02-27-2012 11:00 AM - edited 02-21-2020 05:54 PM
Can a Cisco ASA 5520 that has been configured as an IPSEC VPN gateway and servicing IPSEC VPN clients also be configured as an ANYCONNECT VPN gateway and service AnyConnect VPN clients simultaneously? Any negative impacts on performance or any other issues that anyone is aware of?
02-27-2012 11:14 AM
Raj,
This is perfectly acceptable and there are no adverse performance or effects. Lots of companies (including my own) do this.
--Jason
02-27-2012 11:38 AM
I currently have the ASA 5510 configured this way, 8.0(4). One thing that I can't find an answer for is if both clients can use LDAP. I have the anyconnect client using LDAP, but limited by the 2 connection limit. I am hoping to use the 5.0.07 client with LDAP and not have that limitation. Does anybody know if that works?
02-27-2012 12:03 PM
Thanks for the reply, we are trying to connect IPADs to our corporate network and wanted to use Anyconnect for that. We currently use LDAP on the IPSEC vpn side for our windows machines for username/password. I plan on using LDAP with anyconnect for the IPADs as well so yeah, if anyone knows of any limitation with this or if this will not work, that information would be greatly appreciated.
02-27-2012 01:49 PM
I assume by 2 connection limit you are referring to the 2 licenses for anyconnect? You should investigate using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will allow you to go to the platform limit with anyconnect.
You shouldn't have any issue using the IPSEC client with LDAP. This is quite common - my company does both IPSEC and Anyconnect off the same interface using ldap authentication (even the same group-policy) for both.
--Jason
02-27-2012 02:10 PM
Thanks Jason. Appreciate the help.
Raj
02-28-2012 06:34 AM
As a follow up, I was just missing one command to make LDAP work with the IPSEC 5.x client. I had to enable user authentication on the tunnel group; no isakmp ikev1-user-authentication none. Once that was done, a box pops up after the initial connection for your AD user name and password. I am checking into the AnyConnect Essential Licensing too to get beyond the 2 connection limit. I was quoted a one-time fee of about $2k for a 25 user license.
Thanks,
Kyle
02-29-2012 09:49 AM
It was recommended we use the Premium licenses instead of the Essentials but I am researching the differences. So far it looks like the premium is needed if you ever want to use the clientless features of the ASA.
Brent