Facebook Forum - Configuring and Troubleshooting AnyConnect Client Features

Live chat with Cisco expert Rahul Govindan on Configuring and Troubleshooting AnyConnect Client Features

Learn to configure and troubleshoot the various AnyConnect client features, including features driven by AnyConnect XML profiles such as Start Before Logon (SBL), on-connect scripting and certificate authentication, as well as specific features on the Adaptive Security Appliance (ASA) such as Cisco Secure Desktop (CSD)/Hostscan and Dynamic Access Policies (DAP) with respect to the AnyConnect client.

When: April 17, 2012, 3:30 pm IST


Re: Facebook Forum - Configuring and Troubleshooting AnyConnect

Here's a summary of the chat in a Q&A format.

Let's start with the basic question. What is VPN?

VPN stands for Virtual Private Network which is a way to provide secure access for users to connect to their corporate infrastructure. Anyconnect VPN client is one such client that provides the capability to connect securely for remote users. To learn more, read: https://supportforums.cisco.com/docs/DOC-8132

What is the AnyConnect Secure Mobility client and how is it different from legacy Cisco VPN client?

The Cisco AnyConnect Secure Mobility client is a multifunctional VPN client, providing remote users with secure VPN connections to a VPN headend device such as a Cisco ASA or IOS router. The AnyConnect client uses SSL (TLS and DTLS) or IPsec (IKEv2) protocols to establish secure VPN connections, unlike the legacy Cisco VPN client, which only uses IPsec (IKEv1) to establish connectivity.

The AnyConnect client comes with more advanced features such as Weblaunch, Start Before Logon (SBL) and Always On or Trusted Network Detection (TND), which allow more secure and flexible VPN connectivity for end users.

Can you explain different types of VPN connection?

There are two types of VPN: (1) site-to-site VPN, where we have secure connectivity between two or more fixed sites, and (2) remote access VPN, where individual users can access a corporate infrastructure by connecting securely to a VPN headend. The AnyConnect VPN client is one such way to connect securely to a VPN headend by using the SSL or IKEv2 protocol. Say, for example, you are at home and you want to connect to your office network: you would use a remote access VPN client to connect to a VPN gateway at the corporate site. Once connected, you would be able to access resources inside that protected network securely.

What are the license requirements for using AnyConnect Secure Mobility client?

AnyConnect requires an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license installed on the ASA firewall to specify the maximum number of remote access sessions from desktops/laptops supported at a time. AnyConnect access from mobile devices requires an additional AnyConnect Mobile license to be installed on the ASA headend device.

The AnyConnect Essentials license provides basic AnyConnect client features (no Clientless and no Cisco Secure Desktop options) for a low price, and the number of licenses is platform dependent.

Can you carry us through step by step using VPN

For a basic connection to the ASA headend using the AnyConnect client, you would first need to configure the ASA to accept SSL sessions. There are a couple of settings like the shared key, the VPN client IP address pool and the client image that you would need to configure on the ASA. Once that is done, you can use a browser to log in to the web page of the ASA and download the AnyConnect client onto the user machine. Once a successful connection is made, you can then use the downloaded client for connecting from then on. This is just a brief overview of the steps required. The detailed steps are here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

You can also check out the following video showing you how to configure an AnyConnect session with the ASA headend: https://supportforums.cisco.com/videos/1605

What are the AnyConnect features supported on iPhone/iPad?

Cisco AnyConnect provides reliable and easy-to-deploy encrypted network connectivity from Apple iOS 4.x and 5.x devices by delivering persistent corporate access for users on the go. Some of the AnyConnect features on iOS devices are listed below:

- Automatically adapts its tunneling to the most efficient method possible based on network constraints, using TLS and DTLS
- Compatible with the Apple iOS Connect On Demand VPN capability for automatic VPN connections when required by an application (Connect On Demand requires certificate authentication)
- Network roaming capability allows connectivity to resume seamlessly after an IP address change, loss of connectivity, or device standby
- Supports certificate deployment using Apple iOS and AnyConnect integrated SCEP

Find additional information on all the types of VPNs supported here: http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home.html

What is AnyConnect Client XML profile and what are its functions?

You enable Cisco AnyConnect Secure Mobility client features in the AnyConnect profile XML file, which provides basic information about connection setup as well as advanced features such as Start Before Logon (SBL). The ASA or IOS headend deploys the profile during AnyConnect installation and updates.

The profiles are similar to the .pcf files used with the legacy Cisco VPN client and can control many more settings than just connection parameters. Multiple connection entries may be set up using a single XML profile (more than one is supported, though not recommended), unlike the single-connection-entry-per-.pcf-file restriction.

Please explain the difference between IKEv1 and IKEv2.

There are many differences between IKEv1 and IKEv2; a few include fewer negotiation messages, better protection against DoS attacks and asymmetric authentication. In short, IKEv2 is better suited and protected as a security protocol and fills some of the gaps in IKEv1.

To learn more about ikev2, go to: https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/22/ike-version-2-at-a-glance

I want to know about the license requirements. Assume that I have a premium license for 100 users, if I configure my connection profile to uninstall the client application once used, will it be counted? Because I don’t allow permanent installation on the client PC

The 100-user AnyConnect Premium license will allow a maximum of 100 concurrent users connected to the ASA using AnyConnect. So if you disconnect from the VPN, a license count will be freed by that user so that another user may use that count.

Here is a link to the VPN videos on Cisco support community. Do check it out. There are some really interesting and informative videos there: https://supportforums.cisco.com/community/netpro/security/vpn?view=video

Additional information on the licensing for remote access VPN : http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488_ns347_Networking_Solutions_Brochure.html

How can we deploy AnyConnect client to end users?

The AnyConnect Secure Mobility client provides the added advantage of deploying the client software using a web browser launch from the user machine (Weblaunch). The Weblaunch method can also be used to push updates and changes to the client, XML profiles and CSD settings for the end user. Apart from Weblaunch, the client and components may also be packaged using MSI transforms and deployed using SMS/distribution software, as was done with the legacy Cisco VPN client.

Can AnyConnect be used as an IPSec client?

From AnyConnect 3.0 onwards, the Secure Mobility client can use IPsec IKEv2 to establish secure connectivity for remote users. IKEv2 offers greater security when compared to the older IKEv1. Unlike IKEv1, IKEv2 is capable of supporting AnyConnect features such as Hostscan, dynamic access policies, and secure mobility.

To view the archives on Facebook, go to:

http://www.facebook.com/note.php?note_id=377307092307900

To see the entire Facebook Forum, go to:

http://www.facebook.com/133380531411/posts/10150811466101412
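The XML profile discussed in the reply above (SBL, Always On/TND, connection entries and the SSL-or-IKEv2 choice per entry) lends itself to a small audit script. The following is an added example, not code from the original post or from Cisco: the two profiles embedded in it are constructed for illustration, the element names (ClientInitialization, UseStartBeforeLogon, AutomaticVPNPolicy, ServerList/HostEntry, PrimaryProtocol) follow the real AnyConnect profile schema, and the audit_profile function and the warnings it emits are this example's own.

```python
"""Audit an AnyConnect client XML profile (added example, not Cisco code).

The element names follow the real profile schema; the two profiles below
are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed profile: SBL on, Trusted Network Detection on, and two
# connection entries (the second uses IKEv2 as its primary protocol).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>false</AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (SSL)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN (IKEv2)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed profile: TND on but no trusted DNS criteria, no server list.
MINIMAL_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <AutomaticVPNPolicy>true</AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child(parent, name):
    """First direct child with the given local name, or None."""
    for elem in parent:
        if _local(elem.tag) == name:
            return elem
    return None


def _text(elem, default=None):
    """Stripped element text; copes with mixed content like '<X>true <Y/></X>'."""
    if elem is None or elem.text is None:
        return default
    return elem.text.strip() or default


def _flag(parent, name):
    """Boolean child element, false when absent."""
    return _text(_child(parent, name), "false").lower() == "true"


def audit_profile(xml_text):
    """Return the profile's key settings plus warnings about dubious ones."""
    root = ET.fromstring(xml_text)
    report = {"start_before_logon": False, "tnd": False, "always_on": False,
              "trusted_network_policy": None, "untrusted_network_policy": None,
              "hosts": [], "warnings": []}
    init = _child(root, "ClientInitialization")
    if init is not None:
        report["start_before_logon"] = _flag(init, "UseStartBeforeLogon")
        tnd = _child(init, "AutomaticVPNPolicy")
        if tnd is not None and _text(tnd, "false").lower() == "true":
            report["tnd"] = True
            report["trusted_network_policy"] = _text(_child(tnd, "TrustedNetworkPolicy"))
            report["untrusted_network_policy"] = _text(_child(tnd, "UntrustedNetworkPolicy"))
            report["always_on"] = _flag(tnd, "AlwaysOn")
            # TND classifies a network as trusted from DNS suffixes or servers;
            # with neither list present, no network can ever be "trusted".
            if _child(tnd, "TrustedDNSDomains") is None and _child(tnd, "TrustedDNSServers") is None:
                report["warnings"].append("TND enabled without TrustedDNSDomains or TrustedDNSServers")
    servers = _child(root, "ServerList")
    for entry in (servers if servers is not None else []):
        if _local(entry.tag) == "HostEntry":
            report["hosts"].append({
                "name": _text(_child(entry, "HostName")),
                "address": _text(_child(entry, "HostAddress")),
                # SSL is the default when PrimaryProtocol is omitted; "IPsec" means IKEv2.
                "primary_protocol": _text(_child(entry, "PrimaryProtocol"), "SSL"),
            })
    if not report["hosts"]:
        report["warnings"].append("no ServerList/HostEntry: users must type the headend address themselves")
    elif len(report["hosts"]) > 1:
        report["warnings"].append("multiple connection entries in one profile: supported but not recommended")
    return report


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_PROFILE), ("minimal", MINIMAL_PROFILE)):
        print(name, audit_profile(xml_text))
```

Point the script at a profile pulled from a client machine (on Windows the ASA-pushed copies live under the AnyConnect profile directory) to see which headend entries it contains and whether TND/Always On are actually able to trigger; the "not recommended" warning mirrors the reply's note about multiple connection entries in one profile.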
