Performance : Anyconnect vs. IPSEC

Currently running a pair of 5520s as VPN routers on 8.0.3; we have been using only AnyConnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.
However, recently we tried testing some IPSEC clients and are realizing that the AnyConnect SSL VPN client is about 10x slower than the IPSEC client.
From my house, downloading over either CIFS or FTP, I can pull pretty close to 1.0mbps, while using AnyConnect I pull 0.1mbps.
Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?
Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.

Will do. sh vpn-any doesn't take.
Can't seem to find the same info as from ASDM. Seeing only one DTLS session below.
dhr-5668-fw# sh v?
  version          vlan    vpdn    vpn
  vpn-sessiondb
dhr-5668-fw# sh vpn-sessiondb ?
  detail       Show detailed output
  email-proxy  Email-Proxy sessions
  full         Output formatted for data management programs
  index        Index of session
  l2l          IPsec LAN-to-LAN sessions
  ratio        Show VPN Session protocol or encryption ratios
  remote       IPsec Remote Access sessions
  summary      Show VPN Session summary
  svc          SSL VPN Client sessions
  vpn-lb       VPN Load Balancing Mgmt sessions
  webvpn       WebVPN sessions
  |            Output modifiers
dhr-5668-fw# sh vpn-sessiondb
Active Session Summary
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :      23 :       1899 :              64
    Clientless only     :       0 :        301 :               5
    With client         :      23 :       1598 :              60 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       2 :         15 :               3
  IPsec Remote Access   :       0 :          0 :               0
  VPN Load Balancing    :       0 :          0 :               0
  Totals                :      25 :       1914
License Information:
  IPsec   :    250    Configured :    250    Active :      2    Load :   1%
  SSL VPN :    250    Configured :    250    Active :     23    Load :   9%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          2 :         15 :               3
  SSL VPN             :         23 :       1899 :              64
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :         25 :       1914
Tunnels:
                      Active : Cumulative : Peak Concurrent
  IKE           :          2 :         15 :               3
  IPsec         :          5 :         64 :               6
  IPsecOverNatT :         10 :        167 :              11
  Clientless    :         23 :       1899 :              64
  SSL-Tunnel    :         23 :       3128 :              60
  DTLS-Tunnel   :          0 :          1 :               1
  Totals        :         63 :       5274
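The tunnel counters pasted above already point at the likely cause: 23 active SSL-Tunnel entries and 0 active DTLS-Tunnel entries. An AnyConnect session that only has the TLS tunnel carries the user's TCP transfers inside a TCP connection, and that stacking collapses throughput as soon as there is packet loss or latency; the DTLS tunnel over UDP is what gives AnyConnect throughput comparable to IPsec. The following Python script is an added example, not code from the thread or from Cisco: it parses the Tunnels table of "show vpn-sessiondb" and flags sessions that never negotiated DTLS. The sample output is constructed from the counters shown above.

```python
"""Parse the 'Tunnels:' table of an ASA 8.x 'show vpn-sessiondb' and flag
AnyConnect sessions that are running on TLS/TCP only (no DTLS tunnel)."""
import re

# Constructed sample: the tail of the output shown in the post above.
SAMPLE_OUTPUT = """\
License Information:
  IPsec   :    250    Configured :    250    Active :      2    Load :   1%
  SSL VPN :    250    Configured :    250    Active :     23    Load :   9%
Tunnels:
                      Active : Cumulative : Peak Concurrent
  IKE           :          2 :         15 :               3
  IPsec         :          5 :         64 :               6
  IPsecOverNatT :         10 :        167 :              11
  Clientless    :         23 :       1899 :              64
  SSL-Tunnel    :         23 :       3128 :              60
  DTLS-Tunnel   :          0 :          1 :               1
  Totals        :         63 :       5274
"""

# One counter row: name : active : cumulative [: peak]. The column-header
# line ("Active : Cumulative : ...") has no digits and therefore never matches.
ROW_RE = re.compile(
    r"^\s*([A-Za-z-]+)\s*:\s*(\d+)\s*:\s*(\d+)(?:\s*:\s*(\d+))?\s*$")


def parse_tunnels(text):
    """Return {row name: {'active', 'cumulative', 'peak'}} for the Tunnels block."""
    rows, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Tunnels:":
            in_block = True
            continue
        if not in_block:
            continue
        if not stripped:            # a blank line ends the block
            break
        m = ROW_RE.match(line)
        if not m:
            continue                # the column-header line
        name, active, cumulative, peak = m.groups()
        rows[name] = {
            "active": int(active),
            "cumulative": int(cumulative),
            "peak": int(peak) if peak is not None else None,
        }
    return rows


def dtls_findings(rows):
    """Every AnyConnect session holds one SSL-Tunnel and, when DTLS negotiates,
    one DTLS-Tunnel, so comparing the two active counts shows how many
    sessions are stuck on TLS/TCP. Returns a list of human-readable findings."""
    ssl = rows.get("SSL-Tunnel", {}).get("active", 0)
    dtls = rows.get("DTLS-Tunnel", {}).get("active", 0)
    findings = []
    if ssl and dtls == 0:
        findings.append(
            f"{ssl} AnyConnect session(s) on TLS/TCP only, no DTLS tunnel at all: "
            "UDP 443 to the ASA is probably blocked or DTLS is disabled")
    elif ssl and dtls < ssl:
        findings.append(
            f"{ssl - dtls} of {ssl} AnyConnect session(s) have no DTLS tunnel")
    return findings


if __name__ == "__main__":
    for finding in dtls_findings(parse_tunnels(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against the output of "show vpn-sessiondb" captured from the CLI; a healthy DTLS deployment shows the DTLS-Tunnel active count tracking the SSL-Tunnel count, and the one cumulative DTLS tunnel in the sample above shows that a single client did negotiate it at some point.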

Similar Messages

  • Can AnyConnect & Cisco IPsec co-exist on client pc?

    Hi- a home user has to connect to one
    business using AnyConnect and to us using Cisco IPsec client.
    When installing AnyConnect, it wiped out the IPSec client. Can they co-exist on his pc and function side by side?
    I'm sure they can't be used simultaneously, but can't both clients be installed for very different connections?
    He's running 32-bit xp.
    Thanks.

    Kathy
    I am surprised that installation of AnyConnect removed the traditional IPSec client. I have not had that experience. I have several PCs running Windows XP SP3 which have both AnyConnect and IPSec clients installed. Either client works just fine (but not both at the same time).
    HTH
    Rick

  • Samsung Tab 10.1 WiFi Black 2014 Edition - Anyconnect and IPSec don't work

    I have an employee with a Samsung Tab 10.1 2014 black wifi-only edition tablet. She has tried to use both an IPsec connection and the Anyconnect for ICS+ (and the Anyconnect normal Android client and also the OpenConnect open source alternative to Anyconnect).
    The problematic behavior is the same on any VPN connection. The vpn client connects and then no traffic makes use of it. I can see the VPN session on the firewall and it shows no decrypted/decapsulated packets. Additionally, the tablet loses all internet access once the VPN connects (whether it is IPsec or Anyconnect) even though the VPN is set to use split tunneling (and I can see in the connection details that it is only set to tunnel a couple of /24 networks in the 10.x.x.x range).
    I have at least 20 other users that use the same VPN session groups with a variety of Windows, iOS and Android devices and so far, this Samsung tablet is the only problem.
    I have tried different accounts on this tablet and I have tried this employee's account on other devices and the problem remains only on the tablet. Her account works great logging in on my Samsung Galaxy S4 using both IPsec and Anyconnect client software. My account shows the same problem as her account when used on her tablet.
    I have applied all available updates on her tablet, it is currently running Android 4.4.2 and there are no updates available from Samsung for it.
    My phone is running 4.4.4 but the client app versions are the same on both devices.
    She has even exchanged the tablet for a replacement of the same model.
    Can anyone suggest any additional troubleshooting or cause for this problem?
    Basically it is as if the vpn client software works fine but the Android operating system simply ignores it except to stop all internet access.

    The warranty entitles you to complimentary phone support.
    If you bought the product in the U.S. directly from Apple (not from a reseller), you have 14 days from the date of delivery in which to exchange or return it for a refund. In other countries, the return policy may be different. If you bought from a reseller, its return policy applies.

  • Anyconnect and IPSec on ASA5505

    hello,
    ASA 5505 has only 2 SSL VPN peers and 25 VPN peers. When we connect to our company via AnyConnect I can see that these persons use protocol IKEv2 IPsecOverNatT, so it's suggested that they don't use SSL VPN. But when the third person is trying to connect via AnyConnect, they receive information about a failed login.
    Is it possible to set up AnyConnect or the ASA so that everyone who is defined on the ASA uses only IPsec, not SSL VPN?
    I'm using
    ASA version: 9.1
    ASDM version: 7.1
    thanks for your help 
    Robert

    For AnyConnect you need an additional license if you want to exceed two concurrent users. This is also the case for IPSec.
    You have two choices:
    1) Buy the license L-ASA-AC-E-5505= (it's about $50)
    2) Configure IKEv1 and use the traditional IPSec VPN-Client (EOS/EOL is announced for the Cisco client, but there are many other clients available)
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Monitoring Center for Performance 2 GRE IPSec

    Hi, guys
    Would you please tell me if "Monitoring Center for Performance 2" as it is bundled with VMS 2.3 supports monitoring for GRE IPSec?
    I know for sure that "Cisco Performance Monitor 3.0", which is bundled with CSM has this functionality.
    Thanks in advance,
    Mladen

    Yes, Performance Monitor as part of VMS 2.3.
    Use this document: Release Notes for Monitoring Center for Performance 2.0.2 on Windows and Solaris
    http://www.cisco.com/en/US/docs/security/security_management/vms/mcp/2.0.2/release/notes/release.html

  • Disable VPN IPSec in Mac OSX

    My company needs the following registry edits to create a VPN connection in Windows to connect to my company's network.
    Start a registry editor (e.g., regedit.exe).
    Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey.
    From the Edit menu, select New, DWORD Value.
    Enter a name of ProhibitIpSec and press Enter.
    Double-click the new value, set it to 1, and click OK.
    Now I have changed to a Mac on OS 10.8.x; when I try to configure the VPN connection, it keeps asking me for the pre-shared key (even on an Android device).
    Can anyone teach me how to do it on Mac/iOS?

    If you disable all of the remote access types (anyconnect, clientless, ipsec, etc.) it will still allow users to connect. Instead you have to get on the CLI and go into the group policy ("group-policy attributes"), then type "vpn-simultaneous-logins 0".
    According to the command output below this should disable all logins:
    VPN(config-group-policy)# vpn-simultaneous-logins ?
    group-policy mode commands/options:
      <0-2147483647>  Maximum number of simultaneous logins allowed, enter 0 to
                      disable login and prevent user access
    Note: that doesn't disconnect the clients that are already connected. You will have to do the following for the tunnel-group: "vpn-sessiondb logoff tunnel-group "

  • IPSEC or authentication between CE routers

    Hi, I am doing a research project for my master's degree and I was thinking of comparing the performance of deploying IPSEC and authentication between CE routers. So can someone provide me with some links on this and tell me how I can gather data from actual routers to compare the performance?
    Thanks in advance
    Srijal Gupta

    http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af8.html.
    HTH

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPSec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (router) with dynamic public IP -> dynamic crypto map on the ASA
    - Authentication with certificates
    - Integrity SHA2
    I have tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure it the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH group.
    For options 1) and 2) there is an extra license needed, but that's not very expensive.
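The rule in this answer (the stronger policy gets the smaller number, because the ASA evaluates IKEv1 policies in ascending priority order) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses "crypto ikev1 policy" blocks out of a config, ranks each policy by encryption, DH group and hash, and reports any pair where a weaker policy would be tried before a stronger one. The ranking scale and the weak-setting thresholds (DES, MD5, DH groups 1 and 2) are the example's own assumptions; the sample config is the three policies shown above.

```python
"""Check that ASA 'crypto ikev1 policy' blocks are ordered strongest-first
(smallest number = highest priority) and flag weak settings."""
import re

# Constructed sample: the three policies from the answer above plus one
# unrelated top-level line, to show that the parser stops at block boundaries.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
"""

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

# Assumed ranking scales (higher = stronger); only values the ASA accepts.
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
GROUP_RANK = {"1": 0, "2": 1, "5": 2, "14": 3}
HASH_RANK = {"md5": 0, "sha": 1}
# Assumed "weak" thresholds for the report.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_ikev1_policies(cfg):
    """Return {policy number: {keyword: value}} for every ikev1 policy block."""
    policies, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            cur = int(m.group(1))
            policies[cur] = {}
            continue
        if cur is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key not in POLICY_KEYS:      # any other command ends the block
            cur = None
            continue
        policies[cur][key] = value
    return policies


def strength(policy):
    """Comparable tuple: encryption first, then DH group, then hash."""
    return (ENC_RANK.get(policy.get("encryption"), -1),
            GROUP_RANK.get(policy.get("group"), -1),
            HASH_RANK.get(policy.get("hash"), -1))


def ordering_problems(policies):
    """Pairs (lower number, higher number) where the lower-numbered policy is
    weaker, i.e. the ASA would prefer it over a stronger one."""
    nums = sorted(policies)
    return [(a, b) for i, a in enumerate(nums) for b in nums[i + 1:]
            if strength(policies[a]) < strength(policies[b])]


def weak_settings(policies):
    """{policy number: ['group 2', ...]} for policies using a weak setting."""
    report = {}
    for num, p in sorted(policies.items()):
        issues = [f"{k} {p[k]}" for k in ("encryption", "hash", "group")
                  if p.get(k) in WEAK[k]]
        if issues:
            report[num] = issues
    return report


if __name__ == "__main__":
    pols = parse_ikev1_policies(SAMPLE_CONFIG)
    print("ordering problems:", ordering_problems(pols))
    print("weak settings:", weak_settings(pols))
```

Feed it the output of "show running-config crypto ikev1"; the report for the sample is empty for ordering (the answer's numbering is right) and lists policies 20 and 30 for their 1024-bit DH group 2.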

  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
    So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer)
    0 = No Client specified
    1 = Cisco VPN Client (IKEv1)
    2 = AnyConnect Client SSL VPN
    3 = Clientless SSL VPN
    4 = Cut-Through-Proxy
    5 = L2TP/IPsec SSL VPN
    6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert
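Herbert's answer names the two vendor-specific attributes (vendor ID 3076, attributes 146 and 150) the ASA adds to its Access-Request, and suggests deciding access on the server from the tunnel-group name. The following Python script is an added example, not code from the thread, from Cisco or from ACS: it encodes those attributes in the RFC 2865 Vendor-Specific (type 26) layout, decodes them back out of an attribute blob, and then applies the per-group tunnel-group allow-list from Dominic's question as the "dynamic" permit/deny decision. The RADIUS packet header, authenticator and shared-secret handling are deliberately out of scope; the allow-list table and the sample request are constructed for the example.

```python
"""Encode/decode the ASA's vendor 3076 RADIUS VSAs (Tunnel Group Name,
Client Type) and make a per-group tunnel-group authorization decision."""
import struct

VENDOR_ID = 3076              # vendor ID named in the answer above
ATTR_TUNNEL_GROUP_NAME = 146  # string
ATTR_CLIENT_TYPE = 150        # integer
VSA_TYPE = 26                 # RFC 2865 Vendor-Specific attribute type

CLIENT_TYPES = {
    0: "No Client specified", 1: "Cisco VPN Client (IKEv1)",
    2: "AnyConnect Client SSL VPN", 3: "Clientless SSL VPN",
    4: "Cut-Through-Proxy", 5: "L2TP/IPsec SSL VPN",
    6: "AnyConnect Client IPsec VPN (IKEv2)",
}

# Constructed allow-list mirroring the question: None means any tunnel-group.
ALLOWED_TUNNEL_GROUPS = {
    "VPN users global": None,
    "VPN users A": {"VPN profile A"},
    "VPN users B": {"VPN profile B", "VPN profile Z"},
}


def encode_vsa(vendor_id, vendor_type, value):
    """One Vendor-Specific attribute: Type(26) Len | Vendor-Id(4) | VType VLen value.
    Integers are sent as 4-byte big-endian, strings as raw bytes."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_attributes(blob):
    """Walk a run of RADIUS attributes; yield (type, vendor_id, vendor_type, value).
    Non-VSA attributes come back with vendor_id/vendor_type set to None."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute length")
        val = blob[i + 2:i + alen]
        if atype == VSA_TYPE:
            vendor_id = struct.unpack("!I", val[:4])[0]
            j = 4
            while j < len(val):
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed VSA sub-attribute length")
                out.append((VSA_TYPE, vendor_id, vtype, val[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((atype, None, None, val))
        i += alen
    return out


def asa_request_attrs(blob):
    """Return (tunnel_group_name, client_type) from the ASA's vendor 3076 VSAs."""
    tg, ct = None, None
    for atype, vid, vtype, val in decode_attributes(blob):
        if vid != VENDOR_ID:
            continue
        if vtype == ATTR_TUNNEL_GROUP_NAME:
            tg = val.decode()
        elif vtype == ATTR_CLIENT_TYPE and len(val) == 4:
            ct = struct.unpack("!I", val)[0]
    return tg, ct


def authorize(user_group, blob):
    """Accept only if the tunnel-group the user picked is on the group's list."""
    tg, _ct = asa_request_attrs(blob)
    if user_group not in ALLOWED_TUNNEL_GROUPS or tg is None:
        return "Access-Reject"
    allowed = ALLOWED_TUNNEL_GROUPS[user_group]
    return "Access-Accept" if allowed is None or tg in allowed else "Access-Reject"


# Constructed sample: a user selected tunnel-group "VPN profile Z" with AnyConnect SSL.
SAMPLE_REQUEST = (encode_vsa(VENDOR_ID, ATTR_TUNNEL_GROUP_NAME, "VPN profile Z")
                  + encode_vsa(VENDOR_ID, ATTR_CLIENT_TYPE, 2))

if __name__ == "__main__":
    tg, ct = asa_request_attrs(SAMPLE_REQUEST)
    print(tg, CLIENT_TYPES[ct], authorize("VPN users B", SAMPLE_REQUEST))
```

The decision deliberately keys on the tunnel-group name rather than on the class/group-lock attributes in the reply, which is exactly the limitation the answer describes: group-lock can carry only one name, whereas a server-side rule can allow any set.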

  • Ikev2 VPN without using a SSL license? (ASA-5512)

    Hi All,
    I've enabled Cisco "Anyconnect Premium Peers" for clientless SSL VPN connections; the obvious catch is that for IKEv2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for: "Total VPN Peers : 250").
    * Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
    * Do I have to consider 3rd party vpn clients, outside Anyconnect?
    cya
    Craig

    Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
    If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
    In a situation like that where lots of AnyConnect sessions were needed and only a couple of clientless sessions, I installed AnyConnect Essentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN Premium licenses it was much cheaper than buying Premium licenses for all VPN users.
    Sent from Cisco Technical Support iPad App

  • WLC integration with LDAP

    Hi all, and thank you in advance for any help/advice you might be able to offer....
    I'm having problems getting a WLC (7.0.220.0) working using LDAP (Windows 2008). This evening, in an effort to troubleshoot the problem further, I have configured the customer's ASA to use LDAP too and run a test....as you can see below, the test works flawlessly (on the ASA).
    aaa-server LDAP_TEST protocol ldap
    aaa-server LDAP_TEST host x.x.x.x
    server-port 389
    ldap-base-dn OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
    ldap-scope subtree
    ldap-login-password *
    ldap-login-dn CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
    server-type microsoft
    ASA/act# test aaa-server authentication LDAP_TEST host x.x.x.x username ldap password password
    INFO: Attempting Authentication test to IP address <x.x.x.x> (timeout: 12 seconds)
    INFO: Authentication Successful
    ASA/act#
    Now, my understanding is that the ASA only supports PAP (clear text) as Authentication method when communicating to an LDAP server....while on the Controller, I am using EAP-FAST....so my understanding would be that only EAP-FAST/GTC or EAP-FAST/MSCHAPv2 (IF the LDAP server is setup to return a clear text password) are supported.
    On the Controller, I am using the very same settings as I have used on the ASA (for the LDAP server configuration). However, users are still unable to Authenticate....they Associate, but do not Authenticate. The clients are all Windows 7 and are setup to use the in-built Cisco EAP-FAST as Authentication method. We are not using certificates.
    The thing is that I'm pretty sure that both the Windows 7 clients and the Controller are setup correctly but, as I said, the clients are still unable to authenticate.
    I guess that my questions are these:
    - on the client side, you can setup the laptops to use "Any method" as authentication method...but how does this exactly work? do they try both EAP-GTC and EAP-MSCHAPv2 (i.e. if it can't authenticate through EAP-GTC will then try EAP-MSCHAPv2?)
    - is it better to hardcode the clients to use EAP-GTC or EAP-MSCHAPv2 (instead of default "Any method")....when working on an LDAP environment
    - how can I check that the MS 2008 server is indeed setup to "return a clear text password" if using EAP-FAST/MSCHAPv2 (and I do realize that this is probably a question for a Microsoft forum)
    - how can I check that the LDAP server is configured to support EAP-GTC and/or EAP-MSCHAPv2??
    Thanks again.

    This is not an acceptable answer.  Steve, do you work for Cisco, or are you commenting on personal experience & knowledge?
    I have had a working RADIUS configuration for 2+ years of an ASA 5510 for authentication of AnyConnect SSL & IPSEC VPN clients with AD, and a WLC 2106 for authentication of WPA2-Enterprise w/802.1x certificates with AD. Both were configured to communicate with the same RADIUS server, which is a Windows Server 2003 DC with IAS/RADIUS and a CA installed. During the planning for installing a new Windows Server 2008 R2 DC, I decided to attempt to remove my reliance on RADIUS since authenticating directly with LDAP is becoming more common. I was successfully able to configure our ASA to do direct LDAP queries to AD, but similar to "superduperlopez" and "rschwenderman", I have been unable to configure the WLC the same way.
    I feel like the following line in Cisco's documentation is unsatisfactory:  "For example, Microsoft Active Directory is not supported because it does not return a clear-text password."
    I would take this to mean that the ASA is working correctly due to either:
    A) The ASA is accepting clear-text passwords from AD, and AD is configured to pass clear-text passwords, or
    B) The ASA is not accepting clear-text passwords from AD, and AD is not configured to pass clear-text passwords
    Now this would lead me to the following:
    A) Cisco has not properly updated the WLC documentation to instruct users how to correctly configure the WLC to do backend LDAP queries, or
    B) Cisco has not implemented the technology changes that were made in the ASA to the WLC
    This frustrates the average network admin, as it is seen by us as "If the ASA can do it, why can't the WLC". Also, don't get this confused with any "client" issues, as all that is being asked for is the WLC to use a different backend "authentication" server while not modifying the client side at all. The concept of "Local EAP" seems to fit, but doesn't work.
    I would really appreciate someone giving some insight on this topic, as there are three customers on this forum post that have had the same problem within the last 2 months.
    The previous posters, and myself, are not looking for someone to retype the documentation, but rather explain how it is working on one of Cisco's security products, but not the other.

  • TN3270 Plugin / ASA SSL Portal

    Hi Guys, I'm working on the SSL portal of my company and we need to have a 3270 emulator available in it. Do you know if there is a tn3270 plugin for the Cisco ASA SSL portal? Or is there a workaround to make it work?
    Thanks in advance,
    Regards
    Oscar

    Hello,
    Regarding the plugin, Nop.. There are no that much available plug-ins.
    So you have to other options:
    1- Smart tunnel ( You do not need to have administrative rights over the remote system, you only need to have the application locally installed)
    2- Port-forwarding ( You do  need to have administrative rights over the remote system and have the application locally installed)
    If those does not fit your expectations I will go for a tunnel all vpn ( Anyconnect or Ipsec remote access)
    Hope I could help.
    Julio
    Do rate all the helpful posts

  • Setting up IPsec VPNs to use with Cisco Anyconnect

    So I've been having trouble setting up VPNs on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this and still use Cisco AnyConnect. My knowledge of how to set up VPNs, especially in iOS version 8.4, is limited, so I've been using a combination of command line and ASDM.
    I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
    NOTE: We are still testing this ASA and it isn't in production.
    Any help you can give me is much appreciated.
    ASA Version 8.4(2)
    hostname ASA
    domain-name domain.com
    interface Ethernet0/0
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1
     nameif outside
     security-level 0
     ip address 50.1.1.225 255.255.255.0
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     no nameif
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.0.224_27
     subnet 192.168.0.224 255.255.255.224
    object-group service VPN
     service-object esp
     service-object tcp destination eq ssh
     service-object tcp destination eq https
     service-object udp destination eq 443
     service-object udp destination eq isakmp
    access-list ips extended permit ip any any
    ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
    no failover
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
    object network LAN
     nat (inside,outside) dynamic interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
    sysopt noproxyarp inside
    sysopt noproxyarp outside
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment self
     subject-name CN=ASA
     crl configure
    crypto ca server
     shutdown
    crypto ca certificate chain ASDM_TrustPoint0
     certificate d2c18c4e
        308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
        0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
        365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
        8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
        37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
        234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
        3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
        03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
        cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
        18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
        beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
        af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 20
     encryption aes
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 10
    console timeout 0
    management-access inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
     anyconnect profiles VPN disk0:/devpn.xml
     anyconnect enable
     tunnel-group-list enable
    group-policy VPN internal
    group-policy VPN attributes
     wins-server value 50.1.1.17 50.1.1.18
     dns-server value 50.1.1.17 50.1.1.18
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
     default-domain value digitalextremes.com
     webvpn
      anyconnect profiles value VPN type user
      always-on-vpn profile-setting
    username administrator password xxxxxxxxx encrypted privilege 15
    username VPN1 password xxxxxxxxx encrypted
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
     address-pool (inside) VPNPool
     address-pool VPNPool
     authorization-server-group LOCAL
     default-group-policy VPN
    tunnel-group VPN webvpn-attributes
     group-alias VPN enable
    tunnel-group VPN ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    class-map ips
     match access-list ips
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect http
     class ips
      ips inline fail-open
     class class-default
      user-statistics accounting
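One check worth running against the posted configuration, as an added example that is not from the thread or from Cisco: the pool VPNPool (192.168.0.225-192.168.0.250) sits inside the inside interface's own subnet (192.168.0.0/24). A pool that overlaps an interface subnet only works if the ASA answers ARP on that interface for the pool addresses, and this config carries "sysopt noproxyarp inside". The Python script below parses the interface blocks, the "ip local pool" line and the sysopt lines, and reports every overlap together with the proxy-ARP state. Both sample configs are constructed extracts of the post's config, and the 192.168.10.0/24 pool in the corrected variant is an assumed value.

```python
"""Report VPN address pools that overlap an ASA interface subnet, and whether
proxy ARP (needed for such a pool to work) is disabled on that interface."""
import ipaddress
import re

# Constructed extract of the config in the post above.
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 50.1.1.225 255.255.255.0
interface Management0/0
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
sysopt noproxyarp inside
sysopt noproxyarp outside
"""

# Assumed corrected variant: the pool moved to its own subnet.
SEPARATE_POOL_CONFIG = POSTED_CONFIG.replace(
    "192.168.0.225-192.168.0.250", "192.168.10.1-192.168.10.50")

POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)(?: mask (\S+))?")


def parse_interfaces(cfg):
    """Return {nameif: IPv4Interface} for every named interface with an address."""
    ifaces, name, addr = {}, None, None
    for raw in cfg.splitlines() + ["interface END"]:   # sentinel flushes the last block
        line = raw.strip()
        if line.startswith("interface "):
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()[:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def parse_pools(cfg):
    """Return {pool name: (first address, last address)}."""
    pools = {}
    for raw in cfg.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return pools


def noproxyarp_interfaces(cfg):
    """Names of interfaces with 'sysopt noproxyarp <nameif>'."""
    return {line.strip().split()[2] for line in cfg.splitlines()
            if line.strip().startswith("sysopt noproxyarp ")}


def pool_findings(cfg):
    """One finding per (pool, interface) pair whose address ranges overlap."""
    ifaces, pools, npa = parse_interfaces(cfg), parse_pools(cfg), noproxyarp_interfaces(cfg)
    findings = []
    for pool, (lo, hi) in pools.items():
        for nameif, iface in ifaces.items():
            net = iface.network
            if lo in net or hi in net:
                msg = f"pool {pool} ({lo}-{hi}) overlaps {nameif} subnet {net}"
                if nameif in npa:
                    msg += ("; proxy ARP is disabled on that interface "
                            "(sysopt noproxyarp), so LAN hosts cannot reach pool addresses")
                findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in pool_findings(POSTED_CONFIG):
        print(finding)
    print("separate pool:", pool_findings(SEPARATE_POOL_CONFIG))
```

Moving the pool to its own subnet (or re-enabling proxy ARP on inside) removes the finding; the NAT exemption object in the post, NETWORK_OBJ_192.168.0.224_27, would have to follow the pool if it moves.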

    Hi Marvin, thanks for the quick reply.
    It appears that we don't have Anyconnect Essentials.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

  • Anyconnect VPN via IPSec - Certificate issue

    Hi,
    I'm currently setting up a VPN-firewall and ran into problems with the certificates. I only want to enable IPSec connections via Anyconnect to the firewall. The client and the profile will be rolled out manually, so there is no need for anything web-based (portal, web-installer, SSL, etc.).
    The VPN-firewall is reached through the normal outside-firewall (NAT) via FQDN (vpn.abc.com).
The normal setup is finished, but I have problems regarding the certificate. First I generated a CSR with "cn=fw001.abc.com", installed it and bound it to the interface, but when I try to connect I get the certificate error ("cert doesn't match server name" and "ca not trusted"). Then I tried a new CSR with "cn=vpn.abc.com", but it's still the same. Tomorrow I will try to get the CA certificate to get rid of the "ca not trusted" message, but the one about the server name will still remain.
    I mean, the connection works, but it's this popup-window with the certificate warning that bothers me.
    I already had a similar configuration on another site, but there I had a wildcard certificate (*.xyz.com), which I installed as identity certificate and it worked properly.
    Questions:
    1.) Does anybody know what could be the issue here?
    2.) Do I need a certificate on the outside firewall? 
    Thanks in advance!

    Thanks for the response.
    First of all I need to state once again that I get 2 warnings:
    1.) Certificate does not match the server name.
    2.) Certificate is from an untrusted source.
    I know the procedure regarding certificates, I generated a request and got the proper signed licence, but the issue is the "server name not matching"-message. I created the CSR with the CN=vpn.abc.com, and got it signed with this CN. In the connection profile, the tunnel destination is also set to the domain and not the IP:
    "<HostAddress>vpn.abc.com</HostAddress>"
    But nevertheless, I get the message that the certificate doesn't match the server name. 
    I'm aware that the CA must be trusted on the PC, but this explains only the second message (untrusted) and not the mismatching name.
Like I said, I also tried it with CN=hostname.abc.com and sent the CSR for signing, but it was the same issue. What name must I use so that the first message doesn't show up?
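As an added example (not from the thread, and not AnyConnect's own code), here is the name-matching check a TLS client performs behind the first warning, following the RFC 6125 rules: SAN dNSName entries decide when present, and the CN is consulted only when no SAN exists and the client still honours that fallback. The hostnames vpn.abc.com, fw001.abc.com and the wildcard *.xyz.com are taken from the posts; whether a given client still uses the CN fallback is an assumption modelled by the cn_fallback flag.

```python
"""Server-name check a TLS client applies to a VPN gateway certificate.

Added example (not from the thread, not AnyConnect's code) modelling the
RFC 6125 rules: SAN dNSName entries are authoritative when present; the
CN is a legacy fallback that some clients honour and others ignore,
modelled by cn_fallback. Hostnames are the ones quoted in the posts.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """Only the naming fields relevant to the check (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against the requested host; a wildcard
    counts only as the whole left-most label (*.xyz.com), never the bare domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return (len(h_labels) == len(p_labels) + 1 and h_labels[0] != ""
            and h_labels[1:] == p_labels)


def matches_server_name(cert: ServerCert, host: str, cn_fallback: bool = True) -> bool:
    """True when the certificate is valid for the host the profile points at
    (the <HostAddress> value). With a SAN present the CN is never consulted."""
    if cert.san_dns:
        return any(name_matches(n, host) for n in cert.san_dns)
    return cn_fallback and name_matches(cert.common_name, host)


def explain_mismatch(cert: ServerCert, host: str, cn_fallback: bool = True) -> str:
    """Empty string when the check passes, otherwise the reason it failed."""
    if matches_server_name(cert, host, cn_fallback):
        return ""
    if cert.san_dns:
        return f"{host} is not among SAN dNSNames {cert.san_dns}"
    if not cn_fallback:
        return "no SAN present and this client does not consult the CN"
    return f"{host} does not match CN {cert.common_name!r}"
```

Inspecting which names the issued certificate actually carries in its SAN, not only its CN, tells you which branch a given client will take before the identity certificate is bound to the interface.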

  • Edit Anyconnect IPSEC Client text

    Hi
    I am trying to edit the text in the AnyConnect client for new and existing users of the client who make IPSEC connections to my ASA.
    I have followed this Cisco document:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac11customize.html
    I want to edit the text in the box which prompts you for group, username and password after clicking Connect following the application's launch. I want "Password:" to change to "Token Number:".
    Following the above document I have edited the template in
    Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages
    I changed the following by adding an entry in the quotation marks for msgstr:
    #: 0300000000000000e4fe180003000000
    #: 0300000000000000e4fe180003000000
    msgid "Password:"
    msgstr "Token Number:"
    After saving the changes on the ASA, I uninstalled the IPSEC AnyConnect client on my client machine and reinstalled it. The change is not recognised in the reinstalled client, and I presume this is because the information isn't pulled down from the ASA each time a new connection is established.
    Any help would be great
    thanks
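The table edited under GUI Text and Messages is a gettext-style .po file, which is what the "#:" / msgid / msgstr lines quoted above are. As an added example (not from the thread or from Cisco), here is a small parser and editor for that format, so the same "Password:" to "Token Number:" change can be made and reviewed offline before the table is loaded; the SAMPLE_PO fragment is constructed in the shape shown in the post.

```python
"""Edit an AnyConnect GUI Text and Messages table (.po format) offline.
Added example, not from the thread or Cisco. Continuation lines and
escaped quotes are not handled; SAMPLE_PO is constructed."""
import re
from typing import Dict, List

_FIELD = re.compile(r'^(msgid|msgstr)\s+"(.*)"$')

SAMPLE_PO = '''#: 0300000000000000e4fe180003000000
msgid "Password:"
msgstr ""

#: 0300000000000000e4fe180003000000
msgid "Username:"
msgstr ""
'''


def parse_po(text: str) -> List[Dict[str, object]]:
    """One dict per entry ({'comments', 'msgid', 'msgstr'}); blank lines separate entries."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if not cur:
            cur = {"comments": [], "msgid": "", "msgstr": ""}
        m = _FIELD.match(line)
        if line.startswith("#"):
            cur["comments"].append(line)   # reference/translator comments
        elif m:
            cur[m.group(1)] = m.group(2)  # msgid or msgstr value
    if cur:
        entries.append(cur)
    return entries


def set_translation(text: str, msgid: str, msgstr: str) -> str:
    """Override msgstr for msgid; KeyError when absent so a typo cannot silently keep the default."""
    entries = parse_po(text)
    hits = [e for e in entries if e["msgid"] == msgid]
    if not hits:
        raise KeyError(f"msgid {msgid!r} not in table")
    for e in hits:
        e["msgstr"] = msgstr
    blocks = ["\n".join(e["comments"] + [f'msgid "{e["msgid"]}"', f'msgstr "{e["msgstr"]}"'])
              for e in entries]
    return "\n\n".join(blocks) + "\n"
```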

    Can anyone offer any advice on how to change the text in the AnyConnect login box?
