05-16-2012 07:02 AM - edited 02-21-2020 06:04 PM
Hi Guys
I have a Cisco ASA5520 with Software Version 8.2(5) in place. Most of my users are Mac users and I am currently looking into Cisco AnyConnect in comparison to using the VPN client.
I have a couple of questions
1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
2) From the license information I have below in my ASA I understand that I can have a maximum of 750 VPN peers; however, am I right in saying that this does not apply to Cisco AnyConnect peers, and that with Cisco AnyConnect I can only have 2 peers? Also, what are the disabled AnyConnect options for?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
3) When trying to set up Cisco Anyconnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images however when I did this by uploading the .dmg file for mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?
Your help is much appreciated
Regards
Mohamed
05-16-2012 11:41 AM
Hi Mohammad,
I will answer your questions one by one:
1. Cisco AnyConnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the AnyConnect client, then it will consume the SSL license and not the IPsec license; however, if you use IPSECv2 for connections like site-to-site VPN, then it will consume the normal IPSec VPN license.
2. a. SSL VPN Peers: This license gives you the information about the number of users who can connect using the SSL protocol, i.e. using the AnyConnect client as well as the web-portal-based client, also known as clientless VPN. Here I see there are only 2 licenses, so at any point of time only 2 users can connect successfully because 750 is the total number of licenses available for VPN connections on the ASA; only 698 will be available for the IPSec connections.
b. AnyConnect for Mobile: This license is required whenever a user is connecting from a handheld device like an iPhone, iPad, tablet, etc.
c. AnyConnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol, and to enable this feature you should have this license enabled on the ASA.
d. AnyConnect Essentials: For AnyConnect there are two licenses: a> AnyConnect Premium and b> AnyConnect Essentials. AnyConnect Essentials is cheaper as compared to the AnyConnect Premium license. This license is for those who do not use webvpn or clientless VPN. When this license is enabled, the user can only connect from the AnyConnect VPN client.
3. I am not sure what image you are using on the ASA. Please try the image named as anyconnect-macosx-i386-2.5.2010-k9.pkg.
To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.
svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg
Let me know if this helps.
Thanks,
Vishnu Sharma
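The license rules described in the answer above, as an added example that is not part of the original thread: it parses the "Licensed features" lines from the question and applies the rules as the answer states them. The admit() function and the session kind names are hypothetical, and this is a simplified model, not the ASA's own admission logic.

```python
import re

# Constructed sample: license lines as quoted in the question above.
SHOW_VERSION = """\
Licensed features for this platform:
Failover : Active/Active
SSL VPN Peers : 2
Total VPN Peers : 750
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
"""

def parse_licenses(text):
    """Map each 'Feature : value' line to an int, a bool, or the raw string."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S.*?)\s*$", line)
        if not m:
            continue  # header line or anything without a value
        name, val = m.groups()
        if val.isdigit():
            out[name] = int(val)
        elif val in ("Enabled", "Disabled"):
            out[name] = (val == "Enabled")
        else:
            out[name] = val
    return out

def admit(lic, kind, active_ssl=0, active_total=0):
    """Hypothetical check: may one more session of this kind connect?

    kind: 'anyconnect', 'anyconnect-mobile', 'vpn-phone', 'clientless'
    or 'site-to-site'. Returns (allowed, reason).
    """
    if active_total >= lic.get("Total VPN Peers", 0):
        return False, "Total VPN Peers exhausted"
    if kind == "site-to-site":
        return True, "uses the normal IPsec license"
    if kind == "anyconnect-mobile" and not lic.get("AnyConnect for Mobile"):
        return False, "AnyConnect for Mobile is disabled"
    if kind == "vpn-phone" and not lic.get("AnyConnect for Cisco VPN Phone"):
        return False, "AnyConnect for Cisco VPN Phone is disabled"
    if kind == "clientless" and lic.get("AnyConnect Essentials"):
        return False, "Essentials allows the AnyConnect client only"
    if active_ssl >= lic.get("SSL VPN Peers", 0):
        return False, "SSL VPN Peers exhausted"
    return True, "uses an SSL VPN Peers license"
```
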
05-16-2012 12:02 PM
Thank you very much for your excellent reply. Just to further clarify, so does this mean that under my current licensing I can only have 2 users connected using Cisco AnyConnect?
05-16-2012 12:07 PM
Hi Mohammed,
Yes, you are right. If your requirement is to connect more clients at the same time, then I would suggest you purchase more licenses for AnyConnect, and if your requirement is to connect only the AnyConnect VPN client and not the clientless one, then go for the AnyConnect Essentials license, which is cheaper as compared to the Premium license and will fulfill all your requirements too.
Thanks,
Vishnu Sharma
06-04-2012 10:50 AM
Sirs,
Can I say that 2 is the number of "client VPN" I have license for (actual default here), and 750 is the number of IPSec tunnels I have license for (also default) to connect site-to-site peers? In other words, one is for clients (users), the other is for sites (devices). Is this assumption correct?
SSL VPN Peers : 2
Total VPN Peers : 750
Thank you,
04-28-2014 11:04 PM
Hi Vishnu,
Very precise and easy to understand explanation. Keep the good work going. I will be converting this discussion to a document; the link to the same is mentioned below:
https://supportforums.cisco.com/document/12189306/does-cisco-anyconnect-enables-feature-ipsec
Regards,
Anim Saxena
Community Manager - Security
04-29-2014 12:58 AM
Thanks Anim!!
Vishnu