Cisco Anyconnect and IPSEC vpn coexist on ASA 5520?

rajarora4
Level 1

Can a Cisco ASA 5520 that has been configured as an IPSEC VPN gateway and servicing IPSEC vpn clients also be configured as an ANYCONNECT VPN gateway and service anyconnect vpn clients simultaneously? Any negative impacts on performance or any other issues that anyone is aware of?


7 Replies

Jason Gervia
Cisco Employee

Raj,

This is perfectly acceptable and there are no adverse performance or other effects.  Lots of companies (including my own) do this.

--Jason

I currently have the ASA 5510 configured this way, 8.0(4).  One thing that I can't find an answer for is if both clients can use LDAP.  I have the anyconnect client using LDAP, but limited by the 2 connection limit.  I am hoping to use the 5.0.07 client with LDAP and not have that limitation.  Does anybody know if that works?

Thanks for the reply, we are trying to connect iPads to our corporate network and wanted to use Anyconnect for that. We currently use LDAP on the IPSEC vpn side for our windows machines for username/password. I plan on using LDAP with anyconnect for the iPads as well so yeah, if anyone knows of any limitation with this or if this will not work, that information would be greatly appreciated.

I assume by 2 connection limit you are referring to the 2 licenses for anyconnect?  You should investigate using the anyconnect essentials license, which is relatively cheap (100-200 dollars I think) and will allow you to go to the platform limit with AnyConnect.

You shouldn't have any issue using the IPSEC client with LDAP.  This is quite common - my company does both IPSEC and Anyconnect off the same interface using ldap authentication (even the same group-policy) for both.

--Jason

Thanks Jason. Appreciate the help.

Raj

As a follow up, I was just missing one command to make LDAP work with the IPSEC 5.x client.  I had to enable user authentication on the tunnel group; no isakmp ikev1-user-authentication none.  Once that was done, a box pops up after the initial connection for your AD user name and password.  I am checking into the AnyConnect Essential Licensing too to get beyond the 2 connection limit.  I was quoted a one-time fee of about $2k for a 25 user license.

Thanks,

Kyle
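The setup the thread describes (IPsec client and AnyConnect on the same outside interface, both authenticating against one LDAP server group and sharing a group-policy, with XAUTH enabled on the IPsec tunnel-group so the AD credential prompt appears) as an added configuration example; this is not from any post above. It assumes ASA 8.0(4)-era syntax, and every name, address and DN (CORP_LDAP, VPN_USERS, IPSEC_RA, ANYCONNECT_RA, 10.1.1.10, dc=example,dc=com) is a constructed placeholder.

```cisco
! --- one LDAP server group reused by both remote-access tunnel-groups ---
aaa-server CORP_LDAP protocol ldap
aaa-server CORP_LDAP (inside) host 10.1.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=ServiceAccounts,dc=example,dc=com
 ldap-login-password <PLACEHOLDER>
 server-type microsoft

! --- address pool and a single group-policy shared by IPsec and AnyConnect ---
ip local pool VPN_POOL 10.200.0.10-10.200.0.200 mask 255.255.255.0
group-policy VPN_USERS internal
group-policy VPN_USERS attributes
 vpn-tunnel-protocol ipsec svc
 address-pools value VPN_POOL

! --- IPsec (IKEv1) remote-access tunnel-group for the 5.x client ---
tunnel-group IPSEC_RA type remote-access
tunnel-group IPSEC_RA general-attributes
 authentication-server-group CORP_LDAP
 default-group-policy VPN_USERS
tunnel-group IPSEC_RA ipsec-attributes
 pre-shared-key <PLACEHOLDER>
 ! "xauth" makes the client prompt for AD username/password after IKE phase 1;
 ! "none" here would skip the user prompt entirely (group PSK only), which is
 ! the symptom the follow-up post describes before adding this line.
 isakmp ikev1-user-authentication xauth

! --- AnyConnect (SSL) tunnel-group using the same LDAP group and policy ---
tunnel-group ANYCONNECT_RA type remote-access
tunnel-group ANYCONNECT_RA general-attributes
 authentication-server-group CORP_LDAP
 default-group-policy VPN_USERS
tunnel-group ANYCONNECT_RA webvpn-attributes
 group-alias anyconnect enable

webvpn
 enable outside
 svc image disk0:/<PLACEHOLDER-anyconnect-pkg> 1
 svc enable
 tunnel-group-list enable
```

Verify with `show vpn-sessiondb` after connecting one client of each type; both sessions should show the same group-policy while the tunnel-group differs.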

It was recommended we use the Premium licenses instead of the Essentials but I am researching the differences. So far it looks like the premium is needed if you ever want to use the clientless features of the ASA.

Brent
