997 Views | 0 Helpful | 8 Replies

AnyConnect using ASA for product evaluation

Deepak Ambotkar
Level 1

Hello Security folks,

I am evaluating the Cisco AnyConnect VPN solution using ASA. I have a few questions that need to be answered ASAP.

1st-

Can we combine business partners and employee client connections on a single ASA in a secure manner?

2nd-

How does the AnyConnect function for selecting the nearest gateway (optimized gateway selection) for a user work? I have the link below, which has a very good explanation, but I am looking for the best response.

(https://supportforums.cisco.com/docs/DOC-15326)

3rd-

Can you please highlight the important features which are not supported in other vendors' SSL solutions?

Thanks & Regards,

Deepak A.


8 Replies

Can we combine business partners and employee client connections on a single ASA in a secure manner?

Yes, that can be done with specific VPN-configs for partners and different configs for employees. That's a common scenario.

but I am looking for the best response

???

Can you please highlight the important features which are not supported in other vendors SSL solutions?

It's going to marketing now? Hmmmm, the most important is that other vendors don't have a little bridge on their devices ... But perhaps you find a better answer in the partner-area where these competitive datasheets are available.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Thank you very much for the reply.

Could you please explain what you mean by -> "specific VPN-configs"? Do you mean configuring contexts or just different VPN profiles, like we use different crypto ipsec profiles for different customers on a single device?

Thanks,

Deepak A.

Not the contexts, they can't be used when you need VPN.

You can configure different Tunnel-groups that you assign to your different user-groups. So the authentication will be based on the right AAA-server (if you have different servers for users and partners). Based on that you assign the right group-policies where the rights and restrictions are configured. So it's like the different ipsec-profiles. For AnyConnect the same tools (tunnel-groups and group-policies) are used as for the old VPN-Client.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
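To make the tunnel-group / group-policy split concrete, here is a constructed ASA configuration (added to this page, not posted by Karsten or taken from a Cisco document). The server names, addresses, pool ranges, URLs and ACL entries are all assumptions chosen for illustration. The security-relevant pieces are: each tunnel-group authenticates against its own AAA server, each group-policy carries its own address pool and (for partners) a vpn-filter that limits what the tunnel can reach, group-lock ties a policy to its tunnel-group when the AAA server returns the policy, and the default group-policy is closed so a connection that lands on the default tunnel-group gets no access.

```text
! Constructed example, not from the thread; all names, addresses and ACL entries are assumptions.

! Separate AAA servers: employees against the directory, partners against a RADIUS server
aaa-server EMPLOYEE-LDAP protocol ldap
aaa-server EMPLOYEE-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-vpn,ou=service,dc=example,dc=com
 ldap-login-password *****
 server-type microsoft

aaa-server PARTNER-RADIUS protocol radius
aaa-server PARTNER-RADIUS (inside) host 10.0.0.20
 key *****

! Separate address pools so partner traffic is recognisable by source address
ip local pool EMPLOYEE-POOL 10.10.0.1-10.10.0.254 mask 255.255.255.0
ip local pool PARTNER-POOL 10.20.0.1-10.20.0.254 mask 255.255.255.0

! Partners may only reach the two application hosts they are connecting for
access-list PARTNER-VPN-FILTER extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.1.50 eq 443
access-list PARTNER-VPN-FILTER extended permit tcp 10.20.0.0 255.255.255.0 host 10.1.1.51 eq 22
access-list PARTNER-VPN-FILTER extended deny ip any any

group-policy EMPLOYEE-GP internal
group-policy EMPLOYEE-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value EMPLOYEE-POOL
 split-tunnel-policy tunnelall
 group-lock value EMPLOYEE-TG

group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value PARTNER-POOL
 vpn-filter value PARTNER-VPN-FILTER
 vpn-idle-timeout 30
 group-lock value PARTNER-TG

tunnel-group EMPLOYEE-TG type remote-access
tunnel-group EMPLOYEE-TG general-attributes
 authentication-server-group EMPLOYEE-LDAP
 default-group-policy EMPLOYEE-GP
tunnel-group EMPLOYEE-TG webvpn-attributes
 group-url https://vpn.example.com/employees enable

tunnel-group PARTNER-TG type remote-access
tunnel-group PARTNER-TG general-attributes
 authentication-server-group PARTNER-RADIUS
 default-group-policy PARTNER-GP
tunnel-group PARTNER-TG webvpn-attributes
 group-url https://vpn.example.com/partners enable

! Close the default policy so a session that lands on DefaultWEBVPNGroup cannot log in
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
```

A partner account only exists on PARTNER-RADIUS, so it cannot authenticate through EMPLOYEE-TG even if the user selects that group-url; the vpn-filter then bounds what an authenticated partner session can reach, and the distinct pool makes partner sessions easy to pick out in syslog and on downstream firewalls. Verify the split after a test login with `show vpn-sessiondb anyconnect` (the Group Policy and Tunnel Group columns should match the intended pair) and by confirming that a partner session is denied anything outside the filter.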

Karsten,

Thanks a lot. That's all I needed to know.

Regards,

Deepak

Hi Karsten,

I have one more small question. When I use my ASA for terminating multiple customers' AnyConnect VPNs on a single device, there might be overlapping IP addresses, so how will the ASA determine or separate the traffic for different customers, since we will not be using contexts here? Also, can we use contexts and terminate the AnyConnect VPNs related to specific customers in them?

This might sound stupid; however, I have never worked on a scenario like this before, so please clarify.

Thanks,

Deepak A.

You can't have overlapping addresses on the ASA without running into a NAT-nightmare. Overlapping networks for different customers are possible with the security-contexts, but with these no VPN is supported. You probably need more than one ASA in that scenario.

Karsten,

That helps me. I think I can try to use a Cisco IOS router, where I can implement AnyConnect and at the same time have VRF features too. But there are some limitations with Cisco IOS, as below; I will decide on the best product satisfying my needs.

Q. Is AnyConnect supported on Cisco IOS® devices?

A. Yes.

As of Cisco IOS Software Release 12.4(15)T in browser-initiated mode only, as per the Release 12.4T New Security Features Notes.

As of Cisco IOS Software Release 12.4(20)T, standalone mode is also supported.

For more information, refer to the SSL VPN Remote User Guide.

Notes:

- Support for DTLS is introduced from Cisco IOS version 15.1(2)T. Refer to the svc dtls command for more information.
- Client keepalives are not supported on Cisco IOS devices until the 12.4(20)T release.
- Updates to the hardware crypto that can cause disconnects have been resolved with 12.4(T2) for 87x platforms.
- Start Before Logon is currently not supported by Cisco IOS.

Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?

A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS.

But keep in mind that there is no AnyConnect Essentials license for the router. If you need many simultaneous connections, multiple ASAs could be cheaper than the licensing on the router.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
