Do I need to generate a new pcf file for my vpn clients if I replace my ASA with a newer one?

blue phoenix
Level 1

Hi all,

Just would like to know if I need to generate a new pcf file for my VPN remote users or telecommuters if I will replace my old ASA with a new one?

Cheers,

10 Replies

pcf files are no longer used in the new ASA VPNs.  Now AnyConnect profiles are used which are .xml files.

--

Please remember to select a correct answer and rate helpful posts


Thanks for replying.  Now, do I need to update the .xml files if I change my firewall?  No change in IP addresses just hardware.

Cheers,

The problem is that the ASA pushes the .xml files to AnyConnect client PCs upon VPN establishment. So you would need to import the .xml file to the new ASA.  Updating the files will be done automatically when clients connect to the VPN.

--

Please remember to select a correct answer and rate helpful posts


What do you mean by "importing the .xml file to the new ASA"?

Will my activity of replacing the ASA be transparent to the remote users?  Do you mean that there will only be like a message on their laptops/PCs that a new .xml file will be downloaded and they just need to accept it and their remote access will work again?

Well, no.

New ASAs use AnyConnect, as the IPsec VPN client is no longer supported.  So if you have a .xml file, which is used with AnyConnect, already created on your old ASA (which I doubt you have) you would need to export it and import it to the new ASA.

You will need to configure your ASA for AnyConnect and make sure you have the right license for the number of users that will use AnyConnect.  Then your users can either connect to the public IP of your ASA VPN head end (https://x.x.x.x) and download the AnyConnect client from there, or you will need to push the AnyConnect client out to your PCs using a centralized software distribution (something like Software Center in Microsoft).

--

Please remember to select a correct answer and rate helpful posts


Ok, so if my clients were using Cisco Remote VPN client software then I don't need to do any migrating?

So, all I need is to make sure AnyConnect is configured on the new ASA and that the clients have the AnyConnect VPN client software installed on their computers.  So, when they try to connect to the same IP using a different VPN client, the .xml file will then get downloaded from the ASA to their computers automatically?

Say for example that the clients never did use AnyConnect in the past, and that I have migrated the same configurations for remote access to the new ASA.  Does that mean my users can still use the old VPN client software and will not experience any problems connecting to the new ASA?

Ok, so if my clients were using Cisco Remote VPN client software then I don't need to do any migrating?

No, you will need to configure the ASA for AnyConnect and make sure you have the licenses you require for AnyConnect.

So, when they try to connect to the same IP using a different VPN client, the .xml file will then get downloaded from the ASA to their computers automatically?

If you want the AnyConnect clients to use a profile then you would need to configure the profile and associate it with the VPN connection profile. Now keep in mind it is not a requirement to use a profile, but in some situations it might be necessary because you need to increase authentication timeout, disable disconnect button, or whatever.

Does that mean my users can still use the old VPN client software and will not experience any problems connecting to the new ASA?

I have honestly never tried migrating IPsec Remote Access VPN to a "new" ASA, so I cannot comment on whether this would work or not. Now I am talking about migrating it from an 8.2 ASA to a new version such as 9.6 or newer.  Anything that is end of support with Cisco gets upgraded to versions that are supported.

--

Please remember to select a correct answer and rate helpful posts

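An added illustration of the "configure the profile and associate it with the VPN connection profile" step above; this fragment is not from the thread or from the linked article. It reuses the names from the original poster's config (tunnel-group RemoteVPN, group-policy Remote_VPN) and assumes the outside interface is called OUTSIDE; the AnyConnect package and profile filenames are placeholders for whatever was uploaded to flash. Keeping ikev1 in vpn-tunnel-protocol is what lets the legacy IPsec client keep working alongside AnyConnect during a staged migration.

```cisco
! ASA 9.x, AnyConnect added next to existing IKEv1 remote access
! Placeholders: anyconnect-win-PLACEHOLDER.pkg, remotevpn-profile.xml, OUTSIDE
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 ! Client profile (.xml) stored on flash and given a name the ASA can reference
 anyconnect profiles RemoteVPN_profile disk0:/remotevpn-profile.xml
 anyconnect enable
 ! Lets users pick the connection profile (group-alias) in the client
 tunnel-group-list enable
!
group-policy Remote_VPN attributes
 ! Both protocols permitted: old IPsec client (ikev1) and AnyConnect (ssl-client)
 vpn-tunnel-protocol ikev1 ssl-client
 webvpn
  ! Associates the profile; it is pushed to clients at connect time
  anyconnect profiles value RemoteVPN_profile type user
!
! Existing tunnel-group from the OP's config gains a WebVPN alias
tunnel-group RemoteVPN webvpn-attributes
 group-alias RemoteVPN enable
```

The address-pool, authentication-server-group and default-group-policy lines already present under tunnel-group RemoteVPN general-attributes are reused unchanged. Concurrent AnyConnect sessions are still capped by the "AnyConnect Premium Peers" count in the license output, so that line needs attention independently of this configuration.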

Ok, just logged in to the new firewall and found out this...

AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual

So this means I need to ask our PM to purchase an AnyConnect license for x number of remote users is that right?

Is there a link where I can read upon on how to convert the configs from using Cisco Remote VPN Client to AnyConnect VPN client and what configs do I need to change in the ASA?

On the old ASA, I can see that ikev1 is the only configuration and no ikev2 is present.  Will that present a problem since this ASA is a hub for other sites?

To add, these are the configs I can see related to remote access:

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes
address-pool VPNPOOL
authentication-server-group ADS-AUTH
default-group-policy Remote_VPN

aaa-server ADS-AUTH protocol radius
aaa-server ADS-AUTH (INSIDE) host 192.168.200.25
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication secure-http-client

Yes, you will need to purchase a license for AnyConnect for X number of users.

It's not that difficult to configure AnyConnect.

Here is a link on how to configure AnyConnect:

https://www.petenetlive.com/KB/Article/0000943

--

Please remember to select a correct answer and rate helpful posts


Hi,

The migration worked with the remote access, AND without changing the configs to add AnyConnect.  So my conclusion is that if you use ikev1, you will be able to use the old/deprecated Cisco VPN client software on your Windows machine to connect to the VPN network.

Also, AnyConnect will not work since the clients are not using AnyConnect in the first place...

Cheers,