Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how to deploy the Cisco IPSec remote access VPN solution in the Cisco IOS and Cisco ASA VPN devices with Cisco expert Jazib Frahim. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security.
Remember to use the rating system to let Jazib know if you have received an adequate response.
Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through August 8, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
I cannot comment on it as it is still in the developmental stages. You can inquire about a tentative schedule from your local Cisco account team.
Hi, I got a 1841 with the following IOS
Does it support static route redistribution into EIGRP? Thanks
This forum discusses IPSec remote access technology. I am sure this question can be addressed in the correct forum.
Is the AnyConnect client that is currently only able to connect via SSL to ASA and IOS going to be 'upgraded' to run IPSec in a future update?
Cisco has plans to enable the IPSec client functionality in the future releases of the AnyConnect client.
Hope that helps
Thanks for the reply. Any idea on when that effort might be realized? Will the use of the IPSec through AnyConnect require a concurrent license on the ASA platform similar to what is required today (SSL VPN license) or will the IPSec 'feature' be free like the Cisco VPN client is today?
Just checked with the PM and there is no timeframe when the IPSec functionality is going to be a part of the AnyConnect client. Additionally, there is no decision yet in terms of the future AnyConnect licensing.
Hope that helps
I have a little problem with remote access VPN using PPTP on a PIX 506E firewall. Actually, I have a site-to-site VPN setup on the PIX that connects to an ASA on the other side. When I tried to configure remote access PPTP VPN on the PIX, the clients can actually connect but cannot access the internal network behind the PIX. Cannot ping any machines inside, cannot access any server inside. I am attaching the PIX config, could you please help me out.
I do not see a reason why your PPTP tunnel would not pass traffic. I am just wondering if you have a NAT device or a firewall sitting between the client and the PIX. During the tunnel negotiations, the PPTP devices use TCP port 1723 for communication. Once the tunnel is established, they use GRE (IP Protocol 47) for data transport. It is possible that a NAT/firewall device could be blocking that traffic.
Hope that helps
Thanks for your reply, no there is no NAT device between the client and the PIX. I was wondering if I should enable the IP protocol 47 through the PIX by using the fixup protocol 47. I am re-attaching the PIX config which is the latest one, could you have a look at the nonat access-list and its usage. I have a doubt about it, especially using the nonat ACL in IPsec config. Thanks in advance for your reply.
The fixup is used for the connections through the PIX firewall. Since the PPTP connections are terminated on the PIX, you do not need any fixups for this. I would suggest that you enable packet capture to determine if the PPTP packets are even getting to the PIX firewall.
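The capture the answer above recommends, written out as an added example rather than anything posted in the thread: a PIX 6.x packet capture on the outside interface that matches only the two flows PPTP needs, the TCP 1723 control connection and GRE (IP protocol 47) data. The outside address 203.0.113.1 and the names PPTP_CAP and pptpcap are assumed placeholders.

```cisco
! Added example: confirm that PPTP control and data packets actually reach
! the PIX outside interface. 203.0.113.1 stands in for the PIX outside address.
!
! Match both directions of the TCP 1723 control connection ...
access-list PPTP_CAP permit tcp any host 203.0.113.1 eq 1723
access-list PPTP_CAP permit tcp host 203.0.113.1 eq 1723 any
! ... and both directions of the GRE data stream.
access-list PPTP_CAP permit gre any host 203.0.113.1
access-list PPTP_CAP permit gre host 203.0.113.1 any
!
! Bind the capture to the outside interface, filtered by the ACL above.
capture pptpcap access-list PPTP_CAP interface outside
!
! Have the client connect and try to reach an inside host, then inspect
! what arrived.
show capture pptpcap
!
! Remove the capture once done so it stops consuming buffer memory.
no capture pptpcap
```

Reading the result: if the TCP 1723 exchange appears but no GRE packets follow once the client reports it is connected, something in the path is dropping protocol 47 before it reaches the PIX; if GRE packets arrive in both directions, the outside path is fine and the problem lies in the PIX configuration or on the inside.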
We have several ASA5505 scattered around behind NAT and DHCP.
We can make a successful L2L connection to our central ASA5520 cluster.
We want to use DHCP relay but cannot use it because in order for the DHCP requests to be sent over the IPsec tunnel, the external (DHCP) address needs to be included in the IPsec tunnel config.
This is not a problem (we can use the interface command) but on our central cluster, it is.
We cannot anticipate the external IP, and routing problems can arise.
When will it be possible to use the internal IP as source address for the DHCP relay packets?
When will it be possible, if you use the internal DHCP server of the ASA, to dynamically register the leases on a BIND DNS server (on the other side of the tunnel)?
Regarding the features that you asked, I do not see anything in the immediate roadmap. I would suggest that you work with the local Cisco account team to have these features be considered for the future releases of the ASA.
Hope that helps
What is the difference between the AnyConnect Client and the Standard VPN Client? And what's an example of when you would use one rather than the other?
The Cisco AnyConnect client is used for SSL VPN connections while the standard Cisco VPN client is used for IPSec connections. In the future, the AnyConnect client is supposed to provide both the SSL VPN as well as the IPsec client functionality.
Hope that helps
Hi Jazib, good to see you back in the forums. Hey, can you please tell when DMVPN or GETVPN and GRE support will be there in Cisco ASA?
Will routing protocol support and VPN support be there in multiple context mode like other firewalls do?
Is Cisco doing anything in this? I feel Cisco IOS has more flexibility and scalability with new features as compared to Cisco ASA.
Would love to see Cisco ASA having the features supported on their IOS.
Cisco is dedicating a lot of resources in the development of the Cisco ASA family of products. Unfortunately, I cannot discuss what features and enhancements will be included in the future releases. You can direct product roadmap specific questions to your local Cisco account team and I am sure they will address them.
I am sure you would understand.
If you want a clientless solution, or if you want ease of deployment of the clients, or if you want to use CSD, and many other reasons.
Can you tell me briefly about AnyConnect client? How does AnyConnect client work? Do you still require user name and password the same way as VPN Client for authentication? Thanks.
I hope this link helps in answering your AnyConnect client queries.
Thanks for the information. I understand that I need the licenses for SSL VPN. How do the licenses work? If I have 100 concurrent users, do I need 100 licenses?
Can you setup both SSL VPN and VPN client on the ASA?
Could you give your expert comments on the following case?
Thanks for your time.
I am not sure what you mean by "The local peer is 10.0.1.2 but seen as 188.8.131.52 by the remote peer". How is that possible? Are you doing some sort of address translation that is doing that?
Could you explain this in more detail?
Well this is the objective, indeed by means of some address translation mechanism.
Consider a network migration scenario, where the previously used local IPsec peer (184.108.40.206) is changed to a new device (10.0.1.2), thus this change remains transparent to the remote end.
220.127.116.11 no longer speaks IPsec with the remote peer, though it pretends to do so. It is actually 10.0.1.2 which acts on behalf of 18.104.22.168.
Actually, this is achievable by using iptables as I indicated in my previous post. However, the plan is to deploy it using Cisco, provided that is feasible.
Hope it's clearer now. Look forward to a reply.
I have a Cisco ASA 5520; my company requires a remote client VPN connecting to it, that's the easy bit.
This will be using the outside interface only, using intra-interface etc.
The question is, can you then get the remote VPN client to invoke another tunnel to another router from the ASA?
We already have several site-to-site VPNs hairpinning on the outside interface of the ASA.
You can certainly do that. Make sure that you add the ip pool subnet into your encryption list for the Lan-Lan tunnel and you have "same-security-traffic permit intra-interface" command enabled.
Hope that helps
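The two pieces the answer above names, the pool subnet in the L2L crypto ACL and `same-security-traffic permit intra-interface`, shown together in an added ASA configuration example (pre-8.3 syntax, not the poster's or Cisco's own configuration). All addresses, the pool, ACL and crypto map names are assumed placeholders: 10.10.10.0/24 is the local LAN, 10.20.20.0/24 the LAN behind the remote router at 198.51.100.10, and 192.168.100.0/24 the remote-access client pool.

```cisco
! Added example: remote-access clients terminating on the outside interface
! reach a LAN-to-LAN peer through the same outside interface (hairpinning).
!
! Traffic that enters and leaves on the same interface is dropped unless
! this is enabled.
same-security-traffic permit intra-interface
!
! Address pool handed to remote-access VPN clients.
ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
! Crypto ACL for the L2L tunnel. The second line is the important one:
! it adds the client pool so client-to-remote-LAN traffic is selected
! for the L2L tunnel instead of being routed out unencrypted.
access-list L2L_CRYPTO extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip 192.168.100.0 255.255.255.0 10.20.20.0 255.255.255.0
!
! Keep the hairpinned client traffic out of NAT on the outside interface,
! otherwise the source address no longer matches the crypto ACL.
access-list OUTSIDE_NONAT extended permit ip 192.168.100.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT
!
! Static crypto map entry for the L2L peer, bound to the outside interface.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
```

The remote router's crypto ACL has to mirror both lines (its local 10.20.20.0/24 to both 10.10.10.0/24 and 192.168.100.0/24), or phase 2 for the client subnet will fail with a proxy identity mismatch. Once a client sends traffic to the remote LAN, `show crypto ipsec sa` on the ASA should show a second SA for the 198.51.100.10 peer with local identity 192.168.100.0/24.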