
Cisco Anyconnect VPN

ali007
Beginner

Hi,

We would like to move from the Cisco web-based VPN due to MS moving away from IE. So we would like to build an AnyConnect (client) SSL VPN on the same ASA with 2FA.

I was wondering: a) is it possible to have these two on the same firewall? b) do you know of a guide or step-by-step example of this that I can use?

Thanks in advance.

Kind regards,


Rob Ingram
VIP Expert

@ali007 yes, you can just set up an AnyConnect client-based SSL-VPN on the same firewall; there is no specific requirement for running Client and Clientless at the same time.

More information on setting up AnyConnect SSL-VPN:

https://integratingit.wordpress.com/2018/03/11/ccnp-simos-asa-anyconnect-ssl-vpn/

https://community.cisco.com/t5/security-documents/asa-best-practices-for-remote-access-vpn-performance/ta-p/4070579

https://duo.com/docs/cisco

Thanks Rob.

Is there a way we can utilise the same VPN but get it to work on Chrome/Edge?

Regards,

@ali007 possibly not, as Cisco are no longer developing it and are providing limited support on previous versions. It has been deprecated from ASA version 9.17. You should migrate to AnyConnect VPN or use another solution such as Duo Network Gateway.

I have just been looking and Cisco says it does support Chrome and Firefox:

ASA Release 9.12
Browser Compatibility
For connections to the ASA using clientless SSL VPN, Cisco supports the following operating systems and browsers:

Note: See the Smart Tunnel Notes section below for exceptions and limitations of support.

| OS / Browser | Chrome | Firefox | Internet Explorer | Safari | Citrix Receiver |
|--------------|--------|---------|-------------------|--------|-----------------|
| macOS 10.14  | yes    | yes     | -                 | 12.0   | 12.7            |
| OS X 10.13   | yes    | yes     | -                 | 12.0   | 12.5            |
| OS X 10.12   | yes    | yes     | -                 | 12.0   | 12.5            |
| Windows 10   | yes    | yes     | 11                | -      | Win 4.9(14.9)   |
| Windows 8.1  | yes    | yes     | 11                | -      | Win 4.9(14.9)   |
| Windows 8    | yes    | yes     | 11                | -      | Win 4.9(14.9)   |
| Windows 7    | yes    | yes     | 11                | -      | Win 4.9(14.9)   |

However, when we try Chrome we get the attached error.

Marvin Rhoads
VIP Community Legend

The error message is from trying to install the AnyConnect client software via Chrome (not supported), meaning that the profile is using client-based and not clientless. A clientless profile won't try to install the client.

@Marvin Rhoads @Rob Ingram 

Any idea how I can get it to work with Chrome, Edge or Firefox, since we have established it's client-based? The Cisco documentation does suggest that it supports Firefox.

Thank you

ali007
Beginner

Thanks @Marvin Rhoads. The reason I am confused about this is because of the following:

"show vpn-sessiondb anyconnect " shows the following:

Protocol : IKEv2 IPsecOverNatT Clientless
License : AnyConnect Premium
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 Clientless: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA1 IPsecOverNatT: (1)SHA1 Clientless: (1)SHA384
Bytes Tx : 1280101 Bytes Rx : 218580
Group Policy : abc1234 Tunnel Group : DefaultWEBVPNGroup

however, the group policy used shows the following:

show running-config group-policy DfltGrpPolicy
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client

Also, "show vpn-sessiondb webvpn" shows no client connected.

Also, what can I do to get this working on Chrome/Firefox?

Look forward to hearing from you.

Regards
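As an added example (not code from the thread or from Cisco), here is a small Python parser for the `show vpn-sessiondb anyconnect` output quoted above. It tells sessions whose protocol list contains Clientless apart from AnyConnect-client sessions (AnyConnect-Parent / SSL-Tunnel / DTLS-Tunnel) and flags sessions that landed on DefaultWEBVPNGroup rather than a named tunnel group. The sample output is constructed, modelled on the lines in the post; the usernames, index values and the second session are invented.

```python
import re

# Constructed sample modelled on the "show vpn-sessiondb anyconnect" lines quoted
# in the thread; usernames, index values and the second session are invented.
SAMPLE_OUTPUT = """\
Username     : alice                  Index        : 12
Protocol     : IKEv2 IPsecOverNatT Clientless
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  Clientless: (1)AES-GCM-256
Hashing      : IKEv2: (1)SHA1  IPsecOverNatT: (1)SHA1  Clientless: (1)SHA384
Group Policy : abc1234                Tunnel Group : DefaultWEBVPNGroup

Username     : bob                    Index        : 13
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Group Policy : abc1234                Tunnel Group : AC-TG
"""

# Field labels the ASA prints. A line may carry two "Label : value" pairs and
# values contain colons ("IKEv2: (1)AES256"), so split only on known labels.
FIELDS = ("Username", "Index", "Protocol", "License", "Encryption", "Hashing",
          "Bytes Tx", "Bytes Rx", "Group Policy", "Tunnel Group")
FIELD_RE = re.compile(r"\s*(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*:\s*")
CLIENT_TOKENS = {"AnyConnect-Parent", "SSL-Tunnel", "DTLS-Tunnel"}


def parse_sessions(text):
    """Return one dict per session; a new session starts at each 'Username' line."""
    sessions = []
    for line in text.splitlines():
        parts = FIELD_RE.split(line)
        if len(parts) < 3:
            continue  # blank or banner line with no recognised field
        if parts[1] == "Username":
            sessions.append({})
        if sessions:
            for label, value in zip(parts[1::2], parts[2::2]):
                sessions[-1][label] = value.strip()
    return sessions


def audit(text=SAMPLE_OUTPUT):
    """Per session: clientless vs AnyConnect client, and default-tunnel-group hits."""
    rows = []
    for s in parse_sessions(text):
        protos = set(s.get("Protocol", "").split())
        rows.append({"user": s.get("Username"), "group_policy": s.get("Group Policy"),
                     "clientless": "Clientless" in protos,
                     "anyconnect_client": bool(protos & CLIENT_TOKENS),
                     "default_tunnel_group": s.get("Tunnel Group") == "DefaultWEBVPNGroup"})
    return rows
```

Feed it the real command output (pasted from the ASA) instead of SAMPLE_OUTPUT to list which sessions are still browser-based and which fell through to the default tunnel group.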
