RA VPN using AnyConnect in 2nd site

mattsmithspad@hotmail.com · ‎05-15-2013

Hi

I am looking into a DR plan where should a primary site go down users with the Cisco anyconnect client will be able to VPN to a second site.

The ASA I am configuring is a 5512x for the 2nd site.

The main site has a pair of 5510's in a HA pair.

Is it possible to setup a secondary Remote Access VPN connection for users to connect to? If I was to configure Anyconnect RA VPN on the ASA on the 2nd I would need to purchase an SSL cert in order to configure this?

Any advice would be greatly appreciated!

Many thanks

jj27 · ‎05-15-2013

Yes, that's a common practice. Most companies with a DR site have vpn.company.com and vpn2.company.com or something similar. vpn going to the primary site and vpn2 going to the DR site. You do not need a signed SSL certificate for AnyConnect to work, but it is a lot less of a pain if you use one.

mattsmithspad@hotmail.com · ‎05-15-2013

Hi

Thanks for that, that was my thinking, I have been playing with the anyconnect setup and couldnt see how you can get around using an SSL certificate (in the ASDM) - Any pointers?

cheers

jj27 · ‎05-15-2013

By default it should use the self-signed certificate created by the ASA. I'm not a big fan of the ASDM so I'll have to poke around in mine and see if I can find what you're talking about.

jj27 · ‎05-15-2013

Just go to Device Certificates and Identity certificates. Create a self-signed certificate.

mattsmithspad@hotmail.com · ‎05-15-2013

Cool, I will have a play tomorrow and let you know.

Thanks!

Richard Burts · ‎05-15-2013

Matt

AnyConnect does work with an ASA using a self signed certificate. But when you do the user gets a warning when AnyConnect initiates the connection, basically saying they are connecting to an untrusted site and asking the user for permission to proceed. If your users are used to AnyConnect just connecting and then suddenly they get this warning it may cause some consternation.

Depending on how important a smooth user experience is to you and to your management, it may be worth the price to purchase a public certificate for the DR ASA.

You probably want to look into the configuration of the profile used with AnyConnect on the ASA. One of the options there is to configure a backup server. If the primary server is not available AnyConnect will just connect to the DR site and the user does not have to do anything (and they probably would not notice anything unless they are especially observant of details during connection).

HTH

Rick

HTH

Rick

mattsmithspad@hotmail.com · ‎05-16-2013

Thanks Rick

Not sure if this will work as they do use RSA keys, I am going to re IP the RSA server as its virtual which I hope to test in the coming days. I know what you mean with SSL vs no SSL so I will leave to management to decide!

Matt

Richard Burts · ‎05-16-2013

Matt

I have implemented this for a customer who does use RSA one time password token codes to authenticate and it works fine. The primary ASA (failover pair) is configured to authenticate using RSA (via Radius) and the backup ASA (failover pair) is also configured to authenticate using RSA (via Radius) and the Radius server is configured to recognize both ASA as authentiction clients. We have an authentication server at the primary site and a backup authentication server at the DR site. ASAs are configured with both servers so each ASA can authenticate with either of the servers (and in fact I think that they use both and do some load sharing). Works very smoothly.

HTH

Rick

HTH

Rick

mattsmithspad@hotmail.com · ‎05-22-2013

Hi

thanks for the advice above, RSA replication did not work the way we wanted it to (using 3rd party tools) however I have setup a Radius server which works with the ASA. Will test the Anyconnect RA VPN when I am back on site.

cheers,

Matt