A few VPN questions

Unanswered Question
Jun 2nd, 2010

We have 3 VPN concentrators and an ASA 5520. My first question is, can we do SSL VPN with a Cisco ASA now? Do I need any specific Cisco software to accomplish this? And does it come with a product similar to host checker so one can perform NAC functions?

Second, is there an application out there that will convert a Cisco VPN Concentrator 3060 configuration to Cisco ASA 5520 configuration?

I appreciate all the time and effort you all put into this and thank you for all the help in the past.


Dwane

Federico Coto F... Wed, 06/02/2010 - 13:25

Hi,

Yes you can do clientless or client-based SSL VPNs on ASAs.

Clientless SSL:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html

Client-based SSL (AnyConnect):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html

I don't think we have access to such a tool, but I believe that TAC does (to convert the configuration from Concentrator to ASA).

Federico.

Marcin Latosiewicz Wed, 06/02/2010 - 13:55

Dwane,

ASA has webvpn built in... and most of the stuff you did on vpn3k will also work on ASA (plus MUCH more).

However ASA licenses usage of webvpn.

There is Cisco Secure Desktop and Endpoint Assessment if you're interested in NAC-like features.

I vaguely remember someone mentioning some tool to migrate configuration from vpn3k to ASA; I could not find it, however.

Hope this gets you started:

http://www.cisco.com/en/US/docs/security/asa/asa72/vpn3000_upgrade/upgrade/guide/midiffs.html

m.kafka Wed, 06/02/2010 - 15:19

Hi Dwane,

There are a few but sparse documents describing how to migrate remote access VPN from 3000 concentrators to ASA, but the good news is that the main concepts didn't change a lot. A Google search of "site:cisco.com migrating remote access vpn from concentrator to ASA" will help a lot.

The main document is: http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html

I have to admit I'm not aware of any tool that would convert the config directly, I'm afraid you would need to build the new config yourself.

SSL VPNs are covered on the ASA, even with more features than the original concentrator features, but only two simultaneous connections are included in the standard licences; upgrades can be purchased.

You do not need any special software for SSL VPNs; only the number of simultaneous connections is an issue. ASA supports all variants of Cisco SSL VPNs: clientless (portal, but with enhanced features), thin client (port redirect), CSD (Cisco Secure Desktop) and Cisco AnyConnect.

NAC is also supported from the first version (7.0).

Rgds, MiKa
