Solved: If you want to download

NPT_2 · ‎12-23-2015

We have a couple ASA550's version 9 that I would like to setup a VPN client to use with for remote admin access. We have the included 2 VPN AnyConnect Premium Peers license so I'm assuming we can just use the Cisco AnyConnect VPN client. I went to Cisco's website and it says that I don't have entitlement to the latest 4.x Anyconnect VPN Client but I do have access to version 3.x.

Is the 3.x client compatible with the ASA's and also Windows 10?

If so, what is the correct file to use, there are many files listed for download in AnyConnect 3.x?

Also, what is the difference between the 3.x and 4.x AnyConnect client and why is Cisco restricting 4.x?

Jim

Marvin Rhoads · ‎12-23-2015

AnyConnect 4.x changed the licensing model. AnyConnect 4.x licenses are term based vs the perpetual 3.x licenses. There are a number of other differences mainly due to there being only two license types - Plus and Apex - no more Mobile, Advanced Endpoint Assessment, shared VPN etc. Cisco has been offering a nominal or no cost migration license through the end of 2015. (depending on what you have: Essentials to Plus or Apex to Premium)

AnyConnect 3.1 will work with Windows 10 and the latest ASA software (since Version 3.1.10010). Reference:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#pgfId-320051

There are two ways it is distributed - as a standalone installation package or for distribution from the ASA headend. Both come in Windows, Mac OS X and Linux distributions. For a Windows client you would use either:

anyconnect-win-3.1.12020-pre-deploy-k9.iso

anyconnect-win-3.1.12020-k9.pkg

...for the current version in those respective form factors.

View solution in original post

Philip D'Ath · ‎12-23-2015

Have you got your ASA SmartNet contract loaded against your CCO username?

Marvin Rhoads · ‎12-23-2015

AnyConnect 4.x changed the licensing model. AnyConnect 4.x licenses are term based vs the perpetual 3.x licenses. There are a number of other differences mainly due to there being only two license types - Plus and Apex - no more Mobile, Advanced Endpoint Assessment, shared VPN etc. Cisco has been offering a nominal or no cost migration license through the end of 2015. (depending on what you have: Essentials to Plus or Apex to Premium)

AnyConnect 3.1 will work with Windows 10 and the latest ASA software (since Version 3.1.10010). Reference:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#pgfId-320051

There are two ways it is distributed - as a standalone installation package or for distribution from the ASA headend. Both come in Windows, Mac OS X and Linux distributions. For a Windows client you would use either:

anyconnect-win-3.1.12020-pre-deploy-k9.iso

anyconnect-win-3.1.12020-k9.pkg

...for the current version in those respective form factors.

NPT_2 · ‎12-28-2015

Thanks, that sounds like Cisco changing up their licensing model, and not necessarily for the better. Since we only have the included bundled AnyConnect licenses (either 2 or 4, not sure if the failover unit adds to my simultaneous connection license count) and 3.1 works with Windows 10 I will likely just use that for now.

I noticed that the ASA License shows an unlimited IPsec VPN license included. Is there a free IP Sec VPN client available that anyone has successfully used with the ASA's and Windows 10 64Bit? I know the latest Cisco one doesn't work (at least without a bunch of unsupported tweaks) and it has been a while since Cisco released the last IPsec VPN Client.

Marvin Rhoads · ‎12-28-2015

Yes they have definitely changed the licensing model. Each customer's environment varies but Cisco does have a licensing "story" that actually does show the new model is better for the majority of customers. (Of course it just coincidentally is much better for Cisco too :). ).

If you have an HA pair and no additional licenses activated you do get 2 + 2 = 4 "Premium" (old style of Premium and not the new Apex which also includes the Mobile and Advanced Endpoint Assessment bits that used to be separate) licenses for free.

The unlimited IPsec VPN license is really intended more for site-site VPN as the old Cisco IPsec VPN client is indeed end of sales and no longer developed for some time. Reference:

http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html

You're right one can tweak/hack a system to make it work on Windows 10 but that's not very sustainable.

SSL VPN with either clientless (AnyConnect Apex license required) or using the AnyConnect Secure Mobility Client (VPN module) is the strategic solution forward. (You can setup IPsec IKEv2 as an alternative to that but it still requires the AnyConnect license on the ASA.)

NPT_2 · ‎12-28-2015

I haven't tried the SSL VPN route yet, but have thought about it. Since we don't have Apex licenses can I just configure the SSL VPN on the ASA's and connect to the ASA's and let it load the appropriate VPN client software, or do I still need to load the Anyconnect 3.1 client manually on a laptop?

Marvin Rhoads · ‎12-28-2015

If you want to download software from the ASA you need to put the image file (*.pkg) on the ASA. The one they ship with my default is typically pretty old (AnyConnect 2.5 last I checked).

If you have that version or later already manually installed, that's fine. If your local version is older, the ASA will automatically download and update it on your client PC.

What VPN Client for ASA 5550 Connection AnyConnect Premium?