Facebook Forum - Configuring and Troubleshooting AnyConnect Client Features
Live chat with Cisco expert, Rahul Govindan on Configuring and Troubleshooting AnyConnect Client Features
Learn to configure and troubleshoot the various AnyConnect client features, including features controlled through AnyConnect XML profiles such as Start Before Logon (SBL), on-connect scripting and certificate authentication, as well as ASA-side features such as Cisco Secure Desktop (CSD)/Hostscan and Dynamic Access Policies (DAP) as they relate to the AnyConnect client.
Re: Facebook Forum - Configuring and Troubleshooting AnyConnect
Here's a summary of the chat in a Q&A format.
Let's start with the basic question. What is VPN?
VPN stands for Virtual Private Network, which is a way to provide secure access for users connecting to their corporate infrastructure. The AnyConnect VPN client is one such client that lets remote users connect securely. To learn more, read: https://supportforums.cisco.com/docs/DOC-8132
What is the AnyConnect Secure Mobility client and how is it different from legacy Cisco VPN client?
The Cisco AnyConnect Secure Mobility client is a multifunctional VPN client, providing remote users with secure VPN connections to a VPN headend device such as a Cisco ASA or IOS router. The AnyConnect client uses SSL (TLS and DTLS) or IPsec (IKEv2) protocols to establish secure VPN connections, unlike the legacy Cisco VPN client, which only uses IPsec (IKEv1) to establish connectivity.
The AnyConnect client comes with more advanced features such as Weblaunch, Start Before Logon (SBL) and Always On or Trusted Network Detection (TND), which allow more secure and flexible VPN connectivity for end users.
Can you explain different types of VPN connection?
There are two types of VPN: (1) site-to-site VPN, where we have secure connectivity between two or more fixed sites, and (2) remote access VPN, where individual users access a corporate infrastructure by connecting securely to a VPN headend. The AnyConnect VPN client is one such way to connect securely to a VPN headend, using the SSL or IKEv2 protocol. Say, for example, you are at home and want to connect to your office network: you would use a remote access VPN client to connect to a VPN gateway at the corporate site. Once connected, you would be able to access resources inside that protected network securely.
What are the license requirements for using AnyConnect Secure Mobility client?
AnyConnect requires an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license installed on the ASA firewall, which specifies the maximum number of concurrent remote access sessions from desktops/laptops. AnyConnect access from mobile devices requires an additional AnyConnect Mobile license to be installed on the ASA headend device.
The AnyConnect Essentials license provides basic AnyConnect client features (no Clientless and no Cisco Secure Desktop options) for a low price; the number of licenses is platform dependent.
Can you carry us through, step by step, using the VPN?
For a basic connection to the ASA headend using the AnyConnect client, you would first need to configure the ASA to accept SSL sessions. There are a couple of settings, like the shared key, the VPN client IP address pool and the client image, that you would need to configure on the ASA. Once that is done, you can use a browser to log in to the web page of the ASA and download the AnyConnect client to the user machine. Once a successful connection is made, you can use the downloaded client for connecting from then on. This is just a brief overview of the steps required. The detailed steps are here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
What are the AnyConnect features supported on iPhone/iPad?
Cisco AnyConnect provides reliable and easy-to-deploy encrypted network connectivity from Apple iOS 4.x and 5.x devices by delivering persistent corporate access for users on the go. Some of the AnyConnect features on iOS devices are listed below:
- Automatically adapts its tunneling to the most efficient method possible based on network constraints, using TLS and DTLS
- Compatible with the Apple iOS Connect On Demand VPN capability for automatic VPN connections when required by an application
- Connect On Demand requires certificate authentication
- Network roaming capability allows connectivity to resume seamlessly after an IP address change, loss of connectivity, or device standby
- Supports certificate deployment using Apple iOS and AnyConnect integrated SCEP
What is AnyConnect Client XML profile and what are its functions?
You enable Cisco AnyConnect Secure Mobility client features in the AnyConnect profile XML file, which provides basic information about connection setup as well as advanced features such as Start Before Logon (SBL). The ASA or IOS device deploys the profile during AnyConnect installation and updates.
The profiles are similar to the .pcf files used with the legacy Cisco VPN client but can control many more settings than just connection parameters. Multiple connection entries may be set up in a single XML profile (supported, though more than one is not recommended), unlike the single-connection-entry-per-.pcf-file restriction of the legacy client.
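As an added example (not part of the chat, and not Cisco's code), the script below parses a constructed AnyConnect client profile and audits the settings a practitioner would check before letting the ASA push it to users: SBL enabled and locked, on-connect scripting off unless intended, and the ServerList contents (including the "more than one HostEntry" case the answer above mentions). The element names (ClientInitialization, UseStartBeforeLogon, EnableScripting, ServerList, HostEntry, HostAddress, PrimaryProtocol) follow the AnyConnect profile schema as this editor knows it; the host names, group name and the assumption that a missing PrimaryProtocol means SSL are placeholders/assumptions, and the script does not validate against Cisco's XSD.

```python
"""Parse an AnyConnect client XML profile and audit security-relevant settings.

Added example, not Cisco code. The profile below is constructed for illustration;
hostnames and group names are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile: SBL on and locked, scripting off, two HostEntry
# connection entries in one ServerList (supported, but not recommended).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>Machine</CertificateStore>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (primary)</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
      <UserGroup>Employees</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN (backup)</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
      <UserGroup>Employees</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Same profile weakened: the user may switch SBL off, and scripting is enabled.
WEAK_PROFILE = SAMPLE_PROFILE.replace(
    '<UseStartBeforeLogon UserControllable="false">true',
    '<UseStartBeforeLogon UserControllable="true">true',
).replace(
    '<EnableScripting UserControllable="false">false',
    '<EnableScripting UserControllable="false">true',
)

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def _text(parent, tag, default=None):
    """Text of the first child element `tag` in the profile namespace, or default."""
    node = parent.find(f"ac:{tag}", NS)
    return node.text.strip() if node is not None and node.text else default


def parse_profile(xml_text):
    """Return (settings, entries): ClientInitialization values and ServerList hosts."""
    root = ET.fromstring(xml_text)
    settings = {}
    init = root.find("ac:ClientInitialization", NS)
    if init is not None:
        for child in init:
            local = child.tag.split("}", 1)[-1]  # strip namespace
            settings[local] = {
                "value": (child.text or "").strip(),
                # Assumption: treat a missing UserControllable as "true" (conservative).
                "user_controllable": child.get("UserControllable", "true") == "true",
            }
    entries = []
    for he in root.findall("ac:ServerList/ac:HostEntry", NS):
        entries.append({
            "name": _text(he, "HostName"),
            "address": _text(he, "HostAddress"),
            "group": _text(he, "UserGroup"),
            "protocol": _text(he, "PrimaryProtocol", "SSL"),  # assumed default
        })
    return settings, entries


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile passed."""
    settings, entries = parse_profile(xml_text)
    findings = []
    sbl = settings.get("UseStartBeforeLogon")
    if sbl is None or sbl["value"] != "true":
        findings.append("SBL is not enabled")
    elif sbl["user_controllable"]:
        findings.append("SBL is enabled but the user can turn it off")
    scripting = settings.get("EnableScripting")
    if scripting is not None and scripting["value"] == "true":
        findings.append("OnConnect/OnDisconnect scripting is enabled")
    if not entries:
        findings.append("ServerList has no HostEntry")
    elif len(entries) > 1:
        findings.append(f"{len(entries)} connection entries (supported, but more than one is not recommended)")
    for entry in entries:
        if not entry["address"]:
            findings.append(f"HostEntry {entry['name']!r} has no HostAddress")
    return findings


if __name__ == "__main__":
    for label, profile in (("sample", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, audit_profile(profile) or ["OK"])
```

Run as-is to see the sample profile flagged only for its second connection entry, while the weakened copy adds the SBL and scripting findings. The same `audit_profile` can be pointed at a profile exported from ASDM before it is bound to a group policy.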
Please explain the difference between IKEv1 and IKEv2.
There are many differences between IKEv1 and IKEv2; a few include fewer negotiation messages, better protection against DoS attacks and asymmetric authentication. In short, IKEv2 is better suited and better protected as a security protocol and fills some of the gaps in IKEv1.
I want to know about the license requirements. Assume that I have a Premium license for 100 users; if I configure my connection profile to uninstall the client application once used, will it be counted? Because I don't allow permanent installation on the client PC.
The 100-user AnyConnect Premium license allows a maximum of 100 concurrent users connected to the ASA using AnyConnect. So when a user disconnects from the VPN, that license count is freed so that another user may use it.
The AnyConnect Secure Mobility client provides the added advantage of deploying the client software through a web browser launch from the user machine (Weblaunch). The Weblaunch method can also be used to push updates and changes to the client, XML profiles and CSD settings for the end user. Apart from Weblaunch, the client and its components may also be packaged using MSI transforms and deployed using SMS/distribution software, as was done with the legacy Cisco VPN client.
Can AnyConnect be used as an IPSec client?
From AnyConnect 3.0 onwards, the Secure Mobility client can use IPsec IKEv2 to establish secure connectivity for remote users. IKEv2 offers greater security than the older IKEv1. Unlike IKEv1, IKEv2 is capable of supporting AnyConnect features such as Hostscan, dynamic access policies, and secure mobility.