Hi all. At our company we use the Cisco VPN client that connects to an ASA firewall with software version 8.0(3)6 on it, but we are now considering using the AnyConnect client as more and more people are starting to use 64-bit operating systems. As I have never used or configured AnyConnect clients I have a few questions:
1. First off is licensing. How can I find out how many concurrent SSL connections are supported and if I need a better license?
2. Is connection with telnet, ssh etc. to resources supported on the AnyConnect client?
3. Can we use our existing SecureACS server to authenticate users or is it better to create users on the ASA?
4. If creating users on the ASA, can we make a user always use the same profile? I ask this because not all of our users have the same rights and not everyone can use all of the resources when they connect, so we would like to create multiple profiles and make certain users always connect using the same profile.
Thank you in advance for all your help.
Yes, it looks like different semantics are used comparing ASDM and the command line. Based on what you have posted, it looks like your ASA has upgraded licenses to support 50 SSL VPN sessions.
I have used AnyConnect with ASA for some customers and have had good experience with it. Here are answers to your questions:
1) Licensing. In the output of show version is information about the licensing of that ASA. In the version of code that you are running the default is to have licenses for 2 SSL sessions. This is enough for you to experiment with AnyConnect and learn how it works, but not enough to use with production users. So it is likely that you will need to upgrade the licensing for your ASA. There are several options for upgrading the SSL licenses and the most cost effective is the AnyConnect Essentials licensing.
2) I am not sure that I really understand what you are asking here. The connectivity options supported from AnyConnect are pretty much the same as the connectivity options supported by the traditional IPSec client. So once you have established an AnyConnect session and been assigned an IP address for the session, then you could certainly telnet or SSH to any network resource using the assigned IP address as the source address.
3) You should be able to use your existing SecureACS to authenticate users. You can also configure users on the ASA. I believe that it is preferable to use the existing authentication server rather than configuring users on the ASA.
4) I have not done this because I authenticate users from an external authentication server, so I cannot discuss this from experience. But in configuring users on the ASA there is an option to configure the users as "member of" a group. I would assume that you could use this to force a user to always use the same profile.