06-02-2010 01:08 PM
We have 3 VPN concentrators and an ASA 5520. My first question is, can we do SSL VPN with a Cisco ASA now? Do I need any specific Cisco software to accomplish this? And does it come with a product similar to host checker so one can perform NAC functions?
Second, is there an application out there that will convert a Cisco VPN Concentrator 3060 configuration to Cisco ASA 5520 configuration?
I appreciate all the time and effort you all put into this and thank you for all the help in the past.
Dwane
06-02-2010 01:25 PM
Hi,
Yes you can do clientless or client-based SSL VPNs on ASAs.
Clientless SSL:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html
Client-based SSL (AnyConnect):
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html
I don't think we have access to such a tool, but I believe that TAC does (to convert the configuration from Concentrator to ASA).
Federico.
06-02-2010 01:55 PM
Dwane,
ASA has webvpn built in... and most of the stuff you did on vpn3k will also work on ASA (plus MUCH more).
However ASA licenses usage of webvpn.
There is Cisco Secure Desktop and Endpoint Assessment if you're interested in NAC-like features.
I vaguely remember someone mentioning some tool to migrate configuration from vpn3k to ASA; I could not find it, however.
Hope this gets you started:
http://www.cisco.com/en/US/docs/security/asa/asa72/vpn3000_upgrade/upgrade/guide/midiffs.html
06-02-2010 03:19 PM
Hi Dwane,
There are a few but sparse documents describing how to migrate remote access VPN from 3000 concentrators to ASA, but the good news is that the main concepts didn't change a lot. A Google search of "site:cisco.com migrating remote access vpn from concentrator to ASA" will help a lot.
The main document is: http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html
I have to admit I'm not aware of any tool that would convert the config directly; I'm afraid you would need to build the new config yourself.
SSL VPNs are covered on the ASA even with more features than the original concentrator features, but only two simultaneous connections are included in the standard licences; upgrades can be purchased.
You do not need any special software for SSL VPNs; only the number of simultaneous connections is an issue. ASA supports all variants of Cisco SSL VPNs: clientless (portal, but with enhanced features), thin client (port redirect), CSD (Cisco Secure Desktop) and Cisco AnyConnect.
NAC is also supported from the first version (7.0).
Rgds, MiKa