ASA 5510 IPSec and SSL VPN?

bicarus01
Level 1

Hello everyone.

We currently have our ASA 5510 set up for IPSec VPN connectivity. We have some 64-bit Vista users, and since the Cisco client does not support 64-bit Vista, we opted to try to set up our ASA 5510 with AnyConnect.

My question is: since we currently have IPSec VPN set up, can we also have the SSL VPN set up with AnyConnect?

(I'm not a Cisco router person, so please excuse my inexperience)

Thanks :)

5 Replies

JORGE RODRIGUEZ
Level 10

My question is: since we currently have IPSec VPN set up, can we also have the SSL VPN set up with AnyConnect?

Brian, yes, you can have both IPsec VPN for your regular Cisco VPN clients, SSL for WebVPN, and/or the SSL AnyConnect client. You can have both of these VPN technologies running on your firewall.

Best thing is to go to this link and take a quick tour of SSL VPN technology.

SSL/IPsec VPN Services for the Cisco ASA Series

http://www.cisco.com/en/US/prod/vpndevc/ps6032/ps6094/ps6120/asa_ssl.html

Details on SSL licensing: by default ALL ASAs come with two FREE SSL licenses, which provide 2 concurrent SSL connections, that is, two users using WebVPN or AnyConnect. If you need more than two SSL connections, you have to purchase more licenses.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39_ns347_Networking_Solutions_Brochure.html

Clientless SSL VPN (WebVPN)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

See SSL VPN/WebVPN, midway down the page, to learn about the different types of WebVPN/AnyConnect deployment scenarios.

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Regards

Jorge Rodriguez

Is there anywhere I can check in our ASA to see if we have more SSL licenses?

Two licenses will limit the 4 or so 64-bit users we have. But if that's how it has to be, we can schedule their VPN time.

Thanks for the info. I'm looking through it now :)

Brian

Do show version, and look for SSL VPN Peers.

Example on an ASA 5505:

    Licensed features for this platform:
    Maximum Physical Interfaces : 8
    VLANs : 20, DMZ Unrestricted
    Inside Hosts : Unlimited
    Failover : Active/Standby
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    SSL VPN Peers : 2
    Total VPN Peers : 25
    Dual ISPs : Enabled
    VLAN Trunk Ports : 8
    Shared License : Disabled
    AnyConnect for Mobile : Disabled
    AnyConnect for Linksys phone : Disabled
    AnyConnect Essentials : Disabled
    Advanced Endpoint Assessment : Disabled
    UC Phone Proxy Sessions : 2
    Total UC Proxy Sessions : 2
    Botnet Traffic Filter : Disabled


Two licenses will limit the 4 or so 64-bit users we have. But if that's how it has to be, we can schedule their VPN time.

I guess you could do that SSL VPN scheduling; you could actually schedule SSL VPN connection time in the tunnel profile per user. Unfortunately, you cannot buy an additional 2 SSL licenses; they are sold in bulk of 25, 50, and so on.

Jorge Rodriguez
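
Added example, not part of any post in this thread: a small Python parser for the licensed-features section of saved `show version` output, reporting whether the licensed SSL VPN Peers cover the concurrent AnyConnect/WebVPN sessions needed. The function names and the sample text are constructed for illustration; the sample reuses values from the excerpt above.

```python
import re

# Constructed sample: lines from the licensed-features excerpt quoted in the
# thread, laid out as saved `show version` output (blank lines are tolerated).
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Failover : Active/Standby
VPN-3DES-AES : Enabled

SSL VPN Peers : 2
Total VPN Peers : 25
AnyConnect Essentials : Disabled
"""

# "name : value" lines; the name is everything before the first colon.
FEATURE = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")

def parse_licensed_features(text):
    """Return {feature name: value} from the 'Licensed features' section."""
    features, in_section = {}, False
    for line in text.splitlines():
        if line.strip().lower().startswith("licensed features"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue  # skip everything before the section, and blank lines
        match = FEATURE.match(line)
        if match is None:  # first non "name : value" line ends the section
            break
        features[match.group(1)] = match.group(2)
    return features

def ssl_vpn_headroom(features, needed_sessions):
    """Licensed 'SSL VPN Peers' minus the concurrent sessions needed."""
    raw = features.get("SSL VPN Peers", "")
    if not raw.isdigit():
        raise ValueError("no numeric 'SSL VPN Peers' line found")
    return int(raw) - needed_sessions

if __name__ == "__main__":
    feats = parse_licensed_features(SAMPLE)
    # 4 concurrent users (the thread's 64-bit Vista users) against 2 licenses
    print("SSL VPN Peers:", feats["SSL VPN Peers"],
          "headroom:", ssl_vpn_headroom(feats, 4))
```

A negative headroom means that many users would be refused an SSL VPN session at peak, which is the situation the scheduling suggestion in this thread works around.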

Thanks for the info..

It looks like we only have the 2 default SSL licenses.

Seems we will be having a Cisco guru here in the next week or so to check over our current config and see how it meets our needs.

Thanks for your time, it helped :)

You're welcome.

Jorge Rodriguez