Ikev2 VPN without using a SSL license? (ASA-5512)
Hi All,
I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for "Total VPN Peers : 250".
* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
* Do I have to consider 3rd party vpn clients, outside Anyconnect?
cya
Craig
Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
In a situation like that where lots of AnyConnect-Sessions were needed and only a couple of clientless sessions, I installed AnyConnectEssentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN-premium licenses it was much cheaper then buying Premium licenses for all VPN users.
Sent from Cisco Technical Support iPad App
Similar Messages
-
Access VPN without using credentials
We have cisco ASA 5585 and we are using CISCO ANYCONNECT VPN. I need to get one VPN user to access the VPN without using credentials, i think
this should done through Certificate. But I need to know the exact methodNo,sorry. Only Z2 has tap to wake.
All we have to decide is what to do with the time that is given to us - J.R.R. Tolkien -
Hi,
We are planning on putting Active/Standby pairs of ASA CSC bundles at three of our sites. We would also like to use these pairs as SSL head end devices.
The question is whether we really need to purchase two sets of SSL licenses (and for that matter CSC user licenses) when only one device will ever be active in the proposed scenario?
I would be very grateful if anyone can clear this up as I have not been able to find anything definitive on Cisco's web or through their distribution channels.
Thanks
RichardsHi Raj,
Thanks for the response,i was worried that this was the case. Are you totally sure, have you deployed a similar scenario?
We're looking at the 500 user license (list at $30k) so it is harsh that we need to purchase the license twice. I'm sure Cisco will rectity this over time though.
Thanks -
How to Implement SSL with Oracle Applications R12 without using Load Balanc
How to Implement SSL with Oracle Applications R12.1.3 without using Load Balancer
Please refer to (Enabling SSL in Release 12 [ID 376700.1]).
Thanks,
Hussein -
We have a 5520 ASA with a 100 user ssl license. We need to increase this but 250 is overkill. Is there an option to just add 50 more licenses or do we have to go up to 250?
Sent from Cisco Technical Support iPhone AppThat's right - the next level after 100 is 250. Please refer to this post for more details.
-
Browsing Oracle application using CISCO SSL VPN forms not opening
Hi all,
Any idea why am not able to access my application using CISCO SSL VPN.Normal clients are able to use our application there is no problem.i have modifyed the "certdb.txt",still i am having the same problem.here am attaching the Java console output.
java.net.ConnectException: Operation timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
at sun.misc.URLClassPath$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(Unknown Source)
at sun.misc.URLClassPath.getLoader(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmwebutil.jar
java.net.ConnectException: Operation timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.net.www.http.HttpClient.<init>(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
at sun.misc.URLClassPath$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(Unknown Source)
at sun.misc.URLClassPath.getLoader(Unknown Source)
at sun.misc.URLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmall_jinit.jar
java.net.ConnectException: Operation timed out: connectHi,
From your description, my understanding is that you get invalid workflowinstanceid error when you click on workflow link like "inprogress” in the current list.
Please check the URL of workflow “inprogress” (also URL for workflow approval instance to open task form) to see if it’s correct.
Please use your company network directly instead of CISCO SSL VPN, then access SharePoint portal url “https://vpnssl.companyname.com/”, see if the issue still occur.
Also, check the ULS log on the SharePoint server based on the Correlation ID value, get more detailed information about this error message.
And you could refer to this similar issue:
https://social.technet.microsoft.com/Forums/en-US/08aa6b33-cef6-4b01-8af7-6c25ed7d9953/invalid-workflowinstanceid-parameter-in-url?forum=sharepointgeneralprevious.
Best Regards
Vincent Han
TechNet Community Support -
I can't set up gmail in my iPad 2. Keep on saying ' can't connect with SSL and ask me whether to connect without using SSL, then I press 'yes' and it said again IMAP is not working and tell me to see network connection and incoming mail server. No idea how to do anymore. Already tried to figure out. But not work. Can anyone pls help me?
Nope, doesn't pass verification. I get the spinner for a minute or so, then the alert about setting it up without SSL. Are you suggesting I disable Fetch and Push BEFORE I enter the account details? Because I never get past the account details screen, unless I choose "Set up without SSL" after the warning.
-
Mac won't connect to the web without using a vpn...
I know...it doesn't make sense. I have been buying and using a vpn service, IPVanish, for 3 months now and I have always just had it turned on. But now I no longer use it because of payment issues and it not being that great and since then my computer can't connect to the internet without using some sort of vpn. I can use skype, my email, steam, really anything except my web browser. I go to start it up w/o being connected to a vpn and it wont load a webpage. Does anyone know what to do...if so please help!!
Back up all data.
From the menu bar, select
▹ System Preferences ▹ Network
If the preference pane is locked, click the lock icon in the lower left corner and enter your password to unlock it. Then click the Advanced button and select the Proxies tab. If any proxy options are selected, make a note of them and then deselect them. You don’t need to change the bypass or FTP settings. Click OK and then Apply. Test. The result may be that you can't connect to any web server. Restore the previous settings if that happens. -
How used single ssl for tow exchange server without clustering
how used single ssl for tow exchange server without clustering
exchange 2003 std fron-end server
used for add new server for owa failover or standbyOlivia, hopefully by now you have solved your issue but just for the sake of answering that question here so that people having the same issue can later find it I'll go through the motions:
there are a couple of ways you can achieve this.
A. get a certificate for free out there
B. generate your own self signed "fake" certificate.
certutil will certainly let you do this, here's how:
1. First, create a file/directory layout to store your certificates
mkdir -p /path/to/certificates/selfsignedCA2. Initialize a database for the certificate you want to create
certutil -N -d /path/to/certificates/selfsignedCA -P "ca-"3. Create a self-signed CA certificate
certutil -S -x -n "ca-cert" -s "cn=SelfSigned CA Certificate,dc=yourSuffix" -t CTPu -v 120 -d /path/to/certificates/selfsignedCA -P "ca-" -5Note: when prompted, select choice (5) SSL CA and 'y' for critical extensions
4. Export the your newly created self-signed CA certificate in PEM format
certutil -L -d /path/to/certificates/selfsignedCA -P "ca-" -n "ca-cert" -a > /path/to/certificates/selfsignedCA.pemthat should get you going
-=arnaud=- -
The SSL lock icon does not appear in new Firefox 4 during use of SSL. Why was it removed? Only method of determining successful SSL use is through the use of a sniffer and netstat. There is no obvious lock anywhere in the browser while using SSL
ALSO.... STOP CHANGING THE ORDER OF THE OPEN NEW TAB/OPEN NEW WINDOW UNDER THE FILE->list.The "Site Identity button", which provides a lot more pertinent information about a web site, was introduced in Firefox 3, and was used along with the "Security Lock icon"; that "Lock icon" was finally removed from Firefox 4 versions. <br />
https://support.mozilla.com/en-US/kb/Site+Identity+Button <br />
http://www.dria.org/wordpress/archives/2008/05/06/635/ <br />
This extension will add a "lock" in the S-I-B display.<br />
https://addons.mozilla.org/en-US/firefox/addon/padlock-icon/ -
Setting up IPsec VPNs to use with Cisco Anyconnect
So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accountingHi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
VM with remote access VPN without split tunneling
Hello experts,
I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
My Question to Experts:
1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
Thanks for your help,
RaziDid you figure this out?
-
ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)
Hey all,
I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
Thanks!Hi,
The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
AM -
FlexVPN without using certificates
Hi All,
Is there a way we can use Anyconnect VPN clinets with FlexVPN without the Certificate based authentication ( Like in old Cisco VPN clients using Group Key) ?
Is there a way to use the Cisco router itslef as the CA wihtout getting external Windows server involved in the whole setup (with FlexVPN setup + Anyconnect) ?
Thanks in Advance !Shamal,
When using IOS as headend there is no need to use SSL during initial connect, with the caveat that profile NEEDS to be provisioned to client out of band.
Now once the profile is there, you need to make sure that it's being called - i.e. provide the hostname of the gateway you are trying to connect to.
In my documentation it was :
bsns-1941-4.cisco.com
So this is what as destination of my connection. Anyconnect will lookup profile based on the tag.
Regarding EAP currently we are limited to non-tunneled EAP methods on Anyconnect VPN.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
EAP methods: MD5, GTC, and MSCHAPv2
But if you go with the mothod I provided
true IKE-RSA
there is no need to use EAP. However you CAN use it.
M. -
Installation issue - using a remote server without using remote desktop or citrix
Hello Experts..
We have a client who wants to install SAP Client (SAP 9 PL 11) in their local machines, but connecting to a remote server. They want to avoid connecting through Remote Desktop or Citrix.They already installed SAP clients in local pc's and when they select the server, they already configured it to a server located overseas. We succed on achieve the connection, but the performance is really poor (sometimes it takes about 2 minutes to open a simple menu in SAP).
We ran internet speed tests in the client's office and in the server, and both results were more than satisfactory. But we couldn't come up with a reason for this enviroment works properly..
The question is... Is this kind of enviroment supported by SAP?? Do you know about any alternative to connect from the local PC to a remote server without using remote desktop or citrix??
Thanks in advance...
Raúl FragueiroHi,
I assumed you are using VPN connection right?
In your scenario that is normal since the GUI of SAP B1 is not built for type of connection compare
to SAP ERP GUI.
The only SAP supported type of remote connection is either Terminal Server or Citrix.
In our own scenario we are using Terminal Server and we are very satisfied. We have used
this between to different cities. This is also prevents data corruption cause by intermittent
internet connection.
Hoping you will be convinced of using Terminal Server or Citrix.
By the way, a quick question, why are you hesitant to use RDC or Citrix?
For overview, if your remote requirement is just simple and basic you may use Terminal Server.
The implementation of this is very fast and simple also, what you need is only a license.
If complex and advance features connection requirement connection use Citrix.
For better understanding you may search from the site for the difference of the two.
Thanks.
Regards,
Clint
Maybe you are looking for
-
I have been using this for as long as the feature has been available along with App tabs. All of a sudden it no longer works. I have tried resetting the option to something else and then back again. I've also tried reloading and reinstalling Firefox.
-
Transfer data between systems realtime
Dear All, I have the following issue: In System1 we create Purchase Order (PO) and in System2 a Sales Order (SO) reference to that PO. The line item in the PO in System1 have Profit Center PC1 assigned. In System2 the SO has PC2 assigned to line item
-
Network drives show while connected
I have a WD NetworkCenter Drive connects to the network via CAT5, here is the poser, this will not connect or be seen while I am wireless, but once I plug in the CAT5 Cable, all SHARED drive connections are there. Would some one please tell me what a
-
SPLongOperation throws error "Thread was being aborted"
Recently we have migrated our SharePoint application from 2010 to 2013, we have upgraded our solution from VS 2012 to VS 2013 and deployed it successfully in newly installed SharePoint 2013 prior to content DB migrate and all. In our solution, we had
-
TS1702 setting for what chat or internet connection through 3G
I can use internect and whatchat now in locations without Wifi service. Such occurence happened only after I reset my I phone to enable it to use Wifi service. I want to use both services in all situations. I think that there must be something wrong