06-02-2009 05:12 AM - edited 02-21-2020 04:15 PM
Hi there,
We have a requirement to disable aggressive mode on a Cisco ASA5520. We have several Cisco IPSEC Remote VPN clients using pre-shared keys, and I'm aware that disabling aggressive mode will require digital certificates on the IPSEC VPN clients. Instead of using digital certificates on all the clients, would using the Cisco Any Connect VPN client instead of the Cisco IPSEC client allow me to disable aggressive mode on the ASA?
Are there any advantages or disadvantages in using the Cisco Any Connect Client?
Kind Regards
Tim
06-02-2009 11:37 AM
Tim
Aggressive mode is an alternative in the ISAKMP negotiation process. ISAKMP is part of IPSec. The AnyConnect client uses SSL instead of IPSec. So there is no ISAKMP associated with AnyConnect. So if you transition the clients to AnyConnect you can disable Aggressive mode and not impact any users.
HTH
Rick
06-02-2009 10:02 PM
Perhaps the biggest disadvantage is that you have to pay for each SSL VPN client (Anyconnect), whereas the IPSEC clients are free with the box. If that is not an issue, then Anyconnect would be a good option. It would even support Vista 64-bit, whereas the IPSEC client does not. SSL is also easier to traverse through firewalls.
And as Rick mentioned, SSL VPNs use HTTPS whereas IPSEC VPNs use IPSEC (ESP/UDP 500 etc.). So there is no relation between the aggressive mode setting and SSL VPNs.
Regards
Farrukh
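To put Rick's and Farrukh's point into configuration terms: aggressive mode is an ISAKMP (IKE phase 1) option, so it only matters for the IPsec remote-access clients; an AnyConnect session is SSL/TLS and never touches ISAKMP. The fragment below is an added example, not configuration from this thread, showing the ASA 8.0/8.2-era commands for (1) bringing up AnyConnect for remote-access users and (2) turning aggressive mode off once the IPsec clients have been migrated. The interface name, pool, group names and the AnyConnect package filename are placeholders; disabling aggressive mode while pre-shared-key IPsec clients are still in use will break their connections, so the am-disable step belongs after the migration, as the thread describes.

```text
! --- (1) AnyConnect (SSL VPN) remote access, ASA 8.0/8.2 syntax ---
! Address pool handed to AnyConnect users (placeholder range)
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

webvpn
 enable outside
 ! Package filename is a placeholder for the AnyConnect image uploaded to flash
 svc image disk0:/anyconnect-win-PLACEHOLDER-k9.pkg 1
 svc enable

group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 ! Restrict this policy to the SSL client protocol; no IPsec, so no ISAKMP
 vpn-tunnel-protocol svc

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 ! Alias shown in the client's group drop-down
 group-alias anyconnect enable

! --- (2) Only after the pre-shared-key IPsec clients are gone ---
! Reject aggressive-mode IKE phase 1 requests on this ASA
crypto isakmp am-disable

! --- Verification ---
! show run crypto isakmp          -> confirms "am-disable" is present
! show vpn-sessiondb svc          -> lists active AnyConnect (SSL) sessions
! show vpn-sessiondb remote       -> should show no remaining IPsec client sessions
```

On ASA 8.4 and later the same controls are spelled differently (crypto ikev1 am-disable, anyconnect image / anyconnect enable, and vpn-tunnel-protocol ssl-client), but the logic is unchanged: once only the SSL client protocol is permitted in the group policy, the aggressive-mode setting has nothing left to affect.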
06-03-2009 01:53 AM
Thanks Rick & Farrukh for your comments, they are very helpful.
I'm currently running an ASA5520 with the VPN Plus license. Would this allow the use of 50 SSL VPN clients (Anyconnect)? Or does this just allow 50 clientless SSL VPN peers?
-------------------------
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 750
WebVPN Peers : 50
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5520 VPN Plus license.
-------------------------------
Any help is very much appreciated.
Regards
Tim
06-03-2009 02:01 AM
Both would be allowed.
Regards
Farrukh