Jul 25th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how to deploy the Cisco IPSec remote access VPN solution in the Cisco IOS and Cisco ASA VPN devices with Cisco expert Jazib Frahim. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

jfrahim Mon, 07/28/2008 - 08:49

Hi there,

I cannot comment on it as it is still in the developmental stages. You can inquire about a tentative schedule from your local Cisco account team.



jfrahim Wed, 07/30/2008 - 05:05

Hi there,

This forum discusses IPSec remote access technology. I am sure this question can be addressed in the correct forum.


woodsbc Fri, 07/25/2008 - 18:43


Is the AnyConnect client that is currently only able to connect via SSL to ASA and IOS going to be 'upgraded' to run IPSec in a future update?



jfrahim Mon, 07/28/2008 - 08:50

Hi Brian,

Cisco has plans to enable the IPSec client functionality in future releases of the AnyConnect client.

Hope that helps


woodsbc Mon, 07/28/2008 - 09:07


Thanks for the reply. Any idea on when that effort might be realized? Will the use of the IPSec through AnyConnect require a concurrent license on the ASA platform similar to what is required today (SSL VPN license) or will the IPSec 'feature' be free like the Cisco VPN client is today?



jfrahim Mon, 07/28/2008 - 09:41

Hi Brian,

I am going to check with a product manager about it. Will let you know once I hear something about it


jfrahim Mon, 07/28/2008 - 10:33


Just checked with the PM and there is no timeframe for when the IPSec functionality is going to be a part of the AnyConnect client. Additionally, there is no decision yet in terms of the future AnyConnect licensing.

Hope that helps


snahosany Sat, 07/26/2008 - 11:39

Dear Jazib:

I have a little problem with remote access VPN using PPTP on a PIX 506E firewall. Actually I have a site-to-site VPN setup on the PIX that connects to an ASA on the other side. When I tried to configure remote access PPTP VPN on the PIX, the clients can actually connect but cannot access the internal network behind the PIX. Cannot ping any machines inside, cannot access any server inside. I am attaching the PIX config, could you please help me out?



jfrahim Mon, 07/28/2008 - 09:05

Hello Nawaz,

I do not see a reason why your PPTP tunnel would not pass traffic. I am just wondering if you have a NAT device or a firewall sitting between the client and the PIX. During the tunnel negotiations, the PPTP devices use TCP port 1723 for communication. Once the tunnel is established, they use GRE (IP Protocol 47) for data transport. It is possible that a NAT/firewall device could be blocking that traffic.

Hope that helps



snahosany Mon, 07/28/2008 - 10:24


Thanks for your reply. No, there is no NAT device between the client and the PIX. I was wondering if I should enable IP protocol 47 through the PIX by using the fixup protocol 47. I am re-attaching the PIX config, which is the latest one; could you have a look at the nonat access-list and its usage? I have a doubt about it, especially using the nonat ACL in the IPsec config. Thanks in advance for your reply.

jfrahim Mon, 07/28/2008 - 10:35

The fixup is used for the connections through the PIX firewall. Since the PPTP connections are terminated on the PIX, you do not need any fixups for this. I would suggest that you enable packet capture to determine if the PPTP packets are even getting to the PIX firewall.
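
The check suggested above, whether PPTP packets reach the PIX at all, comes down to two flows: TCP port 1723 for control and GRE (IP protocol 47) for data. The following Python code is an added example, not part of the original thread; it classifies raw IPv4 packets exported from a capture, and the addresses, helper names and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

PPTP_PORT = 1723         # PPTP control channel (TCP)
IPPROTO_TCP = 6
IPPROTO_GRE = 47         # PPTP data channel
GRE_PROTO_PPP = 0x880B   # protocol type of the enhanced GRE (version 1) PPTP uses

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'pptp-control', 'pptp-gre' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl:]
    if ihl < 20 or len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if packet[9] == IPPROTO_TCP and PPTP_PORT in (first, second):
        return "pptp-control"   # first/second are source/destination port
    if packet[9] == IPPROTO_GRE and first & 0x0007 == 1 and second == GRE_PROTO_PPP:
        return "pptp-gre"       # first is flags+version, second is protocol type
    return "other"

def diagnose(packets):
    """Count both PPTP flows and say which part of the path to look at."""
    counts = Counter(classify(p) for p in packets)
    if counts["pptp-control"] == 0:
        verdict = "no TCP 1723 seen: PPTP is not reaching the capture point"
    elif counts["pptp-gre"] == 0:
        verdict = "TCP 1723 seen but no GRE: look for a device dropping IP protocol 47"
    else:
        verdict = "TCP 1723 and GRE both seen: the path delivers PPTP"
    return counts, verdict

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def ipv4(proto, payload, src="198.51.100.10", dst="203.0.113.1"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

SYN, SYNACK = 0x02, 0x12
SAMPLE_BLOCKED = [
    ipv4(IPPROTO_TCP, tcp(50000, PPTP_PORT, SYN)),
    ipv4(IPPROTO_TCP, tcp(PPTP_PORT, 50000, SYNACK), "203.0.113.1", "198.51.100.10"),
    ipv4(17, struct.pack("!HHHH", 53000, 53, 8, 0)),   # unrelated UDP
]
# Enhanced GRE header: K+S flags, version 1, PPP payload, length 0, call ID 1, seq 0
GRE_DATA = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 0, 1, 0)
SAMPLE_OK = SAMPLE_BLOCKED + [ipv4(IPPROTO_GRE, GRE_DATA)]

if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        counts, verdict = diagnose(sample)
        print(name, dict(counts), "->", verdict)
```
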


vanoverschelde Sun, 07/27/2008 - 09:12

We have several ASA5505 scattered around behind NAT and DHCP.

We can make a successful L2L connection to our central ASA5520 cluster.

We want to use DHCP relay but cannot use it because in order for the dhcp requests to be sent over the ipsec tunnel, the external (dhcp) address needs to be included in the ipsec tunnel config.

This is not a problem (we can use the interface command) but on our central cluster, it is.

We cannot anticipate the external ip + routing problems can arise.

When will it be possible to use the internal ip as source address for the dhcp relay packets?

When will it be possible, if you use the internal dhcp server of the asa, to dynamically register the leases on a bind dns server (on the other side of the tunnel)?

jfrahim Mon, 07/28/2008 - 09:52

Hi there,

Regarding the features that you asked about, I do not see anything in the immediate roadmap. I would suggest that you work with the local Cisco Account team to have these features considered for the future releases of the ASA.

Hope that helps


Lucas Phelps Mon, 07/28/2008 - 09:31

What's the difference between the AnyConnect Client and the Standard VPN Client? And what's an example of when you would use one rather than the other?


jfrahim Mon, 07/28/2008 - 09:37

The Cisco AnyConnect client is used for SSL VPN connections while the standard Cisco VPN client is used for IPSec connections. In the future, the AnyConnect client is supposed to provide both the SSL VPN as well as the IPsec client functionality.

Hope that helps


sushilmenon Mon, 07/28/2008 - 23:04

Hi Jazib, good to see you back in the forums. Can you please tell when DMVPN or GETVPN and GRE support will be there in Cisco ASA?

Will routing protocol support and VPN support be there in multiple context mode like other firewalls do?

Is Cisco doing anything on this? I feel Cisco IOS has more flexibility and scalability with new features as compared to Cisco ASA.

Would love to see Cisco ASA having the features supported on their IOS.



jfrahim Tue, 07/29/2008 - 05:48

Hi Sushil,

Cisco is dedicating a lot of resources in the development of the Cisco ASA family of products. Unfortunately, I cannot discuss what features and enhancements will be included in the future releases. You can direct product roadmap specific questions to your local Cisco account team and I am sure they will address them.

I am sure you would understand.



jfrahim Tue, 07/29/2008 - 05:50

If you want a clientless solution or if you want ease of deployment of the clients, or if you want to use CSD and many other reasons.


jjohnson36 Tue, 08/05/2008 - 07:14


Can you tell me briefly about AnyConnect client? How does AnyConnect client work? Do you still require user name and password the same way as VPN Client for authentication? Thanks.


jjohnson36 Thu, 08/07/2008 - 07:04


Thanks for the information. I understand that I need the licenses for SSL VPN. How do the licenses work? If I have 100 concurrent users, do I need 100 licenses?

Can you setup both SSL VPN and VPN client on the ASA?



jfrahim Tue, 07/29/2008 - 09:49

Hi there,

I am not sure what you mean by "The local peer is but seen as by the remote peer". How is that possible? Are you doing some sort of address translation that is doing that?

Could you explain this in more detail?


rsgamage1 Tue, 07/29/2008 - 12:40

Hi Jazib,

Well this is the objective, indeed by means of some address translation mechanism.

Consider a network migration scenario, where the previously used local IPsec peer( is changed to a new device(, thus this change remains transparent to the remote end. no longer speaks IPsec with the remote peer, though pretends to do so. It is actually which acts on behalf of

Actually, this is achievable by using Iptables as I indicated in my previous post. However the plan is to deploy it using Cisco, provided that is feasible.

Hope it's clearer now. Look forward to a reply.


richard.gosling Tue, 07/29/2008 - 07:38


I have a Cisco ASA 5520. My company requires a remote client VPN connecting to it; that's the easy bit.

This will be using the outside interface only using intra-interface etc etc.

The question is can you then get the Remote vpn client to invoke another tunnel to another router from the ASA.

We already have several site-to-site VPNs hairpinning on the outside interface of the ASA.

Many thanks

jfrahim Tue, 07/29/2008 - 09:45

You can certainly do that. Make sure that you add the ip pool subnet into your encryption list for the Lan-Lan tunnel and you have "same-security-traffic permit intra-interface" command enabled.

Hope that helps


richard.gosling Tue, 07/29/2008 - 10:43

Hi Jazib,

Thanks for that, so you put the DHCP pool into an access-list for interesting traffic and create an IPSec tunnel to the other router.

Many thanks Richard

eric.chen Tue, 07/29/2008 - 10:06

Hi, Jazib,

Can FWSM and the IPSec Module be installed and work together in a Cat6500 without creating a vulnerability? If so, what's the easiest way to manage both modules besides CLI?

Thank you!!


JORGE RODRIGUEZ Tue, 07/29/2008 - 10:24

Hi, Jazib

After you get Eric's question before mine!

I have seen quite a few inquiries in the VPN security forums about Cisco VPN client support for the x64 bit Windows platforms. Is it fair to say that Cisco will not in the near future come up with a Cisco VPN client for the x64 machines, or is it under development?

If not under development, is it also fair to say that the current solution for VPN client on x64bit OS is and will continue to be the SSL VPN and AnyConnect solution, and that perhaps Cisco may in the near future move away from the Cisco VPN client and use SSL AnyConnect as the future client for all platforms?

Can you elaborate on what the future plans are for this so that we can plan accordingly in recommendations?



jfrahim Wed, 07/30/2008 - 05:28

Hi Jorge,

I can't discuss the future roadmaps of Cisco devices or products. Your best bet is to consult the local Cisco Account team and they can update you regarding the roadmap of the VPN client.

My apologies


jfrahim Wed, 07/30/2008 - 05:13

Yes, you can have both modules in the same chassis. You can use CSM (Cisco Security Manager) to manage both of them.


jmarsh@forsmars... Tue, 07/29/2008 - 12:45

I need to set up a LAN-to-LAN IPsec VPN between an 1811 and 871. Can I connect them to each other in some way to test the VPN connection without having to use another piece of networking equipment or the internet?

jfrahim Wed, 07/30/2008 - 05:37

You can do an extended ping to initiate the traffic from the private LAN. You can do an extended ping by typing "ping" and pressing enter.


bgtabudlo Tue, 07/29/2008 - 18:33

Hi Jazib, I don't know if this is the right forum to post my question/problem.

I want to set up IP phones (Avaya) at my remote sites and would be integrating them into my existing IPVPN WAN connection, which carries DATA only. Now, to be sure that there would be no "choppy" or garbled voice transmission, I'm thinking of implementing VPN on my Cisco routers (Cisco 1801 and 1841). This way, I could create a VPN tunnel exclusively for the voice connection. Is this possible? If so, could you give me an example of this kind of setup? BTW, my bandwidth is 256kbps.

Thanks very much and looking forward to your response(s).

jfrahim Wed, 07/30/2008 - 06:32

Hi there,

You can create an IPSec tunnel between your Cisco 1801 and 1841 routers, and then apply appropriate QoS policies to give your voice priority so that you do not get choppy voice. Just make sure that you do not oversubscribe the 256k circuit.


bgtabudlo Wed, 07/30/2008 - 21:07

Hi Jazib.

I think the IOS of my routers doesn't have VPN support. Cisco 2801 IOS is C2801-SPSERVICESK9-MZ.124-3i.bin

What particular IOS should I use to support VPN?

Sorry it should have been a 2801 not 1801.


dianewalker Tue, 07/29/2008 - 19:59

Hi Jazib,

I have two ASA 5550's and 100 remote branch offices and 2000 users. We plan to setup Load Balancing between the two ASA's. We want the remote branch offices to be able to access a payroll system at the Corporate office. Therefore, the data needs to be encrypted. The remote branch offices only need to connect to the Corporate office to do payroll and nothing else. What method of deployment do you recommend? Site-to-Site VPN, AnyConnect Client, VPN client or other methods. Do you recommend mixed clients such as Site-to-Site and VPN client? Any other suggestions are greatly appreciated. Thanks.


ggilbert Wed, 07/30/2008 - 09:21


Just from the perspective of requirements and access criteria along with management/flexibility conditions, I would recommend Anyconnect client for the 2000 users.

For your branch office, if all the users in the branch office are going to access the app, then a small router with EzVPN technology can be implemented. EzVPN technology can be configured in two modes.

a. Client mode

b. Network Extension mode (NEM)

In client mode, the head end device (ASA) assigns an IP address to the remote branch device and uses that IP address to pass traffic to the headend side (PAT).

In NEM, the SA is created between the remote network to the head end network, so the IP address is not assigned to the remote end devices.

or you can use Site to Site tunnels as well. But in this case of 100 sites, you have to create 100 tunnel-groups for all the remote ends, if they are static L2L tunnels.

The better option would be EzVPN where you can just create one tunnel-group or many tunnel-groups and have the remote branches connect to the ASA using the tunnel-group.

Hope this explains.

Jazib - Please feel free to add your comments / recommendation.


dianewalker Wed, 07/30/2008 - 10:16

Thanks for your response, Gilbert

Sorry for not making it clear. Each Remote Branch Office has from 10 - 50 users. But only one or two users at each Remote Branch office need to do payroll. So, only one or two users at each Branch Office need to connect to the Corporate Office simultaneously during payroll period. We have 2000 users for 100 Remote Branch Offices. So, during payroll period or year-end closing, all 2000 users will do payroll at the same time. Since it is payroll, the data need to be encrypted. Do you still recommend AnyConnect client and a small router with EzVPN?

Do you install a small router with EzVPN at each Remote Branch Office or at the Corporate Office? What type of router with EzVPN do you recommend? Thanks.

Jazib, please feel free to add your comments or recommendation.



ggilbert Wed, 07/30/2008 - 10:43


Cisco Anyconnect Client is SSL encrypted.

So, in total if there are only 2000 users who have to access your payroll server from those 100 remote branch offices, I would just use the Cisco AnyConnect client.

Cisco AnyConnect client and EzVPN are two different technologies.

Cisco AnyConnect client is a client downloaded to the end user's machine.

EzVPN is a hardware device (either PIX,ASA or IOS), which will be used to connect to the head end device.

Hope this makes things clear.



dianewalker Thu, 07/31/2008 - 12:06


Thank you very much for your explanation.

1. Does Cisco AnyConnect client require any type of authentication to login? For example, with VPN client, the user requires the user name and password. If user name and password are required, for 2000 users, I need to create 2000 user names and passwords in Active Directory

2. If user name and password are required for Cisco AnyConnect client, are there any other methods that do not require user name and password besides EzVPN?

3. Instead of using Cisco AnyConnect client, I use Cisco VPN client. Do you foresee any problems?

I am trying to find the easy solution for my type of environment. Whatever suggestions that you can give are greatly appreciated.



Valeriu Filipescu Wed, 07/30/2008 - 04:58


I deployed a Remote Access VPN solution with authentication on certificates released by Microsoft server. All works fine for 1 year until the RA certificate expires. After that I need to reinstall CEPSetup and renew certificates.

Is there a possibility to renew RA validity without reinstalling? Which are the best practices in working with mscep and Microsoft CA?

jfrahim Wed, 07/30/2008 - 21:09

Hi there,

I do not think the ASA auto-enrolls, but let me look into this. I will get back to you.


venom43212 Wed, 07/30/2008 - 07:36

Hi Jazib, hoping you may have some insight. I am trying to create an L2L connection from a 3K5 Concentrator to a vendor with a Checkpoint NGR55. At implementation, we were able to access all NATed applications on their side, they weren't able to access ours. The message we saw on both sides was:

Received non-routine Notify message: Invalid ID info (18)

Which indicates mismatched attributes between the peers. These have been verified on both sides. We have our local network list specified as all of the individual hosts that are translated in the static NAT rules. For them, we have static translations and two global PATs...the network list for them specifies their entire /24 network that was used in the global PAT. My understanding is that the more specific network will be applied and if not found, the PAT will be used and I can see this happening in the event log.

The setup again in brief: L2L VPN tunnel from 3K5 to NGR55. We have static NAT translations for our inside to vendor's outside...for example; Source: (our inside) translated to (our outside) with a remote (vendor's outside). In our local network list we have Because we do have a global PAT for our inside to vendor's network, in the remote network list, we have only The order of operations should take the more specific hosts under this subnet. We can access everything on vendor's side fine, they can't access anything on our side. The addresses listed above aren't the actual ones in use, but should demonstrate the setup. The L2L connection is currently working both ways on an ASA, but we want to move it over to the concentrator. Thanks in advance.

jjohnson36 Wed, 07/30/2008 - 11:50


We have a VPN 3005 Concentrator. The users wanted to be able to access their internal network (Exchange server, file sharing, printers, etc.) while connecting through VPN. I followed the attached document. The users were able to access the Corporate Office network. However, they were not able to access their internal network while connecting through VPN. Am I missing something? Do you have any suggestions?



