Ikev2 VPN without using a SSL license? (ASA-5512)

Hi All,
I've enabled Cisco "Anyconnect Premium Peers" for client less ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool  (which I have lots of connection licenses for "Total VPN Peers : 250".
* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
* Do I have to consider 3rd party vpn clients, outside Anyconnect?
cya
Craig

Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
In a situation like that where lots of AnyConnect-Sessions were needed and only a couple of clientless sessions, I installed AnyConnectEssentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN-premium licenses it was much cheaper then buying Premium licenses for all VPN users.
Sent from Cisco Technical Support iPad App

Similar Messages

  • Access VPN without using credentials

    We have cisco ASA 5585 and we are using CISCO ANYCONNECT VPN. I need to get one VPN user to access the VPN without using credentials, i think
    this should done through Certificate. But I need to know the exact method

    No,sorry. Only Z2 has tap to wake.
    All we have to decide is what to do with the time that is given to us - J.R.R. Tolkien

  • ASA SSL Licensing query

    Hi,
    We are planning on putting Active/Standby pairs of ASA CSC bundles at three of our sites. We would also like to use these pairs as SSL head end devices.
    The question is whether we really need to purchase two sets of SSL licenses (and for that matter CSC user licenses) when only one device will ever be active in the proposed scenario?
    I would be very grateful if anyone can clear this up as I have not been able to find anything definitive on Cisco's web or through their distribution channels.
    Thanks
    Richards

    Hi Raj,
    Thanks for the response,i was worried that this was the case. Are you totally sure, have you deployed a similar scenario?
    We're looking at the 500 user license (list at $30k) so it is harsh that we need to purchase the license twice. I'm sure Cisco will rectity this over time though.
    Thanks

  • How to Implement SSL with Oracle Applications R12 without using Load Balanc

    How to Implement SSL with Oracle Applications R12.1.3 without using Load Balancer

    Please refer to (Enabling SSL in Release 12 [ID 376700.1]).
    Thanks,
    Hussein

  • Asa ssl licensing

    We have a 5520 ASA with a 100 user ssl license. We need to increase this but 250 is overkill. Is there an option to just add 50 more licenses or do we have to go up to 250?
    Sent from Cisco Technical Support iPhone App

    That's right - the next level after 100 is 250. Please refer to this post for more details.

  • Browsing Oracle application using CISCO SSL VPN forms not opening

    Hi all,
    Any idea why am not able to access my application using CISCO SSL VPN.Normal clients are able to use our application there is no problem.i have modifyed the "certdb.txt",still i am having the same problem.here am attaching the Java console output.
    java.net.ConnectException: Operation timed out: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(Unknown Source)
         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
         at java.net.PlainSocketImpl.connect(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
         at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
         at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
         at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
         at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
         at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
         at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
         at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
         at sun.misc.URLClassPath$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.misc.URLClassPath.getLoader(Unknown Source)
         at sun.misc.URLClassPath.getLoader(Unknown Source)
         at sun.misc.URLClassPath.getResource(Unknown Source)
         at java.net.URLClassLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(Unknown Source)
         at sun.applet.AppletClassLoader.findClass(Unknown Source)
         at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadCode(Unknown Source)
         at sun.applet.AppletPanel.createApplet(Unknown Source)
         at sun.plugin.AppletViewer.createApplet(Unknown Source)
         at sun.applet.AppletPanel.runLoader(Unknown Source)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmwebutil.jar
    java.net.ConnectException: Operation timed out: connect
         at java.net.PlainSocketImpl.socketConnect(Native Method)
         at java.net.PlainSocketImpl.doConnect(Unknown Source)
         at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
         at java.net.PlainSocketImpl.connect(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.doConnect(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.openServer(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.net.www.http.HttpClient.<init>(Unknown Source)
         at sun.plugin.protocol.jdk12.http.HttpClient.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.<init>(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsClient.New(Unknown Source)
         at oracle.jinitiator.protocol.https.HttpsURLConnection$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.jinitiator.protocol.https.HttpsURLConnection.connect(Unknown Source)
         at sun.plugin.protocol.jdk12.http.HttpURLConnection.getInputStream(Unknown Source)
         at oracle.jre.protocol.jar.HttpUtils.followRedirects(Unknown Source)
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.download(Unknown Source)
         at oracle.jre.protocol.jar.JarCache$CachedJarLoader.load(Unknown Source)
         at oracle.jre.protocol.jar.JarCache.get(Unknown Source)
         at oracle.jre.protocol.jar.CachedJarURLConnection.connect(Unknown Source)
         at oracle.jre.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source)
         at sun.misc.URLClassPath$JarLoader.getJarFile(Unknown Source)
         at sun.misc.URLClassPath$JarLoader.<init>(Unknown Source)
         at sun.misc.URLClassPath$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.misc.URLClassPath.getLoader(Unknown Source)
         at sun.misc.URLClassPath.getLoader(Unknown Source)
         at sun.misc.URLClassPath.getResource(Unknown Source)
         at java.net.URLClassLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at java.net.URLClassLoader.findClass(Unknown Source)
         at sun.applet.AppletClassLoader.findClass(Unknown Source)
         at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadCode(Unknown Source)
         at sun.applet.AppletPanel.createApplet(Unknown Source)
         at sun.plugin.AppletViewer.createApplet(Unknown Source)
         at sun.applet.AppletPanel.runLoader(Unknown Source)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    WARNING: Unable to cache https://212.72.22.86/+CSCO+1a756767633A2F2F62656E6A726F322E7A75712E70622E627A++/forms/java/frmall_jinit.jar
    java.net.ConnectException: Operation timed out: connect

    Hi,
    From your description, my understanding is that you get invalid workflowinstanceid error when you click on workflow link like "inprogress” in the current list.
    Please check the URL of workflow “inprogress” (also URL for workflow approval instance to open task form) to see if it’s correct.
    Please use your company network directly instead of CISCO SSL VPN, then access SharePoint portal url “https://vpnssl.companyname.com/”,  see if the issue still occur.
    Also, check the ULS log on the SharePoint server based on the Correlation ID value, get more detailed information about this error message.
    And you could refer to this similar issue:
    https://social.technet.microsoft.com/Forums/en-US/08aa6b33-cef6-4b01-8af7-6c25ed7d9953/invalid-workflowinstanceid-parameter-in-url?forum=sharepointgeneralprevious.
    Best Regards
    Vincent Han
    TechNet Community Support

  • I can't set up gmail in my iPad 2. Keep on saying ' can't connect with SSL and ask me whether to connect without using SSL, then I press 'yes' and it said again IMAP is not working and tell me to see network connection and incoming mail server.

    I can't set up gmail in my iPad 2. Keep on saying ' can't connect with SSL and ask me whether to connect without using SSL, then I press 'yes' and it said again IMAP is not working and tell me to see network connection and incoming mail server. No idea how to do anymore. Already tried to figure out. But not work. Can anyone pls help me?

    Nope, doesn't pass verification. I get the spinner for a minute or so, then the alert about setting it up without SSL. Are you suggesting I disable Fetch and Push BEFORE I enter the account details? Because I never get past the account details screen, unless I choose "Set up without SSL" after the warning.

  • Mac won't connect to the web without using a vpn...

    I know...it doesn't make sense. I have been buying and using a vpn service, IPVanish, for 3 months now and I have always just had it turned on. But now I no longer use it because of payment issues and it not being that great and since then my computer can't connect to the internet without using some sort of vpn. I can use skype, my email, steam, really anything except my web browser. I go to start it up w/o being connected to a vpn and it wont load a webpage. Does anyone know what to do...if so please help!!

    Back up all data.
    From the menu bar, select
     ▹ System Preferences ▹ Network
    If the preference pane is locked, click the lock icon in the lower left corner and enter your password to unlock it. Then click the Advanced button and select the Proxies tab. If any proxy options are selected, make a note of them and then deselect them. You don’t need to change the bypass or FTP settings. Click OK and then Apply. Test. The result may be that you can't connect to any web server. Restore the previous settings if that happens.

  • How used single ssl for tow exchange server without clustering

    how used single ssl for tow exchange server without clustering
    exchange 2003 std fron-end server
    used for add new server for owa failover or standby 

    Olivia, hopefully by now you have solved your issue but just for the sake of answering that question here so that people having the same issue can later find it I'll go through the motions:
    there are a couple of ways you can achieve this.
    A. get a certificate for free out there
    B. generate your own self signed "fake" certificate.
    certutil will certainly let you do this, here's how:
    1. First, create a file/directory layout to store your certificates
    mkdir -p /path/to/certificates/selfsignedCA2. Initialize a database for the certificate you want to create
    certutil -N -d /path/to/certificates/selfsignedCA -P "ca-"3. Create a self-signed CA certificate
    certutil -S -x -n "ca-cert" -s "cn=SelfSigned CA Certificate,dc=yourSuffix" -t CTPu -v 120 -d /path/to/certificates/selfsignedCA -P "ca-" -5Note: when prompted, select choice (5) SSL CA and 'y' for critical extensions
    4. Export the your newly created self-signed CA certificate in PEM format
    certutil -L -d /path/to/certificates/selfsignedCA -P "ca-" -n "ca-cert" -a > /path/to/certificates/selfsignedCA.pemthat should get you going
    -=arnaud=-

  • What happened to the lock icon when using SSL? Cannot easily determine SSL use without using sniffer.

    The SSL lock icon does not appear in new Firefox 4 during use of SSL. Why was it removed? Only method of determining successful SSL use is through the use of a sniffer and netstat. There is no obvious lock anywhere in the browser while using SSL
    ALSO.... STOP CHANGING THE ORDER OF THE OPEN NEW TAB/OPEN NEW WINDOW UNDER THE FILE->list.

    The "Site Identity button", which provides a lot more pertinent information about a web site, was introduced in Firefox 3, and was used along with the "Security Lock icon"; that "Lock icon" was finally removed from Firefox 4 versions. <br />
    https://support.mozilla.com/en-US/kb/Site+Identity+Button <br />
    http://www.dria.org/wordpress/archives/2008/05/06/635/ <br />
    This extension will add a "lock" in the S-I-B display.<br />
    https://addons.mozilla.org/en-US/firefox/addon/padlock-icon/

  • Setting up IPsec VPNs to use with Cisco Anyconnect

    So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
    I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
    NOTE: We are still testing this ASA and it isn't in production.
    Any help you can give me is much appreciated.
    ASA Version 8.4(2)
    hostname ASA
    domain-name domain.com
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address 50.1.1.225 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    no nameif
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    boot system disk0:/asa842-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    same-security-traffic permit intra-interface
    object network NETWORK_OBJ_192.168.0.224_27
    subnet 192.168.0.224 255.255.255.224
    object-group service VPN
    service-object esp
    service-object tcp destination eq ssh
    service-object tcp destination eq https
    service-object udp destination eq 443
    service-object udp destination eq isakmp
    access-list ips extended permit ip any any
    ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
    no failover
    failover timeout -1
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
    object network LAN
    nat (inside,outside) dynamic interface
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
    sysopt noproxyarp inside
    sysopt noproxyarp outside
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=ASA
    crl configure
    crypto ca server
    shutdown
    crypto ca certificate chain ASDM_TrustPoint0
    certificate d2c18c4e
        308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
        0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
        365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
        f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
        6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
        8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
        37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
        234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
        3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
        03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
        cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
        18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
        beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
        af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 10
    console timeout 0
    management-access inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
    anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
    anyconnect profiles VPN disk0:/devpn.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy VPN internal
    group-policy VPN attributes
    wins-server value 50.1.1.17 50.1.1.18
    dns-server value 50.1.1.17 50.1.1.18
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
    default-domain value digitalextremes.com
    webvpn
      anyconnect profiles value VPN type user
      always-on-vpn profile-setting
    username administrator password xxxxxxxxx encrypted privilege 15
    username VPN1 password xxxxxxxxx encrypted
    tunnel-group VPN type remote-access
    tunnel-group VPN general-attributes
    address-pool (inside) VPNPool
    address-pool VPNPool
    authorization-server-group LOCAL
    default-group-policy VPN
    tunnel-group VPN webvpn-attributes
    group-alias VPN enable
    tunnel-group VPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    class-map ips
    match access-list ips
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
      inspect http
    class ips
      ips inline fail-open
    class class-default
      user-statistics accounting

    Hi Marvin, thanks for the quick reply.
    It appears that we don't have Anyconnect Essentials.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

  • VM with remote access VPN without split tunneling

    Hello experts,
    I have customers who require to use VM in their laptop. These users also require to VPN to Corporate network  to do their job. However when they do remote VPN to corporate Network (ASA VPN concentrator) from their VM host machine, they loose their access to their VM guest machines. This problem was not happening when they used cisco VPN client which has gone end of life and support as of end of July 31, 2012. In Cisco VPN client (IKEV1) if we set the protocol to udp they had no problem to keep their connectivity to VM machines while connected to corporate with remote access VPN. However this feature does not work in new Cisco VPN client which is called AnyConnect. ( NOTE: I am using IPSEC IKEV2. NO SSL at this time).
    My Question to Experts:
    1. Was the ability to maintain connection to VM guest machines, while connected to VPN without enabling split tunneling a security flaw in the old cisco VPN client?
    2. Is there a way to maintain connectivy to VM machines installed in a computer and still connect to remote access VPN concentrator through host machine? (My question is about AnyConnect client only using IPSEC IKEV2 and I do not want to enable split tunneling)
    Thanks for your help,
    Razi                

    Did you figure this out?

  • ASA 5512-X - VPN & local clients DHCP relaying (DHCP Proxy vs. DHCP Relay conflict)

    Hey all,
    I have ASA-5512-X serving as general firewall/router. It also serves as AnyConnect SSL VPN gateway (webvpn).
    It has ~10 VLANs connected over 1 trunk port. One of the VLANs has DHCP server that shall serve all the VLANs (192.168.16.2).
    I'm trying to have the ASA relay DHCP requests from all VLANs to the DHCP server and to also serve VPN clients.
    However, according to bug https://tools.cisco.com/bugsearch/bug/CSCsd22469 both DHCP Proxy (webvpn) and DHCP Relay (local interfaces) can't be enabled at the same time.
    As VPN clients connect to the same VLANs as local users (eg. VLAN 2 - 192.168.2.0/24) I want to have the very same DHCP server serving both, otherwise it's gonna become a mess.
    Note: if I configure DHCP Relay functionality and disable DHCP Proxy - local clients are served fine. If I configure DHCP Proxy (webvpn) and disable DHCP Relay VPN clients are served fine. I therefore consider setup to be correct, just the ASA limitation won't allow me to make it serve both.
    Can DHCP Relay also serve VPN clients (no DHCP Proxy enabled)? did I miss something?
    Thanks!

    Hi,
    The only workaround for this issue is to configure the ASA itself to act as DHCP server for vpn clients. You also have the flexibility of using local pool and AAA server. Why exactly do you want to use the same DHCP server for both?
    AM

  • FlexVPN without using certificates

    Hi All,
    Is there a way we can use Anyconnect VPN clinets with FlexVPN without the Certificate based authentication ( Like in old Cisco VPN clients using Group Key) ?
    Is there a way to use the Cisco router itslef as the CA wihtout getting external Windows server involved in the whole setup (with FlexVPN setup + Anyconnect)  ?
    Thanks in Advance !

    Shamal,
    When using IOS as headend there is no need to use SSL during initial connect, with the caveat that profile NEEDS to be provisioned to client out of band.
    Now once the profile is there, you need to make sure that it's being called - i.e. provide the hostname of the gateway you are trying to connect to.
    In my documentation it was :
    bsns-1941-4.cisco.com
    So this is what as destination of my connection. Anyconnect will lookup profile based on the tag.
    Regarding EAP currently we are limited to non-tunneled EAP methods on Anyconnect VPN.
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
    EAP methods: MD5, GTC, and MSCHAPv2
    But if you go with the mothod I provided
    true                IKE-RSA           
    there is no need to use EAP. However you CAN use it.
    M.

  • Installation issue - using a remote server without using remote desktop or citrix

    Hello Experts..
    We have a client who wants to install SAP Client (SAP 9 PL 11) in their local machines, but connecting to a remote server. They want to avoid connecting through Remote Desktop or Citrix.They already installed SAP clients in local pc's and when they select the server, they already configured it to a server located overseas. We succed on achieve the connection, but the performance is really poor (sometimes it takes about 2 minutes to open a simple menu in SAP).
    We ran internet speed tests in the client's office and in the server, and both results were more than satisfactory. But we couldn't come up with a reason for this enviroment works properly..
    The question is... Is this kind of enviroment supported by SAP?? Do you know about any alternative to connect from the local PC to a remote server without using remote desktop or citrix??
    Thanks in advance...
    Raúl Fragueiro

    Hi,
    I assumed you are using VPN connection right?
    In your scenario that is normal since the GUI of SAP B1 is not built for type of connection compare
    to SAP ERP GUI.
    The only SAP supported type of remote connection is either Terminal Server or Citrix.
    In our own scenario we are using Terminal Server and we are very satisfied. We have used
    this between to different cities. This is also prevents data corruption cause by intermittent
    internet connection.
    Hoping you will be convinced of using Terminal Server or Citrix.
    By the way, a quick question, why are you hesitant to use RDC or Citrix?
    For overview, if your remote requirement is just simple and basic you may use Terminal Server.
    The implementation of  this is very fast and simple also, what you need is only a license.
    If complex and advance features connection requirement connection use Citrix.
    For better understanding you may search from the site for the difference of the two.
    Thanks.
    Regards,
    Clint

Maybe you are looking for

  • The option "Show my windows and tabs from last time" no longer works and reloading Firefox does not fix it.

    I have been using this for as long as the feature has been available along with App tabs. All of a sudden it no longer works. I have tried resetting the option to something else and then back again. I've also tried reloading and reinstalling Firefox.

  • Transfer data between systems realtime

    Dear All, I have the following issue: In System1 we create Purchase Order (PO) and in System2 a Sales Order (SO) reference to that PO. The line item in the PO in System1 have Profit Center PC1 assigned. In System2 the SO has PC2 assigned to line item

  • Network drives show while connected

    I have a WD NetworkCenter Drive connects to the network via CAT5, here is the poser, this will not connect or be seen while I am wireless, but once I plug in the CAT5 Cable, all SHARED drive connections are there. Would some one please tell me what a

  • SPLongOperation throws error "Thread was being aborted"

    Recently we have migrated our SharePoint application from 2010 to 2013, we have upgraded our solution from VS 2012 to VS 2013 and deployed it successfully in newly installed SharePoint 2013 prior to content DB migrate and all. In our solution, we had

  • TS1702 setting for what chat or internet connection through 3G

    I can use internect and whatchat now in locations without Wifi  service. Such occurence happened only after I reset my I phone to enable it to use Wifi service. I want to use both services in all situations. I think that there must be something wrong