Cisco AnyConnect does it do IPsec?

Mohamed Hamid
Level 1

Hi Guys

I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users, and I am currently looking into Cisco AnyConnect in comparison to using the VPN client.

I have a couple of questions

1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?

2) From the license information I have below in my ASA, I understand that I can have max 750 VPN peers. However, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?

    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

3) When trying to set up Cisco AnyConnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images. However, when I did this by uploading the .dmg file for Mac machines, I got the error message "not a valid SVC image". Is this because I am running 8.2?

Your help is much appreciated

Regards

Mohamed

6 Replies

Vishnu Sharma
Level 1

Hi Mohammad,

I will answer your questions one by one:

1. Cisco AnyConnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the AnyConnect client, then it will consume the SSL license and not the IPsec license; however, if you use IPSECv2 for connections like site-to-site VPN, then it will consume the normal IPsec VPN license.

2. a.  SSL VPN Peers: This license gives you the information about the number of users who can connect using the SSL protocol, i.e. using the AnyConnect client as well as the web-portal-based client, also known as clientless VPN. Here I see there are only 2 licenses, so at any point of time only 2 users can connect successfully because 750 is the total number of licenses available for VPN connections on the ASA, only 698 will be available for the IPsec connections.

   b.  AnyConnect for Mobile: This license is required whenever a user is connecting from a handheld device like an iPhone, iPad, tablet, etc.

   c.  AnyConnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol, and to enable this feature you should have this license enabled on the ASA.

   d.  AnyConnect Essentials: For AnyConnect there are two licenses: a> AnyConnect Premium and b> AnyConnect Essentials. AnyConnect Essentials is cheaper as compared to the AnyConnect Premium license. This license is for those who do not use webvpn or clientless VPN. When this license is enabled, the user can only connect from the AnyConnect VPN client.

3. I am not sure what image you are using on the ASA. Please try the image named as anyconnect-macosx-i386-2.5.2010-k9.pkg.

    To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.

   svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg

Let me know if this helps.

Thanks,

Vishnu Sharma
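
Added example (not part of the original thread): a small parser for the "Licensed features" block quoted in the question, which reports how many concurrent AnyConnect sessions the licence allows. It follows the answer's statement that AnyConnect sessions consume SSL VPN Peers, bounded by Total VPN Peers; the function names and the trimmed sample are constructed for illustration.

```python
import math
import re

# Constructed sample: a subset of the licence lines quoted in the question.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Failover                       : Active/Active
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
"""

# "name : value" with a non-empty value; the header line has none and is skipped.
LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")

def parse_license_features(text):
    """Map feature name to int, math.inf (Unlimited), bool, or raw string."""
    features = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        name, value = m["name"], m["value"]
        if value.isdigit():
            features[name] = int(value)
        elif value == "Unlimited":
            features[name] = math.inf
        elif value in ("Enabled", "Disabled"):
            features[name] = value == "Enabled"
        else:
            features[name] = value  # e.g. "Active/Active"
    return features

def anyconnect_summary(features):
    """Concurrent AnyConnect capacity and the AnyConnect add-ons that are off."""
    ssl_peers = features.get("SSL VPN Peers", 0)
    total_peers = features.get("Total VPN Peers", 0)
    return {
        # AnyConnect sessions draw on SSL VPN Peers; Total VPN Peers caps all VPN sessions.
        "max_anyconnect_sessions": min(ssl_peers, total_peers),
        "essentials_enabled": features.get("AnyConnect Essentials") is True,
        "disabled_anyconnect_features": sorted(
            n for n, v in features.items()
            if n.startswith("AnyConnect") and v is False),
    }
```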

Thank you very much for your excellent reply. Just to further clarify, does this mean that under my current licensing I can only have 2 users connected using Cisco AnyConnect?

Hi Mohammed,

Yes, you are right. If your requirement is to connect more clients at the same time, then I would suggest you purchase more licenses for AnyConnect, and if your requirement is to connect only the AnyConnect VPN client and not the clientless one, then go for the AnyConnect Essentials license, which is cheaper as compared to the Premium license and will fulfill all your requirements too.

Thanks,

Vishnu Sharma

Sirs,

Can I say that 2 is the number of "client VPN" I have license for (actual default here), and 750 is the number of IPsec tunnels I have license for (also default) to connect site-to-site peers? In other words, one is for clients (users), the other is for sites (devices). Is this assumption correct?

    SSL VPN Peers                  : 2
    Total VPN Peers                : 750

Thank you,

Hi Vishnu,

Very precise and easy to understand explanation. Keep the good work going. I will be converting this discussion to a document; the link to the same is mentioned below:

https://supportforums.cisco.com/document/12189306/does-cisco-anyconnect-enables-feature-ipsec

Regards,

Anim Saxena

Community Manager - Security

Thanks Anim!!

Vishnu