Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on Cisco Remote Access VPN (SSL) and an introduction to the brand new AnyConnect Secure Mobility with Cisco expert Kiran Sirupa. Kiran is a technical marketing engineer in the product marketing team for the Cisco Adaptive Security Appliance (ASA). He also works on documentation and partner and system engineer training. Sirupa has been working in the Cisco Security Technologies Group (STG) for the past 6 years.
Remember to use the rating system to let Kiran know if you have received an adequate response.
Kiran might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 26, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
Security is really not my specialty, but I do use VPN heavily from the client side. Now, I did notice that Cisco is stopping development of the VPN client (an SE in the local Cisco office confirmed there will be no 64-bit version of the VPN client for Windows 7), and there are a lot of rumors around this AnyConnect. Can you shed some light on this: what is currently changing, where is all this going, and how is this approach different from VPN client access? I'm trying to see the bigger picture here, like what is going to happen with UC clients (like IP Communicator or WebEx Connect) for different platforms. Could you please comment on this?
Short Answer: AnyConnect provides everything the VPN Client provided and more. The Cisco VPN client is not EOL'ed. However, Cisco strongly encourages the transition to the AnyConnect client for support of new and 64-bit platforms. If you are concerned about licensing costs with SSL, check out the AnyConnect Essentials license, which provides full tunnel connectivity at a nominal price. I believe the UC and various other Cisco initiatives are using the SSL based AnyConnect client. See below for detailed advantages of this new client.
AnyConnect is the SSL based VPN client. You will have the same functionality as offered by the Cisco VPN Client. That is, your user will be able to establish a full tunnel to the corporate network and receive a routable IP address. Hence, all the applications will work. In addition, AnyConnect provides many advanced features that enable better connectivity and stronger security protection for your remote users.
AnyConnect (AC) is supported on a multitude of platforms including Windows Vista, Windows 7, Mac OS X 10.5/10.6, Linux and Windows Mobile based smart phones. AC supports 64-bit platforms and Cisco is committed to supporting AnyConnect to provide the maximum coverage of platforms.
Since AC is using SSL as a transport, you will not have to worry about various firewalls blocking IPSec.
Compared to the Cisco VPN Client, AnyConnect is a light-weight (2MB) client, which means less overhead on the user PC or smart phone.
AC introduced features such as Automatic Head-end selection (AHS), Auto-Reconnect, Trusted Network Detection, Always-On VPN, SCEP Proxy, which significantly improve user experience along with original VPN Client features such as Local LAN Access, Start-Before-Logon, Split-DNS etc.
AnyConnect supports dynamic and auto-upgrade without admin privileges, hence relieving IT departments from the administrative overhead of pushing new software versions.
With the introduction of the new "AnyConnect Secure Mobility" solution, your remote users are provided the same level of protection as your corporate users. The remote user traffic from the AnyConnect client is inspected by the Web Security Appliance at the corporate network. The WSA protects the user from visiting known websites with malware based on the reputation database downloaded from the Cisco Security Intelligence Operations center. You can also enforce customized acceptable use policy controls for the remote users.
If you buy the AnyConnect Premium license, you can also take advantage of Cisco Secure Desktop, which helps scan the end-user device for posture assessment such as registry, certificate and file checks, and also verifies the versions of Anti-Virus, Anti-Spam and Personal Firewall. Administrators can also force remediation/update before the user is allowed to connect.
In short, AnyConnect = More platform support + Better User Experience + Better Security protection.
Besides cost, can you tell me the difference between AnyConnect Client and AnyConnect Essentials?
When you buy AnyConnect Client (it is actually called the SSL VPN Premium license), you get AnyConnect Client + Clientless SSL + Cisco Secure Desktop. When you buy AnyConnect Essentials, you get the AnyConnect client only. There is no Clientless or CSD support.
Since AnyConnect client requires licensing, can you tell me when you would or would not use SSL clientless?
Clientless is best suited when you want to provide customized, limited access to your partners and vendors. With Clientless SSL, the user can utilize a regular browser on any device and access corporate resources securely. Clientless supports all the webified applications, access to CIFS/FTP file folders, Java applets for RDP, VNC, SSH and Citrix applications. If you have any client-server applications that use TCP, you can use the "Smart Tunnel" feature to support those applications. Also, I have seen companies providing access to core applications such as email (OWA), chat and internal web portals for quick remote access for their employees on the go. With Clientless it's easy to provision and de-provision the VPN access. There is no client to install, no network ACLs to worry about, etc. The Cisco Secure Desktop which comes with clientless access provides a virtual encrypted workspace to minimize the loss of sensitive data on non-corporate assets.
AnyConnect is best suited for employees accessing corporate resources and those who require full-tunnel access for a remote-office-like experience. As I detailed in an above thread, AnyConnect provides seamless connectivity and persistent security. With AnyConnect there are two types of licenses: AnyConnect Essentials and AnyConnect Premium.
When you buy the Essentials license you only get the client. With Premium, you get Client + Clientless + Cisco Secure Desktop.
Thanks for your prompt response and information. I thought SSL clientless is free. So, the only free VPN client is IPSEC VPN client.
We have an ASA 5550 and it comes with 2 SSL clients. Does it mean we can implement SSL VPN, SSL clientless, and Cisco Secure Desktop for those 2 licenses?
Yes, for those 2 licenses, you can implement Clientless, AnyConnect Client and CSD.
The AnyConnect Essentials license is really nominal (< $200) for the low-end ASA 5505-20 and less than $500 for the high-end devices (5550-80). And, this license will enable the maximum VPN sessions on each platform: 5510 = 250 licenses, 5580 = 10,000 licenses.
In addition, you can request your Cisco Account Team (or SE) to issue a 3-month evaluation license for either AnyConnect Essentials or AnyConnect Premium (which includes Clientless SSL). Please note that at any time you can activate either the Essentials license or the Premium license on the ASA. You can't have both active.
I want to setup VPN for disaster recovery. What client would you recommend? Would you recommend AnyConnect client?
We have an ASA 5550 at the office and an ASA 5520 at the disaster recovery site. If I copy the config file from the ASA 5550 to the 5520, do you think the groups, group policies, tunnel groups, etc. will still work? (Sorry for asking a dumb question.) I am not sure of the differences between the 5550 and 5520 besides the capabilities of handling more users.
I would recommend a VPN Flex license for your ASA at the DR site. This license can be used in emergency situations. This will allow you to burst the number of SSL VPN licenses on the ASA for 60 days. The license is tied to the ASA and can only be used on that device.
As an example, a customer has an ASA with a 500-user permanent SSL license. The customer experiences a snow storm and 2500 employees need to work from home. You can apply a 2500-user license for one day, and then revert back to the permanent licenses the following day. You will have 59 days remaining on the license. When the count goes down to zero you would have to purchase another Flex license.
AnyConnect Premium licenses are required when using VPN Flex licensing.
Thanks for your prompt response and information. Please clarify something for me. Since AnyConnect Premium licenses are required when using VPN Flex licensing, you are actually paying for the AnyConnect Premium licenses whether you use them or not. Is this correct? If it is, AnyConnect Premium licenses are quite expensive. Please let me know since I am planning on having an ASA at the DR site. Would you use the AnyConnect client for DR? Do you have any other recommendations for DR?
I checked with my colleagues on this:
(a) You were correct in being able to copy over your groups, tunnels, etc. to the 5520. Also, on the 5550, edit the profiles of the groups that will get routed over to the 5520. You will need to edit the 'BackupServer List'. I've also enclosed a link from the AnyConnect 2.4 Admin Guide for more information:
(b) If you decided to go with a VPN Flex license, you would not need to purchase separate 'premium' licenses. I apologize for my previous posting. VPN Flex licensing would be used in pandemic situations.
Option (a) would probably work best for you.
Thanks for your prompt response and information. You answered the questions that I had on my mind.
Thanks again for the info about SSL VPN Premium and AnyConnect Essentials licenses. I have another question.
Since the ASA comes with two licenses for SSL, if I buy an additional 1000 AnyConnect Essentials licenses for the ASA 5550, will I get 1002 AnyConnect licenses? Anyway, I just want to know if I can still use SSL clientless and Cisco Secure Desktop for those two built-in licenses.
Unfortunately, we can't have both AnyConnect Essentials and AnyConnect Premium (the 2 default) active at the same time. So, you will have either 1000 AnyConnect Essentials or the default 2 Premium licenses, but not both. I know it is disappointing, but we have technical limitations which prevent us from supporting both at the same time.
By the way, AnyConnect Essentials is a feature license, not a per-user count license. That means if you buy AnyConnect Essentials for a 5520, you will automatically enable 750 users for AnyConnect Essentials access. Please note that the combined VPN user count (IPSec Client + AnyConnect Essentials) can't go beyond the maximum VPN for each platform. You can find them in the ASA datasheet below.
Thanks very much for your prompt response and information. One more question. I have two ASAs and have set them up as VPN Load Balancing. Do I need to purchase AnyConnect Essentials licenses for both ASAs in order for load balancing for the AnyConnect client to work? I am running the IPSEC VPN client.
As you are aware, there are 2 SSL VPN licenses on every ASA by default. So, if you install AnyConnect Essentials on only one of the cluster members (let's call it SSLASA), the master ASA may occasionally redirect some of your AnyConnect sessions to cluster members other than the SSLASA. If you don't configure the same SSL VPN configuration on all other cluster members, then your AnyConnect session will fail to connect. So, it is better to have the same AnyConnect Essentials on both devices. Alternatively, you have to configure the same SSL settings on your other cluster members even though they have only 2 SSL licenses.
Let me know for further clarity.
We have been using another vendor's web filtering solution for several years, and have built our policies around the way it works, its site categorizations, etc. Although I am interested in the Secure Mobility functionality, and would be OK with deploying an IronPort to facilitate that, I have no intention or desire to maintain two separate web filtering policies. Can I forward ICAP requests from the IronPort to my existing proxy servers? In other words, is Secure Mobility interoperable with other web filtering solutions, or is Cisco suggesting that I rip-and-replace my existing filtering gear in order to use ACSM?
I don't think this would be possible, I will need to check this out.
However, at the heart of the ACSM solution is the AnyConnect client, which accepts its 'secure connectivity' policies from the ASA head-end and can be independent of web filtering solutions.
The AnyConnect Secure Mobility solution is tightly integrated with the WSA. The major advantage is that AnyConnect/ASA passes the remote username to the WSA, preventing subsequent authentication on the WSA. The WSA also supports location-aware policies, so you can provide different levels of access based on whether the user is local or remote. The WSA also provides extensive reporting for remote user traffic.
If you really want to keep your existing web filtering solution, you could configure that proxy to be an upstream proxy for the WSA. But, the ASA or WSA wouldn't be able to forward remote user information to your upstream proxy, and you wouldn't be able to enforce any custom policies based on user group or whether they are local or remote. Of course, your other proxy will query the user to enter authentication credentials. Let me know if you need further details about this; I can provide licensing information.
Currently we have 2 ASA5520 in Active/Standby configuration and we use both the AnyConnect and SSL (WebVPN) for a handful of users. Licensing is as follows:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Enabled
This platform has an ASA 5520 VPN Plus license.
We are currently in the process of upgrading to ASA 8.3 once the memory upgrade comes in. We do not use CSA in our organization. Can you briefly explain any advantage of AC Essentials and AC Premium over the AnyConnect client we are currently using? If we were to go with AC Premium, does that require additional hardware for the CSA piece?
Either AC Essentials or AnyConnect Premium plays a major part in Cisco's Secure Borderless Network Strategy. (Please see
AC Essentials provides solely full tunnel connectivity and does not support advanced SSL VPN features such as Cisco Secure Desktop (CSD), Host Scanning, or clientless VPN tunnels, which are found in AC Premium.
Both are independent of CSA. Cisco Security Agent is a separate software solution offering Day-Zero protection.
(please see www.cisco.com/go/csa for more information)
If you are upgrading to ASA 8.3, talk to your Cisco account team to see if you're interested in participating in the AnyConnect 2.5 beta program.
AnyConnect 2.5 offers the following new VPN features: Optimal Head-End Selection, Always-On Connection-Failure Policies, Hotspot Detection & Remediation policies.
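The licensing rules stated earlier in the thread (Essentials and Premium cannot both be active; Essentials is a feature license that unlocks the platform maximum; the combined IPSec + AnyConnect count cannot exceed the platform's Total VPN Peers) can be checked mechanically against the "Licensed features" section of `show version`. The following is an added example, not Cisco's code: it parses the license block pasted above and applies those rules. The sample text is the one from the post above; the 5520 platform maximum (750) is taken from the thread, and the field names used as dictionary keys are the ones that appear in that output.

```python
"""Parse the 'Licensed features for this platform' section of ASA 'show version'
and apply the AnyConnect licensing rules described in this thread.
Added example, not Cisco code. The sample is copied from the post above."""
import re

SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 25
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Enabled
This platform has an ASA 5520 VPN Plus license.
"""


def parse_license_features(text):
    """Return {feature: value}; purely numeric values become ints."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if not m:            # header and trailer lines have no 'key : value' shape
            continue
        key, value = m.group(1), m.group(2)
        features[key] = int(value) if value.isdigit() else value
    return features


def anyconnect_capacity(features):
    """Effective AnyConnect ceiling under the rules given in the thread.

    Essentials enabled  -> AnyConnect sessions up to Total VPN Peers (platform
                           maximum), but no clientless SSL and no CSD.
    Essentials disabled -> AnyConnect/clientless/CSD limited by the per-seat
                           SSL VPN Peers (Premium) count.
    """
    if features.get("AnyConnect Essentials") == "Enabled":
        return {"mode": "essentials",
                "anyconnect_sessions": features["Total VPN Peers"],
                "clientless": False, "csd": False}
    return {"mode": "premium",
            "anyconnect_sessions": features["SSL VPN Peers"],
            "clientless": True, "csd": True}


def fits_platform(features, ipsec_sessions, anyconnect_sessions):
    """The combined IPSec + AnyConnect count may not exceed Total VPN Peers."""
    return ipsec_sessions + anyconnect_sessions <= features["Total VPN Peers"]


def with_essentials(features):
    """Model what enabling the Essentials feature license changes."""
    return dict(features, **{"AnyConnect Essentials": "Enabled"})


if __name__ == "__main__":
    feats = parse_license_features(SAMPLE_SHOW_VERSION)
    print("as licensed now:", anyconnect_capacity(feats))
    print("after Essentials:", anyconnect_capacity(with_essentials(feats)))
    print("700 IPSec + 100 AnyConnect fits?", fits_platform(feats, 700, 100))
```

Run against the pasted output, the box reports Premium mode with 25 AnyConnect/clientless seats; the same box with Essentials enabled reports 750 AnyConnect seats and no clientless or CSD, which is the trade-off Kiran describes.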
We setup private IP addresses for VPN client (10.10.xxx.xxx). What would happen if the Remote site has either the same private IP address or the same private subnet (10.10.xxx.xxx)? Would the client still be able to get to my network regardless of the client type (Cisco VPN client, SSL client, SSL clientless)?
You'll see that the client will be able to establish the VPN session, but will not be able to connect to your network.
You'll see the following syslog message on your ASA: "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.x.x dest inside:10.10.x.x (type 8, code 0) denied due to NAT reverse path failure".
If NAT is configured on the ASA and you do not want to change the source IP of traffic going over the VPN tunnel, you would need to configure NAT exempt rules. I've attached the following link for an example:
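Two checks a defender would want for the overlap problem above: spot the "NAT reverse path failure" syslog message and see whether its source address sits inside the VPN address pool (a sign that a remote site's own addressing collides with yours), and test a candidate pool against the subnets remote users typically sit behind before rolling it out. The following is an added example, not Cisco's code. The message text is the one quoted in the reply above; the regex treats the leading `%ASA-5-305013:` tag as optional (that is the message ID I expect for this text, an assumption, so the parser does not depend on it). The pool, the subnet list and the log lines are constructed sample data.

```python
"""Detect VPN-pool overlap from ASA syslog and from planned addressing.
Added example, not Cisco code; log lines and subnets are constructed."""
import ipaddress
import re

# Matches the message quoted in the thread, with or without the %ASA-x-yyyyyy: tag
# (the 305013 ID is an assumption; the pattern anchors on the text, not the ID).
NAT_RPF_RE = re.compile(
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dest (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?.*denied due to NAT reverse path failure"
)

SAMPLE_LOGS = [  # constructed sample lines
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for icmp src outside:10.10.5.23 dest inside:10.10.5.40 (type 8, code 0) "
    "denied due to NAT reverse path failure",
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51000 "
    "(198.51.100.7/51000) to inside:10.10.7.8/443 (10.10.7.8/443)",
]


def parse_nat_rpf_failures(lines):
    """Extract protocol, interfaces and addresses from each reverse-path failure."""
    hits = []
    for line in lines:
        m = NAT_RPF_RE.search(line)
        if m:
            hits.append({k: m.group(k) for k in ("proto", "src_if", "src", "dst_if", "dst")})
    return hits


def flows_inside_pool(hits, vpn_pool):
    """Failures whose source lies in the VPN pool: a remote client whose own LAN
    (or the ASA's inside network) appears to overlap the pool."""
    pool = ipaddress.ip_network(vpn_pool)
    return [h for h in hits if ipaddress.ip_address(h["src"]) in pool]


def pool_conflicts(vpn_pool, remote_lans):
    """Every remote subnet that overlaps the planned VPN pool (pre-deployment check)."""
    pool = ipaddress.ip_network(vpn_pool)
    return [lan for lan in remote_lans if pool.overlaps(ipaddress.ip_network(lan))]


if __name__ == "__main__":
    failures = parse_nat_rpf_failures(SAMPLE_LOGS)
    print("reverse-path failures:", failures)
    print("sources inside pool 10.10.0.0/16:", flows_inside_pool(failures, "10.10.0.0/16"))
    # constructed list of subnets commonly found at remote sites / home routers
    print("pool conflicts:", pool_conflicts("10.10.0.0/16",
                                            ["192.168.1.0/24", "10.10.5.0/24", "10.0.0.0/24"]))
```

The second function is the one to run before choosing a pool: a pool carved from a range that no branch or home router is likely to use avoids the condition Kiran describes, whereas NAT exemption only addresses the case where the ASA's own NAT rules are rewriting tunnel traffic.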
Is it possible to create an AnyConnect group policy that would restrict access to users from known (trusted) public IP addresses, and other AnyConnect group policies that are less restrictive as to the source IP of connection attempts to the ASA?
We can use Cisco Secure Desktop and Dynamic Access Policies together to achieve this. But, this requires AnyConnect Premium license.
Step-1: Configure Cisco Secure Desktop to scan for the IP address and define a policy as either "Trusted" or "Untrusted".
Step-2: Create a Dynamic Access Policy such that if Cisco.TunnelGroup = Trusted_TG but the CSD Policy is != Trusted, then set the connection to "Terminate". However, this assumes you have a way to map users automatically to a Tunnel Group.
Let me know if this satisfies your query.
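To see how the two steps above combine, here is an added example (not Cisco's DAP engine, its XML, or code from the thread) that models them: step 1 as a source-IP classification into the "Trusted"/"Untrusted" CSD policy labels, and step 2 as a DAP record matching `Cisco.TunnelGroup == Trusted_TG` and `CSD policy != Trusted` with action terminate. DAP aggregation is modelled as "a terminate from any matching record wins, otherwise the default record continues", which is my assumption about how matched records combine. The trusted prefixes, the `General_TG` tunnel-group name and the sample connection attempts are constructed; `Trusted_TG` and `DfltAccessPolicy` are the names used on the page and on the ASA.

```python
"""Model CSD location check + DAP terminate rule from the thread.
Added example, not Cisco code; prefixes and session samples are constructed."""
import ipaddress

# Step 1 input: public prefixes the organisation treats as trusted (constructed).
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/26")]


def csd_location_policy(public_ip):
    """Step 1: label CSD would assign after scanning the endpoint's source IP."""
    addr = ipaddress.ip_address(public_ip)
    return "Trusted" if any(addr in net for net in TRUSTED_PREFIXES) else "Untrusted"


# Step 2: DAP records as (name, match predicate over session attributes, action).
DAP_RECORDS = [
    ("Untrusted-IP-on-Trusted-TG",
     lambda s: s["tunnel_group"] == "Trusted_TG" and s["csd_policy"] != "Trusted",
     "terminate"),
]


def evaluate_dap(session):
    """Aggregate matching records: any 'terminate' wins; none matched -> default."""
    matched = [name for name, pred, _ in DAP_RECORDS if pred(session)]
    if any(action == "terminate" for name, pred, action in DAP_RECORDS if pred(session)):
        return {"action": "terminate", "matched": matched}
    return {"action": "continue", "matched": matched or ["DfltAccessPolicy"]}


def admit(tunnel_group, public_ip):
    """Full decision for one connection attempt: CSD scan, then DAP."""
    session = {"tunnel_group": tunnel_group, "csd_policy": csd_location_policy(public_ip)}
    return evaluate_dap(session)


if __name__ == "__main__":
    for tg, ip in (("Trusted_TG", "203.0.113.9"),   # trusted office address
                   ("Trusted_TG", "192.0.2.5"),     # unknown address on the strict group
                   ("General_TG", "192.0.2.5")):    # same address on the lenient group
        print(tg, ip, "->", admit(tg, ip))
```

The third case shows the asymmetry the question asks for: the same untrusted address is refused on `Trusted_TG` but continues on the less restrictive group, because the record only matches the strict tunnel group. As the reply notes, the control is only as good as the mapping of users to tunnel groups.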