cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1468
Views
10
Helpful
5
Replies

Client VPN on 2921

aleksa
Level 1
Level 1

Hi all,

must say I'm confused, I come from time of successfully connecting clients to IOS routers using Cisco VPN client, it worked great.

Now I'm a bit lost.

Need to configure client VPN for dozen of remote users to a 2921

RTR#sh inventory
NAME: "CISCO2921/K9", DESCR: "CISCO2921/K9 chassis, Hw Serial#: XXXXXXX, Hw Revision: 1.0"
PID: CISCO2921/K9 , VID: V08 , SN: XXXXXXXX

NAME: "C2921/C2951 AC Power Supply", DESCR: "C2921/C2951 AC Power Supply"
PID: PWR-2921-51-AC , VID: V03 , SN: XXXXXXXXXX


What are my options?

1. AnyConnect - I understand this is VPN client software, installed on a PC. Licensing limitations?

2. SSL VPN - a browser based clientless VPN?

I understand there may be license limitations? Do they apply to SSL VPN only or to AnyConnect as well?

Thanks!

1 Accepted Solution

Accepted Solutions

The Anyconnect client itself needs to be purchased for the number of users in your environment. You have an option of Anyconect Plus or Apex license, comparison of which is given here:

http://www.petenetlive.com/KB/Article/0001013

This license is not applied to the IOS router.

The headend IOS router does not require another license for Anyconnect clients to connect to it if you have:

1) version 15.3(3)M or later

2) securityk9 license

Hope this helps.

View solution in original post

5 Replies 5

Rahul Govindan
VIP Alumni
VIP Alumni

For IOS routers, Anyconnect is the way to go. You can do both SSL and IPsec (Ikev2) using the Anyconnect client. To answer your questions:

1) Licensing comes along with security k9 license in the newer releases. The different license behaviors for different IOS versions are documented here:

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200533-AnyConnect-Configure-Basic-SSLVPN-for-I.html#anc4

Anyconnect has to be installed on the client and the above link should be a good start.

2) Clientless is really limited on the IOS routers, would not recommend using this on IOS routers.

Hi Rahul,

thanks for the link, it's definitely a good document to read before and during deployment.

Since I'm not too comfortable with this, can you clarify, 

is it true that any way you look at it, customer will have to buy licenses to be able to use AnyConnect VPN client?

The way I understood, the configuration of the client VPN is facilitated by evaluation to be followed by purchasing the license, so you can put system into production and then follow up with purchase at a later date?

Thanks!

The Anyconnect client itself needs to be purchased for the number of users in your environment. You have an option of Anyconect Plus or Apex license, comparison of which is given here:

http://www.petenetlive.com/KB/Article/0001013

This license is not applied to the IOS router.

The headend IOS router does not require another license for Anyconnect clients to connect to it if you have:

1) version 15.3(3)M or later

2) securityk9 license

Hope this helps.

There is one more option to consider: The router also supports the legacy EzVPN without additional licensing costs. You can't use AnyConnect for this, EzVPN runs with many OS build-in clients and external clients like the one from Shrew. But less costs is the only  benefit, everything else is better with AnyConnect.

aleksa
Level 1
Level 1

Thanks,

could you recommend a configuration example for IPSEC IKE configuration on IOS router for Anyconnect client?

All I find is about using SSL WebVPN...

Cheers,

Alex

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: