
Active/Standard ASA - Two-Factor VPN Capabilities?

Level 1

Hi Folks,

I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters.  I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!

Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall

Requirement:  Deploy Remote Access VPN with Two-Factor Authentication

Userbase: 5 - 10 users

VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)

Solution Consideration: Needs to be as low cost as possible!

The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have) - does this seem feasible?

I also have three queries:

First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"?  I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.

Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?

Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this.  This will unfortunately require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option?  We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).

Also, apologies for the cross-post; I'd originally posted this in the "Remote Access" forums but there doesn't appear to be much activity there and I didn't receive a response.

Many thanks in advance,
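For reference, here is an added ASA 8.4-style configuration sketch of the design the question describes (certificate plus local-database password on an AnyConnect tunnel-group, with the VPN users confined to the single inside host on 3389/tcp and 22/tcp). It is not the poster's configuration and not taken from the thread; the trustpoint name, pool, host address 10.10.1.50, username and image filename are constructed placeholders, and the CA is assumed to be external to the ASA (as the question contemplates), so the per-user certificates are issued elsewhere and only the issuing CA certificate is imported into the trustpoint.

```cisco
! Constructed example - not the original poster's config. All names and addresses are placeholders.
!
! Trustpoint for the CA that issues the per-user certificates ("what you have").
! The issuing CA certificate is imported here (enrollment terminal) and CRL checking is on,
! so a revoked user certificate stops working even though the ASA still holds it as trusted.
crypto ca trustpoint ENTERPRISE-CA
 enrollment terminal
 revocation-check crl
 crl configure
!
! Enable AnyConnect (SSL client) on the outside interface.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
ip local pool RA-POOL 10.10.250.1-10.10.250.20 mask 255.255.255.0
!
! Least privilege for the tunnel: the VPN user may reach only the one inside host on RDP and SFTP.
! 'any' is used for the source so the ACL matches regardless of which address the pool hands out.
access-list RA-FILTER extended permit tcp any host 10.10.1.50 eq 3389
access-list RA-FILTER extended permit tcp any host 10.10.1.50 eq 22
access-list RA-FILTER extended deny ip any any
!
! Split tunnel only the protected host; everything else stays on the client's local path.
access-list RA-SPLIT standard permit host 10.10.1.50
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value RA-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
!
! Local database entry ("what you know"). privilege 0 and service-type remote-access keep the
! account from being usable for device administration.
username alice password REPLACE-WITH-REAL-PASSWORD privilege 0
username alice attributes
 vpn-group-policy RA-POLICY
 service-type remote-access
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-POLICY
tunnel-group RA-VPN webvpn-attributes
 ! Require BOTH a valid certificate from ENTERPRISE-CA and a LOCAL username/password.
 authentication aaa certificate
 ! Take the username from the certificate CN and pre-fill it, so a user cannot present
 ! one person's certificate with another person's password.
 username-from-certificate CN
 pre-fill-username ssl-client
 group-alias RA enable
```

The two lines that make this two-factor rather than one-factor are `authentication aaa certificate` (both checks must pass) and `username-from-certificate CN` with `pre-fill-username ssl-client` (the certificate and the password must belong to the same account). The `vpn-filter` is what keeps the exposure to the two ports the question lists; without it a connected client has whatever access the interface ACLs allow. Exact keyword placement for the pre-fill commands varies a little between ASA releases, so check it against the 8.4(2) command reference before applying.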


2 Replies

Marcin Latosiewicz
Cisco Employee