM - edited 02-21-2020 08:36 PM
We have a couple ASA550's version 9 that I would like to set up a VPN client to use with for remote admin access. We have the included 2 VPN AnyConnect Premium Peers license so I'm assuming we can just use the Cisco AnyConnect VPN client. I went to Cisco's website and it says that I don't have entitlement to the latest 4.x AnyConnect VPN Client but I do have access to version 3.x.
Is the 3.x client compatible with the ASA's and also Windows 10?
If so, what is the correct file to use? There are many files listed for download in AnyConnect 3.x.
Also, what is the difference between the 3.x and 4.x AnyConnect client and why is Cisco restricting 4.x?
Jim
12-23-2015 06:41 PM
AnyConnect 4.x changed the licensing model. AnyConnect 4.x licenses are term based vs the perpetual 3.x licenses. There are a number of other differences, mainly due to there being only two license types - Plus and Apex - no more Mobile, Advanced Endpoint Assessment, shared VPN etc. Cisco has been offering a nominal or no cost migration license through the end of 2015 (depending on what you have: Essentials to Plus or Apex to Premium).
AnyConnect 3.1 will work with Windows 10 and the latest ASA software (since Version 3.1.10010). Reference:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#pgfId-320051
There are two ways it is distributed - as a standalone installation package or for distribution from the ASA headend. Both come in Windows, Mac OS X and Linux distributions. For a Windows client you would use either:
anyconnect-win-3.1.12020-pre-deploy-k9.iso
anyconnect-win-3.1.12020-k9.pkg
...for the current version in those respective form factors.
12-23-2015 04:17 PM
Have you got your ASA SmartNet contract loaded against your CCO username?
12-28-2015 10:14 AM
Thanks, that sounds like Cisco changing up their licensing model, and not necessarily for the better. Since we only have the included bundled AnyConnect licenses (either 2 or 4, not sure if the failover unit adds to my simultaneous connection license count) and 3.1 works with Windows 10 I will likely just use that for now.
I noticed that the ASA License shows an unlimited IPsec VPN license included. Is there a free IPsec VPN client available that anyone has successfully used with the ASA's and Windows 10 64-bit? I know the latest Cisco one doesn't work (at least without a bunch of unsupported tweaks) and it has been a while since Cisco released the last IPsec VPN Client.
12-28-2015 10:24 AM
Yes, they have definitely changed the licensing model. Each customer's environment varies but Cisco does have a licensing "story" that actually does show the new model is better for the majority of customers. (Of course it just coincidentally is much better for Cisco too :) ).
If you have an HA pair and no additional licenses activated you do get 2 + 2 = 4 "Premium" (old style of Premium and not the new Apex which also includes the Mobile and Advanced Endpoint Assessment bits that used to be separate) licenses for free.
The unlimited IPsec VPN license is really intended more for site-to-site VPN, as the old Cisco IPsec VPN client is indeed end of sales and has not been developed for some time. Reference:
http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html
You're right, one can tweak/hack a system to make it work on Windows 10 but that's not very sustainable.
SSL VPN with either clientless (AnyConnect Apex license required) or using the AnyConnect Secure Mobility Client (VPN module) is the strategic solution forward. (You can set up IPsec IKEv2 as an alternative to that but it still requires the AnyConnect license on the ASA.)
12-28-2015 10:42 AM
I haven't tried the SSL VPN route yet, but have thought about it. Since we don't have Apex licenses, can I just configure the SSL VPN on the ASA's and connect to the ASA's and let it load the appropriate VPN client software, or do I still need to load the AnyConnect 3.1 client manually on a laptop?
12-28-2015 10:47 AM
If you want to download software from the ASA you need to put the image file (*.pkg) on the ASA. The one they ship with by default is typically pretty old (AnyConnect 2.5 last I checked).
If you have that version or later already manually installed, that's fine. If your local version is older, the ASA will automatically download and update it on your client PC.