SSL Clientless VPN Customization

johnlloyd_13
Level 9

hi all,

i'm trying to learn SSL clientless VPN customization on ASA 5520 but i can't seem to add any.

is there a command or pre-requisite prior to customization? could it be java or asdm issue?

ciscoasa# sh ve
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 7.0(1)

1 Accepted Solution

"AnyConnect Premium Peers          : 2              perpetual" is the key bit there. Those are the two AnyConnect Premium peers included with all ASAs.

The "Other" and "Total" VPN peers account for the fact that you could also have up to 10 IPsec (remote access or site-site) VPNs plus the two remote access client VPNs active at any given time.

In general a remote access VPN can be:

a. Clientless SSL (only a browser required by the peer but, confusingly, requires AnyConnect Premium license on the ASA),

b. Full-tunnel SSL (launch via browser or directly from AnyConnect client, requires either AnyConnect Premium or Essentials on the ASA), or

c. IPsec-based (using the legacy Cisco IPsec client with IKEv1 (no AnyConnect license required) or AnyConnect 3.0 or later client (with either Essentials or Premium license on the ASA) with IKEv2).

And there will be a test on all that.

6 Replies

Marvin Rhoads
Hall of Fame

You haven't by chance restricted the use of the required AnyConnect Premium license with an Essentials license (and the "anyconnect essentials" command), have you? The rest of the "sh(ow) ve(rsion)" output should indicate if the device has the necessary Premium license available.

Hi Marvin,

Thanks for your reply! Actually, this is for my GNS3 lab. I would assume all licenses/features are enabled (perpetual).

I haven't got the chance to try this out on my ASA 5505 and 5510 lab FW. But both are running Base licenses.

I was searching and I suspect I haven't set up any bookmark yet. Maybe will try again when I get the chance.


I don't use GNS3 as I have lab firewalls plus plenty of opportunity to implement as part of my day job.

While all features may be enabled, it is - at the end of the day - just an emulation. Not sure if it is related but some of the clientless and other VPN bits do depend on saving xml and other files onto the ASA disk.

hi marvin,

i checked my 5505 and it got this.

does the licensed feature with "VPN" mean or include SSL VPN?

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

thanks for this info!

will lab this up
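
Added example (not part of the original thread, and not Cisco code): a small Python check that reads the "Licensed features" block of "show version" output and applies the licensing rules from the accepted solution. The sample text is constructed from lines quoted in the thread; the function names, the result keys, treating any Essentials value other than "Disabled" as licensed, and tying the IKEv1 option to a non-zero "Other VPN Peers" count are assumptions of this example.

```python
import re

# Constructed sample: a subset of the license lines quoted in the thread.
SAMPLE = """\
Licensed features for this platform:
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
This platform has a Base license.
"""

# "<feature name> : <value> <term>", e.g. "VLANs : 3 DMZ Restricted"
LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+\S")

def parse_features(text):
    """Return {feature: value} for lines inside the licensed-features block."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True
        elif line.startswith("This platform has"):
            in_block = False
        elif in_block and (m := LINE.match(line)):
            features[m.group("name")] = m.group("value")
    return features

def as_count(value):
    """Peer counts are integers; 'Disabled' or a missing feature counts as 0."""
    return int(value) if value and value.isdigit() else 0

def remote_access_options(features):
    """Map parsed license values to the VPN types listed in the accepted answer."""
    premium = as_count(features.get("AnyConnect Premium Peers")) > 0
    # Assumption: anything other than "Disabled" means Essentials is licensed.
    essentials = features.get("AnyConnect Essentials", "Disabled") != "Disabled"
    return {
        "clientless_ssl": premium,                       # (a) Premium only
        "full_tunnel_ssl": premium or essentials,        # (b) Premium or Essentials
        # (c) legacy IKEv1 client needs no AnyConnect license (assumption:
        # it still needs a non-zero "Other VPN Peers" count)
        "ipsec_ikev1_legacy_client": as_count(features.get("Other VPN Peers")) > 0,
        "ipsec_ikev2_anyconnect": premium or essentials, # (c) AnyConnect 3.0+
        # Marvin's first reply: with Essentials licensed, also check the config
        # for the "anyconnect essentials" command restricting Premium use.
        "check_essentials_command": essentials,
    }

if __name__ == "__main__":
    for option, allowed in remote_access_options(parse_features(SAMPLE)).items():
        print(f"{option:28} {allowed}")
```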