07-01-2014 02:03 PM - edited 02-21-2020 07:42 PM
What download do I use to install Cisco AnyConnect to replace the Cisco VPN client? I want to try this on Windows 7 and Windows 8.
I had a look at the downloads section but I wasn't sure what I needed to download.
regards,
Kevin
07-01-2014 03:35 PM
It's not a straight replacement.
The legacy Cisco IPsec client works with an IPsec remote access (RA) VPN.
The AnyConnect Secure Mobility client supports two types of RA VPN configurations:
1. IPsec only with IKEv2 (requires updated software and configuration to replace an IPsec IKEv1 RA VPN)
2. Full-tunnel SSL VPN
So the head end (ASA or IOS router) needs to change configuration as well if you desire to change clients.
If you deploy via a package on the headend you would use:
anyconnect-win-3.1.05170-k9.pkg
If you deploy as a standalone package (i.e., not downloading from the head end) then use:
anyconnect-win-3.1.05170-pre-deploy-k9.iso
In the case of the ISO file you need to unpackage it (I find 7-zip works nicely) and run "setup.exe" from the included files (allows you to choose from among all the modules) or just the "anyconnect-win-3.1.05170-pre-deploy-k9.msi" (VPN module only). You can also burn the ISO to a DVD or CD if you're so inclined.
Note the above files are the current releases as of 1 July 2014. Future readers of this thread will have to check for current releases.
07-07-2014 09:02 AM
Are we definitely talking about the same thing? At the moment I am using the Cisco Systems VPN client Version 5.0.07.0290 to log in and authenticate on the Cisco ASA remotely. Then I have the firewall rules in place to talk to certain servers on the network.
I was under the impression I need to move to Cisco AnyConnect soon?
regards,
kevin
07-07-2014 05:24 PM
Yes,
You have to ensure your ASA is licensed for AnyConnect.
Do a 'show version' from the CLI on the ASA:
AnyConnect Premium Peers : 500 perpetual
AnyConnect Essentials : Disabled perpetual
Download the anyconnect-win-3.1.05170-k9.pkg to your ASA.
Configure your ASA for AnyConnect; the previous answer to this will help you.
Once done, all you need to do from your remote client is an HTTPS:// connection to the public address of your ASA, accept the certificates etc., and the AnyConnect software will be downloaded to your client.
HTH
Richard
07-07-2014 07:02 PM
Yes, migration off of the Cisco VPN client for a remote access VPN is the Cisco-recommended path for migration away from the legacy client which is discontinued and thus no longer being developed / updated for Windows 8 etc.
As Richard noted in his reply, it is separately licensed so it is more than simply changing a few configuration bits (although that is the bulk of the work and can be done in a basic way as Karthik explained in his earlier reply). There are also many many other options and enhanced functions one can implement on an AnyConnect-based remote access VPN that were never available on the legacy VPN client.
07-01-2014 11:08 PM
Hi Kevin,
Adding to Marvin's points... I prefer to keep the present IPsec RA VPN, and additionally you can configure the Cisco AnyConnect RA VPN on your ASA... do all the tests... then you can remove the old IPsec RA VPN from the appliance...
The best method is to add the required packages on the ASA appliance... when the end users authenticate with the new SSL VPN... the AnyConnect VPN client will be auto-downloaded to their machine and installed for them... from there they can access the internal resources as defined in your policies...
You can define the latest versions of the client packages from the Cisco site for Win 7/8, Linux, Mac, etc...
Make sure that you have the required AnyConnect license to support your requirement...
For example:
ASA-SSLVPN# conf t
ASA-SSLVPN(config)# webvpn
ASA-SSLVPN(config-webvpn)# port 443
ASA-SSLVPN(config-webvpn)# enable outside
ASA-SSLVPN(config-webvpn)# tunnel-group-list enable
ASA-SSLVPN(config-webvpn)# anyconnect image flash:/anyconnect-win-2.5.2019-k9.pkg
ASA-SSLVPN(config-webvpn)# anyconnect enable
ASA-SSLVPN(config-webvpn)# exit
ASA-SSLVPN(config)#
Define an access-list for our split tunnel configuration:
ASA-SSLVPN(config)# access-list SPLIT_TUNNEL permit 2.2.2.0 255.255.255.0
ASA-SSLVPN(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list SPLIT_TUNNEL; 1 elements; name hash: 0x63aa8f22
access-list SPLIT_TUNNEL line 1 standard permit 2.2.2.0 255.255.255.0 (hitcnt=0) 0xde939712
ASA-SSLVPN(config)#
Create our group policy for our ssl vpn:
ASA-SSLVPN(config)# group-policy SSLVPN_ASA internal
ASA-SSLVPN(config)# group-policy SSLVPN_ASA attributes
ASA-SSLVPN(config-group-policy)# split-tunnel-policy tunnelspecified
ASA-SSLVPN(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ?
group-policy mode commands/options:
  ikev1           IKE version 1
  ikev2           IKE version 2
  l2tp-ipsec      L2TP using IPSec for security
  ssl-client      SSL VPN Client
  ssl-clientless  SSL Clientless VPN
ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ssl-client
ASA-SSLVPN(config-group-policy)# webvpn
ASA-SSLVPN(config-group-webvpn)# anyconnect ssl ?
config-group-webvpn mode commands/options:
  compression    Configure compression for AnyConnect with SSL
  df-bit-ignore  Configure DF-Bit Ignore for AnyConnect with SSL
  dtls           Configure DTLS for AnyConnect with SSL
  keepalive      Configure the keepalive for AnyConnect with SSL
  rekey          Configure rekey for AnyConnect with SSL
ASA-SSLVPN(config-group-webvpn)# anyconnect ssl dtls enable
ASA-SSLVPN(config-group-webvpn)# anyconnect ssl keepalive 15
ASA-SSLVPN(config-group-webvpn)# anyconnect ssl compression deflate
ASA-SSLVPN(config-group-webvpn)# anyconnect keep-installer installed
ASA-SSLVPN(config-group-webvpn)# anyconnect ask enable
ASA-SSLVPN(config-group-webvpn)# exit
ASA-SSLVPN(config-group-policy)# exit
ASA-SSLVPN(config)#
We need to create an address pool to be assigned to our vpn users:
ASA-SSLVPN(config)# ip local pool SSLVPN_POOL 192.168.1.10-192.168.1.100
Now we create a tunnel-group and assign the group-policy:
ASA-SSLVPN(config)# tunnel-group SSLVPN type remote-access
ASA-SSLVPN(config)# tunnel-group SSLVPN general-attributes
ASA-SSLVPN(config-tunnel-general)# default-group-policy SSLVPN_ASA
ASA-SSLVPN(config-tunnel-general)# address-pool SSLVPN_POOL
ASA-SSLVPN(config-tunnel-general)# exit
ASA-SSLVPN(config)# tunnel-group SSLVPN webvpn-attributes
ASA-SSLVPN(config-tunnel-webvpn)# group-alias SSLVPN_GNS3
ASA-SSLVPN(config-tunnel-webvpn)# authentication aaa
ASA-SSLVPN(config-tunnel-webvpn)# exit
ASA-SSLVPN(config)#
We will create a new username to test our sslvpn:
ASA-SSLVPN(config)# username sslvpnuser password cisco
ASA-SSLVPN(config)# username sslvpnuser attributes
ASA-SSLVPN(config-username)# group-lock value SSLVPN
ASA-SSLVPN(config-username)# exit
Regards
Karthik
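A cross-reference check for the walkthrough above, as an added example that is not part of Karthik's post or any Cisco tooling: it verifies that every object the configuration refers to (ACL, group policy, address pool, tunnel group) is actually defined, and flags the split-tunnel policy and the test account's password for review before production. The sample text is constructed from the commands in the post; `audit`, `DEFINERS` and the `TRIVIAL` password list are hypothetical names and assumptions.

```python
import re

# Constructed sample: the commands entered in the walkthrough, without prompts.
SAMPLE_CONFIG = """\
webvpn
 anyconnect image flash:/anyconnect-win-2.5.2019-k9.pkg
 anyconnect enable
access-list SPLIT_TUNNEL permit 2.2.2.0 255.255.255.0
group-policy SSLVPN_ASA internal
group-policy SSLVPN_ASA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
ip local pool SSLVPN_POOL 192.168.1.10-192.168.1.100
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 default-group-policy SSLVPN_ASA
 address-pool SSLVPN_POOL
username sslvpnuser password cisco
username sslvpnuser attributes
 group-lock value SSLVPN
"""

# Referencing keyword -> pattern for the line that must define the named object.
DEFINERS = {
    "split-tunnel-network-list value": r"^access-list {} ",
    "default-group-policy": r"^group-policy {} internal",
    "address-pool": r"^ip local pool {} ",
    "group-lock value": r"^tunnel-group {} type remote-access",
}
TRIVIAL = {"cisco", "password", "admin"}  # assumed list, extend locally

def audit(config):
    """Return findings: dangling references plus settings worth a review."""
    findings = []
    for line in config.splitlines():
        s = line.strip()
        for keyword, pattern in DEFINERS.items():
            if s.startswith(keyword + " "):
                name = s[len(keyword):].split()[0]
                if not re.search(pattern.format(re.escape(name)), config, re.M):
                    findings.append(f"dangling reference: {s}")
        if s == "split-tunnel-policy tunnelspecified":
            findings.append("review: split tunnel, only listed networks are tunnelled")
        m = re.match(r"username (\S+) password (\S+)$", s)
        if m and m.group(2).lower() in TRIVIAL | {m.group(1).lower()}:
            findings.append(f"weak password: local user {m.group(1)}")
    if not re.search(r"^\s*anyconnect enable$", config, re.M):
        findings.append("webvpn: 'anyconnect enable' not found")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns the two review items; a misspelled pool or policy name shows up as a dangling reference.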