Cisco VPN client and AnyConnect

 
Accepted Solutions

Marvin Rhoads
Hall of Fame

Yes, you can configure both IPsec IKEv1 remote access VPN (uses old Cisco VPN client) and SSL VPN (uses AnyConnect client or, if licensed, can be clientless) simultaneously on a given ASA.

You'd want to use AnyConnect 4.x (4.3 is the current release) for best compatibility and functionality.

You don't need ASDM to set it up except for clientless although many people prefer to use ASDM as the GUI is quite useful for the remote access VPN features.


mdussana
Level 1

Hi,

The ASA5505 and any other ASA is capable of handling two (and more) VPN clients at the same time. Cisco VPN Client and AnyConnect shouldn't conflict at all. Your ASA5505 should come with a 2 SSL users license, so you can try this out first without purchasing any additional license.

The configuration should be something like:

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg
 anyconnect enable

tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 default-group-policy RemoteAccessPolicy
 address-pool POOL

group-policy RemoteAccessPolicy internal
group-policy RemoteAccessPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless

As you see, AnyConnect and Cisco VPN Client share the same tunnel group and group policy, so they also share the same pool, NAT exemption statements, and VPN filters.

Refer to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70847-local-lan-pix-asa.html#anc9


5 Replies

Thank you, everyone.

I understand that the Cisco ASA can handle remote access VPN and SSL VPN.

Maybe it depends on the ASA version.

The latest version of firmware (e.g. 9.X) would not let us use VPN-client.

Officially, Cisco doesn't support VPN-client except on 7.1(x) - 7.2(x), as shown at the link below.

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html

I am going to upgrade the ASA from 8.4(7)28 to 9.1.X.

Currently our users use VPN-Client.

But this time I will let users use AnyConnect, and at the same time I hope the existing users will keep using VPN-Client as well.

If you have any comments or information, I would be happy to hear them.

Thank you

ASA             | ASDM            | Cisco AnyConnect
7.1(x) - 7.2(x) | 5.1(x) - 5.2(x) | Cisco SSL VPN client 1.X
9.1             | 7.1             | AnyConnect 4.0 for mobile devices

You are confusing the Cisco SSL VPN client 1.x (a pre-AnyConnect SSL VPN client) with the Cisco VPN client.

The Cisco VPN client works with IPsec IKEv1 - not SSL - encryption. It is not officially supported on any platform since it is past end of life (end of support was July 2014).

However, it will still work even with ASA and PIX hardware from release 7.x up through the latest ASA software (ASA 9.6(2) as of this posting).

Thank you for correcting me.

Yes, I misunderstood. I checked the configuration of the ASA again.

It is written as vpn-tunnel-protocol ikev1.

It means that we are using IPsec VPN.

So we are not using SSL this time.

As you mentioned, we will just add SSL this time as a vpn-tunnel-protocol.

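
An added example (not code from the thread or from Cisco): a small Python audit that reads `show running-config` output and reports which tunnel-groups still accept IKEv1, the protocol used by the end-of-life Cisco VPN client discussed above. The sample configuration is constructed (the LegacyOnly and OldClients names are hypothetical), and the parser assumes sub-mode commands are indented the way the ASA prints them.

```python
import re

# Constructed sample modelled on the configuration posted in this thread;
# the LegacyOnly and OldClients names are hypothetical.
SAMPLE_CONFIG = """\
webvpn
 enable outside
group-policy RemoteAccessPolicy internal
group-policy RemoteAccessPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
group-policy LegacyOnly internal
group-policy LegacyOnly attributes
 vpn-tunnel-protocol ikev1
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 default-group-policy RemoteAccessPolicy
 address-pool POOL
tunnel-group OldClients type remote-access
tunnel-group OldClients general-attributes
 default-group-policy LegacyOnly
"""

SUBMODE = re.compile(r"(group-policy|tunnel-group) (\S+) (?:general-)?attributes$")

def audit_vpn_protocols(config_text):
    """Map each tunnel-group to the protocols its default group-policy lists.
    Values inherited from DfltGrpPolicy are not resolved (reported as [])."""
    protocols, default_policy = {}, {}
    section = None  # (kind, name) of the sub-mode we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = SUBMODE.match(line)
        if m:
            section = m.groups()
        elif not raw[0].isspace():
            section = None  # any other top-level command leaves the sub-mode
        elif section and section[0] == "group-policy" and line.startswith("vpn-tunnel-protocol "):
            protocols[section[1]] = line.split()[1:]
        elif section and section[0] == "tunnel-group" and line.startswith("default-group-policy "):
            default_policy[section[1]] = line.split()[1]
    return {tg: protocols.get(gp, []) for tg, gp in default_policy.items()}

def ikev1_tunnel_groups(config_text):
    """Tunnel-groups that still accept the end-of-life IPsec IKEv1 client."""
    return sorted(tg for tg, p in audit_vpn_protocols(config_text).items() if "ikev1" in p)

if __name__ == "__main__":
    print("IKEv1 still accepted by:", ikev1_tunnel_groups(SAMPLE_CONFIG))
```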