Anyconnect questions

Answered Question
Jan 22nd, 2010

Hi all. At our company we use Cisco VPN client that connect to ASA firewall with software version 8.0(3)6 on it but are now considering using Anyconnect client as more and more people are starting to use 64bit operating systems. As I have never used or configured Anyconnect clients I have a few questions:

1. First off is licensing. How can I find out how many concurrent SSL connections are supported and if I need a better license?

2. Is connection with telnet,ssh etc. to resources supported on Anyconnect client?

3. Can we use our existing SecureACS server to authenticate users or is it better to create users on the ASA?

4. If creating users on the ASA can we make user always use the same profile? I ask this because not all of our users have the same rights and not everyone can use all of the resources when they connect so we would like to create multiple profiles and make certain users connect always using the same profile.


Thank you in advance for all your help.

Correct Answer
Richard Burts Fri, 01/22/2010 - 05:37

Igor

I have used AnyConnect with ASA for some customers and have had good experience with it. Here are answers to your questions:

1) Licensing. In the output of show version is information about the licensing of that ASA. In the version of code that you are running the default is to have licenses for 2 SSL sessions. This is enough for you to experiment with AnyConnect and learn how it works, but not enough to use with production users. So it is likely that you will need to upgrade the licensing for your ASA. There are several options for upgrading the SSL licenses and the most cost effective is the AnyConnect Essentials licensing.

2) I am not sure that I really understand what you are asking here. The connectivity options supported from AnyConnect are pretty much the same as the connectivity options supported by the traditional IPSec client. So once you have established an AnyConnect session and been assigned an IP address for the session, then you could certainly telnet or SSH to any network resource using the assigned IP address as the source address.

3) You should be able to use your existing SecureACS to authenticate users. You can also configure users on the ASA. I believe that it is preferable to use the existing authentication server rather than configuring users on the ASA.

4) I have not done this because I authenticate users from an external authentication server so I can not discuss this from experience. But in configuring users on the ASA there is an option to configure the users as "member of" a group. I would assume that you could use this to force a user to always use the same profile.

HTH

Rick

igor.hamzic Fri, 01/22/2010 - 08:05

Rick,

thanks for your answers. They were really helpful. I followed your advice and found out CNLite-MC-SSLm-PLUS-2.01 microcode in the show version. Is that what you were referring to with those 2 sessions?

As for telnet and ssh I read somewhere that you couldn't use those with Anyconnect but now that you confirmed that I can I think maybe understood it wrong.

Is there a minimum required SecureACS version that I should use with Anyconnect or would any version of the ACS do?

Thanks in advance for your help.

Richard Burts Fri, 01/22/2010 - 12:49

Igor

The reference to CNLite-MC-SSLm-PLUS-2.01 is referring to the microcode for the hardware encryption device on the ASA and does not have anything to do with the SSL licensing.

What I am talking about is something like this:

SSL VPN Peers                : 50

on this ASA the customer upgraded the SSL license from the default of 2 to 50.

I am not aware of any restriction on versions of SecureACS to authenticate for the ASA.

HTH

Rick

igor.hamzic Mon, 01/25/2010 - 01:13

Rick,

thanks for the answers. I checked the licences through the ASDM and it says I have 50 Clientless SSL VPN peers. Checking through the sh ver command it says the ASA has 50 WebVPN peers. I guess it's just different wording through ASDM and console.

Correct Answer
Richard Burts Mon, 01/25/2010 - 21:18

Igor

Yes it looks like different semantics are used comparing ASDM and the command line. Based on what you have posted it looks like your ASA has upgraded licenses to support 50 SSL VPN sessions.

HTH

Rick

igor.hamzic Wed, 01/27/2010 - 02:30

Rick,

your answers have been extremely helpful. Thanks for everything. I'm off to test the Anyconnect client.

Igor

Richard Burts Wed, 01/27/2010 - 09:00

Igor

I am glad that my answers have been helpful (and thanks for the ratings).

Post the results of your testing and let us know how it turns out.

HTH

Rick

igor.hamzic Wed, 01/27/2010 - 09:12

Rick,

I will post the results when I have successfully logged in using Anyconnect. Right now I have managed to get the SSL VPN service screen but cannot get authenticated through ACS. I'm testing several options now and I'll see how that goes.

Igor

igor.hamzic Thu, 01/28/2010 - 01:28

Rick,

I have managed to create an additional group for SSL access in addition to our regular policy for classic Cisco VPN access but can't seem to authorize users using this new policy using our ACS 3.2. I'll keep on searching to try figure this out.

Igor

igor.hamzic Thu, 01/28/2010 - 06:18

I can't seem to get this to work. I have the following added to the ASA but I can't get past the logon screen, that is to say I can't authenticate using ACS.

I'm posting the relevant config and I would be thankful if anyone can point me in the right direction. I did the config through the ASDM wizard.

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 2
 svc enable

group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 vpn-tunnel-protocol svc

tunnel-group SSL_VPN type remote-access

tunnel-group SSL_VPN general-attributes
 address-pool VPNPool1
 authentication-server-group RADIUS
 default-group-policy SSL_VPN

Thanks in advance.

Igor

igor.hamzic Fri, 01/29/2010 - 06:45

I finally got this to work and connect without problem to the ACS. The problem was that when you use the wizard in ASDM it doesn't do everything that needs to be done for this to work. You need to create an alias for the group and you need to check an additional check box (the image attached is from http://www.petenetlive.com/KB/Article/0000069.htm). After that it works great.

Rick thanks for all your help.
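As an added illustration (not Igor's posted configuration and not taken from the linked petenetlive article), the CLI below shows what the resolution described above looks like when applied to Igor's config, and also covers Rick's earlier answer to question 4 about keeping a locally defined user on one profile. The command names are standard ASA 8.0 CLI; the assumption made here is that the "additional check box" Igor mentions corresponds to `tunnel-group-list enable` under `webvpn`, and the user name and password are placeholders.

```cisco
! Added example, not the thread's own config. Assumes the ASDM check box maps to
! "tunnel-group-list enable"; the user name and password are placeholders.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 2
 svc enable
 ! Offer the connection profiles (by alias) on the login page.
 ! The ASDM wizard does not add this line by itself.
 tunnel-group-list enable

group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 vpn-tunnel-protocol svc
 ! Users who receive this policy may only connect through the SSL_VPN
 ! connection profile; picking a different alias on the login page is refused.
 group-lock value SSL_VPN

tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool VPNPool1
 authentication-server-group RADIUS
 default-group-policy SSL_VPN
tunnel-group SSL_VPN webvpn-attributes
 ! The alias shown to the user; this is what the wizard left out.
 group-alias SSL_VPN enable

! Question 4, locally defined users: pin one user to one group policy and
! one connection profile so they always land in the same profile.
username example-user password PLACEHOLDER-PASSWORD
username example-user attributes
 vpn-group-policy SSL_VPN
 group-lock value SSL_VPN
```

With `tunnel-group-list enable` the login page lists every profile that has an enabled alias, so `group-lock` is the control that stops a user assigned to a restricted policy from simply choosing a more permissive profile from that list; check the result with `show vpn-sessiondb svc` after a test login, which reports the group policy and tunnel group each session actually received.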

Richard Burts Fri, 01/29/2010 - 07:01

Igor

I am glad that you got it figured out and that it now works. Thank you for posting back to the forum to indicate that it was solved and what you needed to do to resolve this. It makes the forum more useful when people can read about a problem and can read what the problem was and how it was resolved. It would also help make this useful if you would mark this problem as solved.

HTH

Rick
