ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how to deploy the Cisco IPSec remote access VPN solution on Cisco IOS and Cisco ASA VPN devices with Cisco expert Jazib Frahim. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

109 REPLIES

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi, Jazib

When will the 8.2 software for the ASA be ready?

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi there,

I cannot comment on it as it is still in the developmental stages. You can inquire about a tentative schedule from your local Cisco account team.

regards,

Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi, I got an 1841 with the following IOS:

Version 12.3(14)T2

Does it support static route redistribution into EIGRP? Thanks

Benny@majesticdata.co.za

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi there,

This forum discusses IPSec remote access technology. I am sure this question can be addressed in the correct forum.

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Jazib,

Is the AnyConnect client that is currently only able to connect via SSL to ASA and IOS going to be 'upgraded' to run IPSec in a future update?

Thanks.

Brian

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Brian,

Cisco has plans to enable the IPSec client functionality in future releases of the AnyConnect client.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Jazib,

Thanks for the reply. Any idea on when that effort might be realized? Will the use of the IPSec through AnyConnect require a concurrent license on the ASA platform similar to what is required today (SSL VPN license) or will the IPSec 'feature' be free like the Cisco VPN client is today?

Thanks.

Brian

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Brian,

I am going to check with a product manager about it. Will let you know once I hear something about it.

-Jazib

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Brian,

Just checked with the PM and there is no timeframe when the IPSec functionality is going to be a part of the AnyConnect client. Additionally, there is no decision yet in terms of the future AnyConnect licensing.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Dear Jazib:

I have a little problem with remote access VPN using PPTP on a PIX 506E firewall. Actually, I have a site-to-site VPN set up on the PIX that connects to an ASA on the other side. When I tried to configure remote access PPTP VPN on the PIX, the clients can actually connect but cannot access the internal network behind the PIX. They cannot ping any machines inside and cannot access any server inside. I am attaching the PIX config; could you please help me out?

Regards,

Nawaz

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hello Nawaz,

I do not see a reason why your PPTP tunnel would not pass traffic. I am just wondering if you have a NAT device or a firewall sitting between the client and the PIX. During the tunnel negotiations, the PPTP devices use TCP port 1723 for communication. Once the tunnel is established, they use GRE (IP Protocol 47) for data transport. It is possible that a NAT/firewall device could be blocking that traffic.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Jazib:

Thanks for your reply. No, there is no NAT device between the client and the PIX. I was wondering if I should enable IP protocol 47 through the PIX by using the fixup protocol 47. I am re-attaching the PIX config, which is the latest one; could you have a look at the nonat access-list and its usage? I have a doubt about it, especially using the nonat ACL in the IPsec config. Thanks in advance for your reply.

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

The fixup is used for the connections through the PIX firewall. Since the PPTP connections are terminated on the PIX, you do not need any fixups for this. I would suggest that you enable packet capture to determine if the PPTP packets are even getting to the PIX firewall.

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

We have several ASA5505 scattered around behind NAT and DHCP.

We can make a successful L2L connection to our central ASA5520 cluster.

We want to use DHCP relay but cannot use it, because in order for the DHCP requests to be sent over the IPsec tunnel, the external (DHCP) address needs to be included in the IPsec tunnel config.

This is not a problem (we can use the interface command), but on our central cluster it is.

We cannot anticipate the external IP, and routing problems can arise.

When will it be possible to use the internal IP as source address for the DHCP relay packets?

When will it be possible, if you use the internal DHCP server of the ASA, to dynamically register the leases on a BIND DNS server (on the other side of the tunnel)?

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi there,

Regarding the features that you asked about, I do not see anything in the immediate roadmap. I would suggest that you work with the local Cisco account team to have these features be considered for future releases of the ASA.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

What is the difference between the AnyConnect Client and the Standard VPN Client? And what's an example of when you would use one rather than the other?

Thanks!

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

The Cisco AnyConnect client is used for SSL VPN connections while the standard Cisco VPN client is used for IPSec connections. In the future, the AnyConnect client is supposed to provide both the SSL VPN as well as the IPsec client functionality.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Jazib, good to see you back in the forums. Hey, can you please tell me when DMVPN or GETVPN and GRE support will be there in Cisco ASA?

Will routing protocol support and VPN support be there in multiple context mode like other firewalls do?

Is Cisco doing anything in this? I feel Cisco IOS has more flexibility and scalability with new features as compared to Cisco ASA.

Would love to see Cisco ASA having the features supported on their IOS.

regards

sushil

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Sushil,

Cisco is dedicating a lot of resources in the development of the Cisco ASA family of products. Unfortunately, I cannot discuss what features and enhancements will be included in the future releases. You can direct product roadmap specific questions to your local Cisco account team and I am sure they will address them.

I am sure you would understand.

Thanks

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

When would you prefer SSL over IPSEC?

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

If you want a clientless solution, or if you want ease of deployment of the clients, or if you want to use CSD, and many other reasons.

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Jazib,

Can you tell me briefly about AnyConnect client? How does AnyConnect client work? Do you still require user name and password the same way as VPN Client for authentication? Thanks.

Jill

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Jill,

I hope this link helps in answering your AnyConnect client queries:

http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml#intro

Thanks

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Jazib,

Thanks for the information. I understand that I need the licenses for SSL VPN. How do the licenses work? If I have 100 concurrent users, do I need 100 licenses?

Can you setup both SSL VPN and VPN client on the ASA?

Thanks.

Jill

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi there,

I am not sure what you mean by "The local peer is 10.0.1.2 but seen as 185.0.1.5 by the remote peer". How is that possible? Are you doing some sort of address translation that is doing that?

Could you explain this in more detail?

-Jazib

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi Jazib,

Well this is the objective, indeed by means of some address translation mechanism.

Consider a network migration scenario, where the previously used local IPsec peer (185.0.1.5) is changed to a new device (10.0.1.2), thus this change remains transparent to the remote end.

185.0.1.5 no longer speaks IPsec with the remote peer, though pretends to do so. It is actually 10.0.1.2 which acts on behalf of 185.0.1.5.

Actually, this is achievable by using iptables, as I indicated in my previous post. However, the plan is to deploy it using Cisco, provided that is feasible.

Hope it's clearer now. Look forward to a reply.

Thanks,

New Member

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

Hi

I have a Cisco ASA 5520; my company requires a remote client VPN connecting to it, that's the easy bit.

This will be using the outside interface only using intra-interface etc etc.

The question is: can you then get the remote VPN client to invoke another tunnel to another router from the ASA?

We already have several site-to-site VPNs hairpinning on the outside interface of the ASA.

Many thanks

Bronze

Re: ASK THE EXPERT - CISCO IPSec REMOTE ACCESS VPNS

You can certainly do that. Make sure that you add the ip pool subnet into your encryption list for the Lan-Lan tunnel and you have "same-security-traffic permit intra-interface" command enabled.

Hope that helps

-Jazib
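The two requirements from the answer above, written out as an added ASA configuration example; this is not from the original thread or from Cisco. Interface, pool and ACL names, the addresses, and the pre-8.3 `nat (interface) 0 access-list` exemption syntax are assumptions chosen to fit the ASA releases of this era.

```cisco
! Let traffic that arrives on the outside interface leave via the outside
! interface again (remote-access client -> ASA -> LAN-to-LAN tunnel).
same-security-traffic permit intra-interface
!
! Address pool handed to the remote-access clients (assumed value).
ip local pool RA_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! Crypto ACL for the LAN-to-LAN tunnel: the inside LAN as before, plus the
! client pool subnet, so pool-to-remote-site traffic is also encrypted.
access-list L2L_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L_CRYPTO extended permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
!
! NAT exemption (pre-8.3 syntax): hairpinned client traffic enters on the
! outside interface, so the exemption is applied to outside, not inside.
access-list NONAT_OUTSIDE extended permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUTSIDE
!
! Phase 2 proposal and the crypto map bound to the outside interface.
! The remote router's crypto ACL must mirror both L2L_CRYPTO entries
! (10.2.0.0/16 -> 10.1.0.0/16 and 10.2.0.0/16 -> 192.168.50.0/24),
! otherwise the SA for the pool subnet never negotiates.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP interface outside
```

If the client group policy uses split tunneling, the remote site's subnet (10.2.0.0/16 here) also has to be in the split-tunnel ACL, otherwise the client never sends that traffic into its own tunnel in the first place.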
