Cisco Support Community
Community Member

VPNs:replacing a 3000 concentrator with ASAs

Hi Everyone

I've got a bit of a basic question but can't seem to find the answer via Google. Not touched firewalls for years so I'm a bit rusty.

Anyway, I need to replace a VPN 3000 concentrator with 2 ASA 5540s in active/standby configuration. The firewalls will be doing nothing but allowing remote IPsec users and AnyConnect users into the internal network.

Basically the ASAs will sit behind the DMZ (behind Checkpoint firewalls). The concentrator 3000 at the moment is communicating with Active Directory using Kerberos for authentication.

What I'd like to know is: can I simply do the same with the ASAs? Can I just authenticate users using Kerberos and leave it at that? Or will I need to use LDAP to set up authorisation?

Basically I'm hoping it's going to be as easy as copying the Kerberos info from the concentrator to the ASAs and allowing remote VPN users to get access to everything in the internal network.

As you can see, I'm more or less starting from scratch with firewalls, so any help is appreciated. Thanks

Cisco Employee

Re: VPNs:replacing a 3000 concentrator with ASAs

Are you doing any authorization at the moment with VPN3000, or only authentication?

Here is a sample configuration on ASA to use Kerberos to authenticate and LDAP for authorization:

However, please kindly advise if you are actually using authorization on the VPN3000 and what authorization you are actually doing. The reason I ask is that you might be able to do it differently with the ASA configuration.

Cisco Employee

Re: VPNs:replacing a 3000 concentrator with ASAs


ASA can do kerberos as AAA server:

ciscoasa(config)# aaa-server NAME protocol kerberos

However, Kerberos is not used for authorization of VPN users.

Summary of support per server, per function.

It can still be used to authenticate users.

The best idea, if you ask me, for authentication and authorization together is to use RADIUS; IAS servers, I believe, have an option to do it.
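A fuller version of the `aaa-server ... protocol kerberos` line above, as an added example that is not from the original thread or from Cisco: a Kerberos server group used only for authentication, an optional LDAP server group used only for authorization (the split the thread describes), and IPsec and AnyConnect remote-access tunnel groups that reference them. The interface names, addresses, realm, DNs, pool, group names and passwords are assumptions, as is ASA 8.4 or later syntax (the `ikev1` keyword and `vpn-tunnel-protocol ikev1 ssl-client`); the page gives none of these, and it assumes `webvpn` is already enabled on the outside interface with an AnyConnect image.

```cisco
! Added example, not from the original thread. All names, addresses, realm, DNs and
! passwords below are assumptions. Syntax is ASA 8.4+; on 8.2 use "pre-shared-key"
! and "vpn-tunnel-protocol ipsec svc" instead.

! Kerberos depends on clock agreement: Active Directory rejects requests outside its
! permitted skew (5 minutes by default), so sync the ASA to the domain controller.
ntp server 10.10.1.5 source inside

! Kerberos server group used for AUTHENTICATION only. The realm is the AD domain
! name and must be written in UPPER CASE.
aaa-server AD-KERBEROS protocol kerberos
aaa-server AD-KERBEROS (inside) host 10.10.1.5
 kerberos-realm EXAMPLE.LOCAL
 timeout 10

! Optional LDAP server group used for AUTHORIZATION only. Omit this group and the
! authorization-server-group lines below if Kerberos authentication alone is enough.
! The bind account only needs read access to the user objects.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.1.5
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-password>
 server-type microsoft

! Address pool and the group policy every remote user lands in unless LDAP
! authorization maps them to a different one. Define the pool before referencing it.
ip local pool RA-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ikev1 ssl-client
 address-pools value RA-POOL

! IPsec remote-access tunnel group for the legacy Cisco VPN Client.
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 authentication-server-group AD-KERBEROS
 authorization-server-group AD-LDAP
 default-group-policy RA-POLICY
tunnel-group RA-IPSEC ipsec-attributes
 ikev1 pre-shared-key <group-key>

! AnyConnect (SSL) tunnel group with the same AAA split.
tunnel-group RA-ANYCONNECT type remote-access
tunnel-group RA-ANYCONNECT general-attributes
 authentication-server-group AD-KERBEROS
 authorization-server-group AD-LDAP
 default-group-policy RA-POLICY
tunnel-group RA-ANYCONNECT webvpn-attributes
 group-alias anyconnect enable

! Verification, run from privileged EXEC (not config mode) before cutting users over.
test aaa-server authentication AD-KERBEROS host 10.10.1.5 username jdoe password <pw>
test aaa-server authorization AD-LDAP host 10.10.1.5 username jdoe
```

The two `test aaa-server` commands are the check worth running first: a Kerberos failure there is almost always clock skew or a lower-case realm, and an LDAP failure is almost always the bind DN or base DN. If the LDAP group and the `authorization-server-group` lines are left out, the configuration reduces to Kerberos authentication with every user placed in `RA-POLICY`, which is the "authentication only" setup the rest of the thread settles on.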


Community Member

Re: VPNs:replacing a 3000 concentrator with ASAs

Thanks for that!

I've checked the VPN concentrator and it has only been configured with authentication via Kerberos. What I need to configure is a basic setup on the firewalls so that remote users can log in via IPsec (using the VPN client) and Cisco AnyConnect. Can I simply use Kerberos to authenticate via Active Directory and leave it at that? I'm not very familiar with Active Directory and LDAP etc., so I'd rather not implement that if I don't have to.

Cisco Employee

Re: VPNs:replacing a 3000 concentrator with ASAs

Absolutely yes. You can just configure Kerberos for authentication if you don't require any authorization.
