
New Member

Anyconnect VPN Basic Query

I have two queries with regards to Anyconnect VPN in ASDM.

VPN Wizard --> Anyconnect VPN Wizard --> VPN Protocols

a) SSL, anyconnect will use SSL and I only need to allow port 443 to the ASA, right?
With SSL, can I use the SBL feature?


b) IPSec, anyconnect will use IPSec and I need to allow IKE, ESP & AH.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Anyconnect VPN Basic Query

Yes, regarding your assumptions when you are behind another firewall. For SSL it's just TCP port 443. For IPSec you will need to allow ESP (IP Protocol ID 50), AH (IP Protocol ID 51) and ISAKMP (UDP port 500). You may also need TCP port 443 for the initial handshake with IPSec VPN and UDP port 4500 (IPSec NAT traversal).

SSL is the "traditional" AnyConnect client access method and is also used for clientless SSL VPN (license required). It is sometimes preferred for simplicity and familiarity.

IPSec is arguably more secure and only recently available with AnyConnect as it has a dependency on using IKEv2.

Either gets the job done.
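
The accepted answer above lists the inbound flows an upstream firewall must pass to an ASA sitting in a DMZ. As an added example that is not part of the thread or of any Cisco tooling, the script below encodes those flows (TCP 443 for SSL; UDP 500, ESP, AH, UDP 4500 and TCP 443 for IPsec) and checks a candidate upstream rule set for gaps. The `Rule`/`Flow` types, the sample rule set and the protocol-number constants are assumptions of the example; the flows themselves come from the answer. A common mistake it catches is opening the right port under the wrong IP protocol (TCP 500 instead of UDP 500), which a port-only review would miss.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IP protocol numbers (IANA assignments) used below.
TCP, UDP, ESP, AH = 6, 17, 50, 51
PROTO_NAME = {TCP: "tcp", UDP: "udp", ESP: "esp (IP proto 50)", AH: "ah (IP proto 51)"}


@dataclass(frozen=True)
class Flow:
    """One inbound flow the upstream firewall must permit toward the ASA."""
    proto: int
    port: Optional[int]   # None for protocols that carry no port (ESP, AH)
    purpose: str


# Flows as listed in the accepted answer, keyed by the wizard's VPN protocol choice.
REQUIRED_FLOWS = {
    "ssl": (
        Flow(TCP, 443, "AnyConnect SSL session"),
    ),
    "ipsec": (
        Flow(UDP, 500, "ISAKMP / IKEv2"),
        Flow(ESP, None, "ESP payload"),
        Flow(AH, None, "AH payload"),
        Flow(UDP, 4500, "IPsec NAT traversal (NAT in the path)"),
        Flow(TCP, 443, "initial AnyConnect handshake"),
    ),
}


@dataclass(frozen=True)
class Rule:
    """A permit entry on the upstream firewall for traffic toward the ASA (hypothetical model)."""
    proto: int
    port: Optional[int]   # None means 'any port' (or a portless protocol)


def required_flows(modes: Iterable[str]) -> List[Flow]:
    """Union of required flows for the selected protocols, deduplicated by (proto, port)."""
    seen, out = set(), []
    for mode in modes:
        for flow in REQUIRED_FLOWS[mode]:
            key = (flow.proto, flow.port)
            if key not in seen:
                seen.add(key)
                out.append(flow)
    return out


def permits(rule: Rule, flow: Flow) -> bool:
    """A rule covers a flow only when the IP protocol matches exactly
    and the port matches or the rule is wildcarded on port."""
    return rule.proto == flow.proto and (rule.port is None or rule.port == flow.port)


def missing_flows(modes: Iterable[str], rules: Iterable[Rule]) -> List[Flow]:
    """Required flows that no rule in the candidate set permits."""
    rules = list(rules)
    return [f for f in required_flows(modes) if not any(permits(r, f) for r in rules)]


def describe(flow: Flow) -> str:
    port = "" if flow.port is None else f"/{flow.port}"
    return f"{PROTO_NAME[flow.proto]}{port}  ({flow.purpose})"


if __name__ == "__main__":
    # Constructed sample rule set: TCP 500 was opened instead of UDP 500,
    # and AH and NAT-T were forgotten entirely.
    candidate = [Rule(TCP, 443), Rule(TCP, 500), Rule(ESP, None)]
    for flow in missing_flows(["ssl", "ipsec"], candidate):
        print("MISSING:", describe(flow))
```

Run it as-is to see the three gaps for the sample rule set; to audit a real deployment, replace `candidate` with the permits actually configured on the firewall in front of the ASA, expressed as IP protocol number plus destination port.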

3 REPLIES
Hall of Fame Super Silver

Anyconnect VPN Basic Query

When you go through the wizards it will, among other things, cause the ASA to listen on the ports appropriate for the options chosen (SSL and IPsec).

You can use SSL with SBL.

New Member

Re: Anyconnect VPN Basic Query

I will keep the ASA behind another firewall in a DMZ. So my above assumptions are correct, right?

Also which one (SSL or IPSec) is preferred since both support SBL?
