
Need to upgrade the VPN security

Hi,

we have an ASA 5505 base license 50 user v8.4(6) using classic IPsec VPN client. We have been told we need to upgrade the security of the VPN connection to support AES 256 bit encryption, and only accept this level of security, client is not allowed to connect if it is lower.

What do we need to do / buy for this? I have spent many hours looking and have only found a few pointers.

1. Upgrade the ASA software to the latest v9 (and ADSM too)

2. Move to Anyconnect client.

For the Anyconnect, I have found this URL which details that it can use 3DES or AES-256 but we need a strong encryption license.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html

Here is my SHOW VERSION. Does it already have the strong encryption license as it shows VPN-3DES-AES as enabled?

ciscoasa(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(6)
Device Manager Version 7.1(3)

Compiled on Fri 26-Apr-13 09:00 by builders
System image file is "disk0:/asa846-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 146 days 23 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Int: Internal-Data0/0    : address is 4c00.828f.c5bf, irq 11
1: Ext: Ethernet0/0         : address is 4c00.828f.c5b7, irq 255
2: Ext: Ethernet0/1         : address is 4c00.828f.c5b8, irq 255
3: Ext: Ethernet0/2         : address is 4c00.828f.c5b9, irq 255
4: Ext: Ethernet0/3         : address is 4c00.828f.c5ba, irq 255
5: Ext: Ethernet0/4         : address is 4c00.828f.c5bb, irq 255
6: Ext: Ethernet0/5         : address is 4c00.828f.c5bc, irq 255
7: Ext: Ethernet0/6         : address is 4c00.828f.c5bd, irq 255
8: Ext: Ethernet0/7         : address is 4c00.828f.c5be, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: xxxxxxxxxx

Running Permanent Activation Key: 0xdd2feb61 0xc829523d 0x10d29548 0x8d6c2cfc 0xc835088e
Configuration register is 0x1
Configuration last modified by enable_15 at 09:05:27.051 CEST Wed Jan 15 2014
ciscoasa(config)#

Do we need to buy Anyconnect Essentials or Premium? How can I configure the ASA to only allow AES 256 connections (is it even possible)? Finally, do we need to buy the Next Generation Encryption license to do this (I hope not - Cisco is not cheap).

Thanks very much.

Alasdair Barclay

1 Reply

Jouni Forss
VIP Alumni

Hi,

To my understanding the only license required for you to use AES-256 is to have the 3DES/AES license, which to my understanding can be acquired for free if your device is not licensed for it. Your device seems to be licensed for it.

You don't need to update the ASA software. You won't need to move to AnyConnect either, even though it would be suggestable in the long run as the Cisco VPN Client is not really supported anymore, even though I think it still works even with newer OS.

What I think you would need to do is simply remove all ISAKMP Policies and IPsec Transform Sets that use either DES or 3DES on your firewall, or rearrange the configurations so that no DES/3DES ISAKMP Policies are at higher priority than the AES ones, and you could remove the DES/3DES transform sets from the Dynamic Map configurations I suppose.

I have not had the opportunity to configure AnyConnect/IKEv2 so I can't really comment on that.

- Jouni
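The reply above boils down to a check that can be run against the text of `show running-config`: no ISAKMP/IKEv1 policy weaker than AES-256 may sit at a higher priority (lower number) than the first AES-256 policy, and no transform set referenced from the dynamic map may still offer DES, 3DES or AES-128. The script below is an added example written for this thread, not Cisco tooling and not the poster's own configuration; both config fragments in it are constructed samples in ASA 8.4 syntax (pre-8.4 `crypto isakmp policy` / `crypto ipsec transform-set` spellings are accepted too). It only audits the ASA side of the IKEv1 negotiation; the hash and DH group of each policy are not judged.

```python
"""Audit an ASA running-config for IKEv1/IPsec settings weaker than AES-256.

Hypothetical helper (not Cisco's). Reports: policies whose encryption is not
aes-256, any such policy that outranks the first aes-256 policy, transform
sets without esp-aes-256, and dynamic-map entries that still reference them.
"""
import re

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)\s*$")
ENC_RE = re.compile(r"^\s+encryption (\S+)")
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")

STRONG_IKE_ENC = "aes-256"     # IKE phase-1 cipher we insist on
STRONG_ESP_ENC = "esp-aes-256"  # IPsec (phase-2) transform we insist on

# Constructed "before" config: a 3DES policy outranks the AES-256 one and the
# dynamic map offers both transform sets, so a client can negotiate 3DES.
BEFORE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Constructed "after" config: the 3DES policy and transform set are gone.
AFTER_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""


def parse_policies(config):
    """Map IKEv1 policy priority -> encryption keyword (None if line omitted)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = None  # platform default applies; never aes-256
            continue
        m = ENC_RE.match(line)
        if m and current is not None:
            policies[current] = m.group(1)
    return policies


def parse_transform_sets(config):
    """Map transform-set name -> list of ESP transforms (skips 'mode transport')."""
    sets = {}
    for line in config.splitlines():
        m = TS_RE.match(line)
        if m and not m.group(2).startswith("mode "):
            sets[m.group(1)] = m.group(2).split()
    return sets


def parse_dynamic_maps(config):
    """List (map name, sequence, [transform-set names]) per dynamic-map entry."""
    return [(m.group(1), int(m.group(2)), m.group(3).split())
            for m in map(DYN_RE.match, config.splitlines()) if m]


def audit(config):
    """Return findings; an empty list means only AES-256 can be negotiated."""
    findings = []
    policies = parse_policies(config)
    aes_prios = [p for p, enc in policies.items() if enc == STRONG_IKE_ENC]
    first_aes = min(aes_prios) if aes_prios else None
    if first_aes is None:
        findings.append("no IKEv1 policy offers aes-256")
    for prio in sorted(policies):
        enc = policies[prio] or "default"
        if enc == STRONG_IKE_ENC:
            continue
        note = f"ikev1 policy {prio} uses {enc}"
        if first_aes is not None and prio < first_aes:
            note += f" and outranks aes-256 policy {first_aes}"
        findings.append(note)
    sets = parse_transform_sets(config)
    for name, transforms in sets.items():
        if STRONG_ESP_ENC not in transforms:
            findings.append(f"transform-set {name} allows {' '.join(transforms)}")
    for name, seq, names in parse_dynamic_maps(config):
        weak = [n for n in names if STRONG_ESP_ENC not in sets.get(n, [])]
        if weak:
            findings.append(f"dynamic-map {name} {seq} still offers {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit(cfg) or ["ok: AES-256 only"])
```

Run it against the saved output of `show running-config`, or paste the crypto section into `BEFORE_CONFIG`. The ordering rule matters because the ASA walks IKEv1 policies in ascending priority number, so a weak policy with a lower number wins the match first even if an AES-256 policy exists below it.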