Is Cisco anyconnect lisence required

Hi,
I have a case where we have proposed Cisc ISE basic and advanced lincense for around 10000 users.
Customer is asking for 802.1X supplicant, we are saying to the customer that 802.1x will be taken care by the operating system and that NAC agent will take care of Profiling and posturing.
Could you please advice if 802.1x supplicant is really required for ISE deployment.
The respose is urgently awaited, could you please respond.

Hi Henry,
Almost any modern operating system supports 802.1x.
The Cisco Anyconnect adds more features to it like:
In addition to industry-leading VPN capabilities, the Cisco AnyConnect Secure Mobility Client helps enable IEEE 802.1X capability, providing a single authentication framework to manage user and device identity, as well as the network access protocols required to move smoothly from wired to wireless networks. Consistent with its VPN functionality, the Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network.
The transcript was extracted from:
http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/datasheet-c78-733184.html
Where you can check if these security features are needed for your client.
Regards,
Pedro Lereno

Similar Messages

Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

Greetings,
I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
OR
Am I forced to put the ASA behind the filtering device somehow?

Hi Jim,
You can use tunnel default route for vpn traffic:
ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
This route is applicable for only vpn traffic.
HTH,
Shetty

Windows 8 64 bit issues with Cisco AnyConnect Secure Mobility Client version 3.1.04072

I am having an issue with the Cisco AnyConnect Secure Mobility Client version 3.1.04072 on a Windows 8 64 bit laptop.
I am able to create the VPN connection but the connection will not allow data to be transferred.
Stats from a manual connection:
Cisco AnyConnect Secure Mobility Client Version 3.1.04072
VPN Stats
    Bytes Received: 14375
    Bytes Sent: 0
    Compressed Bytes Received: 0
    Compressed Bytes Sent: 0
    Compressed Packets Received: 0
    Compressed Packets Sent: 0
    Control Bytes Received: 0
    Control Bytes Sent: 0
    Control Packets Received: 0
    Control Packets Sent: 0
    Encrypted Bytes Received: 7820
    Encrypted Bytes Sent: 1207
    Encrypted Packets Received: 9
    Encrypted Packets Sent: 3
    Inbound Bypassed Packets: 0
    Inbound Discarded Packets: 0
    Outbound Bypassed Packets: 0
    Outbound Discarded Packets: 0
    Packets Received: 4
    Packets Sent: 0
    Time Connected: 00:03:01
Protocol Info
    Inactive Protocol
        Protocol Cipher: RSA_3DES_168_SHA1
        Protocol Compression: None
        Protocol State: Disconnected
        Protocol: DTLS
    Active Protocol
        Protocol Cipher: RSA_3DES_168_SHA1
        Protocol Compression: Deflate
        Protocol State: Connected
        Protocol: TLS
OS Version
    Windows 8 : WinNT 6.2.9200
Log from the data transmission software:
24/12/2013 12:51:13 - Application version = 1.11.28.0
24/12/2013 12:51:13 - Lodgement Library Version = 1.11.28.0
24/12/2013 12:51:13 - Connection Method = INTERNET
24/12/2013 12:51:13 - DIS Connection Type = Automatic
24/12/2013 12:51:13 - VPN Client = ACTIVE
24/12/2013 12:51:13 - Check Available Connections = NOT ACTIVE
24/12/2013 12:51:13 - Windows 8 (6.2.9200 SP )
24/12/2013 12:51:13 - Language: English (Australia)
24/12/2013 12:51:13 -
24/12/2013 12:51:13 - Connected to ISP via LAN
24/12/2013 12:51:13 - Checking for presence of VPN client.
24/12/2013 12:51:13 - VPN client found. (C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe)
24/12/2013 12:51:13 - The Cisco AnyConnect Secure Mobility Client application is in use.
24/12/2013 12:51:18 - Terminating Cisco AnyConnect Secure Mobility Client in progress ...
24/12/2013 12:51:18 -
24/12/2013 12:51:18 - Checking Cisco AnyConnect version.
24/12/2013 12:51:19 - Cisco AnyConnect Secure Mobility Client (version 3.1.04072) .
24/12/2013 12:51:19 - Copyright (c) 2004 - 2013 Cisco Systems, Inc. All Rights Reserved.
24/12/2013 12:51:19 - Config file directory:C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\
24/12/2013 12:51:19 -
24/12/2013 12:51:19 - Loading profile:C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ELS-IMelAde-TCP.xml
24/12/2013 12:51:19 -
24/12/2013 12:51:19 - Initializing the VPN connection.
24/12/2013 12:51:19 - Ready to connect.
24/12/2013 12:51:19 - Ready to connect.
24/12/2013 12:51:19 - Contacting ELS-IMelAde-TCP.
24/12/2013 12:51:23 - Authenticating user.
24/12/2013 12:51:23 - Connected to VPN concentrator.
24/12/2013 12:51:23 - Establishing VPN session...
24/12/2013 12:51:23 - Checking for profile updates...
24/12/2013 12:51:23 - Checking for product updates...
24/12/2013 12:51:23 - Checking for customization updates...
24/12/2013 12:51:23 - Performing any required updates...
24/12/2013 12:51:23 - Establishing VPN session...
24/12/2013 12:51:23 - Establishing VPN - Initiating connection...
24/12/2013 12:51:24 - Establishing VPN - Examining system...
24/12/2013 12:51:24 - Establishing VPN - Activating VPN adapter...
24/12/2013 12:51:24 - Establishing VPN - Configuring system...
24/12/2013 12:51:24 - Establishing VPN...
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connected to ELS-IMelAde-TCP.
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connection to VPN client return code = 0.
24/12/2013 12:51:24 - Connected to VPN concentrator.
24/12/2013 12:51:24 - Connecting : Connecting to 203.202.43.2.
24/12/2013 12:51:45 - Error in ConnectToDIS - Socket Error # 10060
Connection timed out.
24/12/2013 12:51:46 -
24/12/2013 12:51:46 - Disconnecting from the VPN concentrator.
24/12/2013 12:51:46 - Disconnect in progress, please wait...
24/12/2013 12:51:46 - Detaching AnyConnect, please wait...
24/12/2013 12:51:47 - Detached.
24/12/2013 12:51:47 - Disconnected from VPN concentrator.
24/12/2013 12:51:47 - *****************************************************
24/12/2013 12:51:47 -               END OF LODGEMENT PROCESS
24/12/2013 12:51:47 - *****************************************************
Issue history:
- Previously running Cisco VPN client on Windows 8 64 bit laptop (VPN working and able to transmit data over VPN)
- Upgrade to Windows 8.1 stopped the VPN client working
- Refreshed system back to Windows 8 and reinstalled all software
- Cisco VPN client would not install on system
- Cisco AnyConnect Secure Mobility Client installs and is able to connect to VPN host
- Cisco AnyConnect Secure Mobility Client downloads and installs software from VPN host
- Data transmission software returns error code #10060
Any assistance would be greatly appreciated.

anyone found the fix for this?

Simple remote connection using Cisco AnyConnect and ISR router

Hi all,
I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?
Basically what I am after is the following
- Remote users install Cisco AnyConnect to establish a VPN connection to HQ
- HQ ISR (880s, 1900s, 2900s) terminates that VPN connections and allows access to local resources (shared drives, applications...).Authentication method would be local database on the router. No need of RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.
I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
But the example is too highlevel for me to follow, basically I don't know how to generate such certificates and distribute it to remote clients.
Any help as to how to create such certificates or how to configure FlexVPN to just requiring the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.
Cheers
Alvaro

If you insist .. try this:
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html
http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

Cisco AnyConnect Configuration

Can someone assist me with configuring Cisco AnyConnect VPN? For some reason with the config below, I seem to get connected but then my internet connection randomly drops and reconnects. Ive tried several different times to get this to work properly but Im obivously missing something here. Any help is appreciated.
ASA Version 8.2(2)
hostname FW01
enable password .MlTybcgwEXNF1HM encrypted
passwd .MlTybcgwEXNF1HM encrypted
names
dns-guard
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
description ### Link to Internet ###
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
description ### Link to GUEST WIFI ###
nameif guest
security-level 50
ip address 172.16.10.1 255.255.255.0
interface Vlan4
description ### Link to INSIDE LAN ###
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
interface Vlan5
description ### Link to INSIDE WIFI ###
nameif insidewifi
security-level 50
ip address 172.16.2.1 255.255.255.0
interface Ethernet0/0
description ### Link to Internet ###
switchport access vlan 2
interface Ethernet0/1
description ### Link to GUEST WIFI ###
switchport access vlan 3
interface Ethernet0/2
description ### Link to INSIDE LAN ###
switchport access vlan 4
interface Ethernet0/3
description ### Link to INSIDE WIFI ###
switchport access vlan 5
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
banner exec
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec *
banner exec *      This system is for the use of authorized users only.
banner exec *      Individuals using this system are subject to having all of their
banner exec *      activities on this system monitored and recorded by system
banner exec *      personnel.
banner exec *
banner exec *      Anyone using this system expressly consents to such monitoring
banner exec *      and is advised that if such monitoring reveals possible
banner exec *      evidence of criminal activity, system personnel may provide the
banner exec *      evidence of such monitoring to law enforcement officials.
banner exec *
banner exec ******* ENGLISH *** ATTENTION *** ENGLISH *** ATTENTION *** ENGLISH **********
banner exec
banner exec
banner exec Name:.......FW01
banner exec Address:....172.16.1.1
banner exec Location:...CST -5
ftp mode passive
clock timezone CST -5
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address [email protected]
logging recipient-address ************* level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
    308201ef 30820158 a0030201 02020495 6e135030 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6d6f 6f72652e 6e657431
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e6d 6f6f7265 2e6e6574
    301e170d 31323037 32383034 34363133 5a170d32 32303732 36303434 3631335a
    303c3119 30170603 55040313 1073736c 76706e2e 6d6f6f72 652e6e65 74311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e6d6f6f 72652e6e 65743081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c8 167e2c3d
    04c16a6c b6639fda c60f085a 8ea6a2ea 6e0bcafb acb3ec8e 3c659274 37636c34
    0df9e770 17fb97f6 c2b8641e ff3675f3 3d906e01 a7056bb0 9c0bf54c 3475729e
    74caf157 068464d3 e235c46f a8525867 c3911d9c 760253d0 c7bbb7c8 84f91f92
    858866c6 e0c1033d 6cfba6f0 b732158f 3d2d7ef5 9bbb0821 4d093f02 03010001
    300d0609 2a864886 f70d0101 05050003 81810062 65e2455a cb4e87ea 7879099d
    06ed1c5e 7eab180a 4d7564be c36810eb fe6a5bb9 94348ded 1336d811 d0949342
    2718400c 8cc32395 23e7d722 3e2758a9 a2116a38 07500bd5 5b96f3c2 1d7c5769
    dc5b876b 858cb447 355aa323 abbaf45d bed3814d a04f503a 21cddb47 aaecd5aa
    1c82f701 22969424 f6845937 a21568a1 ecaa0e
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:847a9a2b25e6a8ea2d4b68d17cdd41d2
: end
no asdm history enable

Javier,
Thanks for the explaination. I have one more question, maybe I should open a seperate discussion. If so please let me know...
After I got the Anyconnect VPN configuraiton working I tried to configure LDAP configuration. Now when I try to connect I get and error stating
"Login denied. Your environment does not meet the access criteria defined by your administrator."
Then at the bottom of the AnyConnect client I see
"Access Denied: Your system does not meet policy requirement (DAP)
Looking at the DAP configuration I cant see what the policy is not accepting. The partial config is below
ASA Version 8.2(2)
same-security-traffic permit inter-interface
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-list guest extended permit udp any host 172.16.1.102 eq domain
access-list guest extended permit udp any host 172.16.1.103 eq domain
access-list guest extended permit udp any any range bootps tftp
access-list guest extended deny ip any 172.16.1.0 255.255.255.0 log
access-list guest extended deny ip any 172.16.2.0 255.255.255.0 log
access-list guest extended permit ip any any
access-list insidewifi extended permit ip any any
access-list Outside_In extended permit tcp any any eq 3389
access-list SSLClientProfile_SPLIT standard permit 172.16.1.0 255.255.255.0
access-list SSLClientProfile_SPLIT standard permit 172.16.2.0 255.255.255.0
access-list nonat_inside extended permit ip 172.16.1.0 255.255.255.0 172.16.9.0 255.255.255.0
access-list nonat_insidewifi extended permit ip 172.16.2.0 255.255.255.0 172.16.9.0 255.255.255.0
pager lines 50
logging enable
logging list TEST level alerts
logging buffered debugging
logging asdm informational
logging mail TEST
logging from-address [email protected]
logging recipient-address [email protected] level errors
mtu outside 1500
mtu guest 1500
mtu inside 1500
mtu insidewifi 1500
ip local pool SSLClientPool 172.16.9.1-172.16.9.2 mask 255.255.255.0
ip audit name FW01-INFO info action alarm
ip audit name FW01-ATTACK attack action alarm reset
ip audit interface outside FW01-INFO
ip audit interface outside FW01-ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any guest
icmp permit any inside
icmp permit any insidewifi
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (guest) 1 172.16.10.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (inside) 1 172.16.1.0 255.255.255.0
nat (insidewifi) 0 access-list nonat_insidewifi
nat (insidewifi) 1 172.16.2.0 255.255.255.0
static (inside,outside) tcp interface 3389 172.16.1.200 3389 netmask 255.255.255.255
static (inside,guest) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,insidewifi) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-group Outside_In in interface outside
access-group guest in interface guest
access-group inside in interface inside
access-group insidewifi in interface insidewifi
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record SSLVPNPolicy
description "SSL VPN Policy (AD Login)"
dynamic-access-policy-record DfltAccessPolicy
action terminate
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 172.16.1.102
server-port 389
ldap-base-dn DC=MOORE,DC=NET
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=LDAP Service Account,OU=ServiceAccounts,OU=MooreNetwork,DC=moore,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 outside
sysopt noproxyarp outside
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn sslvpn.moore.net
subject-name CN=sslvpn.moore.net
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 956e1350
    308201ef 30820158 a0030201 02020495 6e135030 0d06092a 864886f7 0d010105
    0500303c 31193017 06035504 03131073 736c7670 6e2e6d6f 6f72652e 6e657431
    1f301d06 092a8648 86f70d01 09021610 73736c76 706e2e6d 6f6f7265 2e6e6574
    301e170d 31323037 32383034 34363133 5a170d32 32303732 36303434 3631335a
    303c3119 30170603 55040313 1073736c 76706e2e 6d6f6f72 652e6e65 74311f30
    1d06092a 864886f7 0d010902 16107373 6c76706e 2e6d6f6f 72652e6e 65743081
    9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100c8 167e2c3d
    04c16a6c b6639fda c60f085a 8ea6a2ea 6e0bcafb acb3ec8e 3c659274 37636c34
    0df9e770 17fb97f6 c2b8641e ff3675f3 3d906e01 a7056bb0 9c0bf54c 3475729e
    74caf157 068464d3 e235c46f a8525867 c3911d9c 760253d0 c7bbb7c8 84f91f92
    858866c6 e0c1033d 6cfba6f0 b732158f 3d2d7ef5 9bbb0821 4d093f02 03010001
    300d0609 2a864886 f70d0101 05050003 81810062 65e2455a cb4e87ea 7879099d
    06ed1c5e 7eab180a 4d7564be c36810eb fe6a5bb9 94348ded 1336d811 d0949342
    2718400c 8cc32395 23e7d722 3e2758a9 a2116a38 07500bd5 5b96f3c2 1d7c5769
    dc5b876b 858cb447 355aa323 abbaf45d bed3814d a04f503a 21cddb47 aaecd5aa
    1c82f701 22969424 f6845937 a21568a1 ecaa0e
quit
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 172.16.1.102
dhcpd ping_timeout 750
dhcprelay server 172.16.1.102 inside
dhcprelay enable guest
dhcprelay enable insidewifi
dhcprelay setroute guest
dhcprelay setroute insidewifi
dhcprelay timeout 60
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 172.16.0.0 255.255.0.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 211.233.40.78
ntp server 61.153.197.226
ntp server 202.150.213.154 prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.6005-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 172.16.1.102 172.16.1.103
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSLClientProfile_SPLIT
default-domain value moore.net
address-pools value SSLClientPool
username gmoore_a password PNUmTwjDhevRqhkT encrypted privilege 15
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group LDAP LOCAL
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 68.1.17.8
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:db7d3afda8f35ce1733b3fcd3f5f468d
: end
no asdm history enable

Error "Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed" - help !

hi,
I've tried to install AnyConnect Secure Mobility Client on my computer (Mac OS 10.6.8), I've never installed it before on this computer, however when I want to install i got the message
"Version 3.1.04063 of the Cisco AnyConnect Secure Mobility Client is already installed"
I would be thankful if anyone could help me with this problem !!!

Would I be correct in assuming that you are trying to do a manual install of the AnyConnect client when you get this error? Have you ever used this MAC to connect to an ASA and to establish a VPN? If so it is quite likely that AnyConnect was installed in that on line session and does not require a manual install.
HTH
Rick

Problem installing Cisco AnyConnect Secure Mobility Client

Hello,
When attempting to install the Cisco AnyConnect Secure Mobility Client, I get the following message: "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."
Well, my support personnel haven't been able to assist. I am attaching the setupapi.dev file I was told could help in troubleshooting. Any help is greatly appreciated!
Thank you in advance.

do you have the xml assigned in the group policy on the ASA? I know the scripting behavior changed between anyconnect 2.5 and 3.1. AnyConnect 2.5 only required the xml profile locally but 3.1 requires the xml with EnableScripting = true to be assigned to the group policy.

Cisco AnyConnect Secure Mobility Client

I have a Cisco ASA 5525-X.
Behind the firewall I have six seperate networks, with interface 0 connected to the Internet.
Cisco Anyconnect clients can connect from the Internet without any problems.
What I want to do is restrict users/groups to specific networks.
For instance -group1 can only connect to network1 after authentication.
The problem I have is that users that are NOT part of the tunnelgroup are still authenticated and get access to a network they shouldn't have access to.
In short I want six groups for six networks but can't seem to make this work.
The reason for this is that these networks are six distinct networks with one Internet feed.
I would be most gratefull if somebody can point me in the right direction.
thanks

Hi,
I got to admit that I am a bit rusty on the VPN Client side.
In some of our environments we utilize the default RA (Remote Access) "tunnel-group" only and use a separate AAA server to return the correct group for the user based on their login information.
Now if we had to do this with just the ASA then I am not 100% sure how to set it up. I wonder if the solution would then be to remove all the non default "tunnel-group" configurations related to the type of VPN you are using and simply using the default "tunnel-group" and assigning "username" different "group-policy" based on their need?
In other words using only the default "tunnel-group" there would be nothing to choose from in the drop down menu but the "group-policy" attached to the "username" would define to which networks traffic would be tunneled and so on.
I guess this would still require you to configure an "address-pool" under the default "tunnel-group" or you would have to define each users IP address under the "username attributes".
To view the default "tunnel-group" and "group-policy" configurations on the CLI of the ASA you would have to use this command
show run all tunnel-group
show run all group-policy
Do take note that these commands print out a lot more information/configurations than the usual "show run" variation. This is because the command also shows the default settings which arent otherwise visible in the "show run" output.
Would really need to test this myself to be able to give you an 100% sure answer.
- Jouni

Cisco AnyConnect Secure Mobility Client using discrete graphics on Mac

Hello,
I use your Cisco AnyConnect Secure Mobility Client to connect to my University's VPN. The programme is supplied to me by my University so I presume it licenses it for its students such as myself.
I am writing to let you know the Cisco AnyConnect Secure Mobility Client uses the discrete graphics card on my MacBook Pro whenever it is running. I cannot quit the Client, that will end my VPN session, but at the same time using the discrete graphics card is a drain on the battery for no good reason; Cisco AnyConnect does not display any visuals that I am aware would require the use of an NVidia Kepler card with 1GB VRAM. The application's code perhaps needs to be rectified so it does not depend on the discrete graphics card when clearly (as the attachments show) it does not need a discrete graphics card to render its very simple interface.
Cheers.

If your company has the Cisco IPSec protocol open you can use the Mac's built-in VPN settings.
However, if those ports are blocked by your local service (Starbucks or w/e) then you will have to use the AnyConnect VPN, which is done over SSL (https).

Cisco AnyConnect VPN app on iPhone 4s won't connect

I have successfully installed the Cisco AnyConnect VPN app on my iPad Air and can connect to my target VPN. But the same app on my iPhone 4s won't work. When I try to connect I get this message: "Connect using Cisco AnyConnect App at least once before using any other App." I'm not trying to use another app, in fact I closed all other apps. I'm using the same settings as the Air. I tried with wi-fi, turned wi-fi off, location services on and off, etc. I'm on Verizon.
Has anyone got this to work on an iPhone?
Thanks

Although I agree that this is really a question for Cisco, finding/receiving an official answer there may take a while.
This app worked fine for me until I upgraded today - June 19, 2014 - the date of the release of Version 3.0.09430. After upgrade, I get the same message. The update note says "Apple IOS Connect On Demand Considerations - To ensure proper establish of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the Any Connect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message 'The VPN Connection requires an application to start up' will display."
But I too have tried various interpretations of that, and still get the error above quoted by azmilt.
It appears that either:
- the upgrade is faulty
- the version itself is faulty
- the directions for a proper upgrade need clarification
So if anyone has upgraded to this version, and made it work, I think that providing a procedure would help the community.

How do I use Cisco Anyconnect?

I'm not sure if this is the right place for this.
My work has provided Cisco Anyconnect to access their network. I'm able to download and install successfully but once I establish the connection, then what. I'm connected but nothing seems to happen. How do I actually access my works network? Do I need to connect to a server (Using Go/Connect to a server...)?
Thanks

All Anyconnect does is connect you to you work's network. Once you've established a connection, you should have access to work resources (servers, desktops, printers) by connecting to them as you would if you were at your office.
If there are any special connection requirements to use your work resources, you would need to contact the I/T people at your workplace.

Cisco AnyConnect does it do IPsec?

Hi Guys
I have a Cisco ASA5520 with Software Version 8.2(5) in place, most my users are Mac Users and I am currently looking into Cisco AnyConnect in comparison to using VPN client.
I have a couple of questions
1) Does Cisco AnyConnect make use of IPsec or is it soley SSL VPN based?
2) From the license information I have below in my ASA I understand that I can have max 750 vpn peers however am I right in saying that this does not apply to Cisco AnyConnect peers? and that with Cisco AnyConnect I can only have 2 peers? Also what are the disabled anyconnect options for?
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled
3) When trying to set up Cisco Anyconnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images however when I did this by uploading the .dmg file for mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?
Your help is much appreciated
Regards
Mohamed

Hi Mohammad,
I will answer your questions one by one:
1. Cisco Anyconnect version 3.0 and above support SSL as well as IPSECv2 connection. If you want the user to connect using IPSECv2 from the Anyconnect client then it will consume the SSL license and not the IPsec license however if you use IPSECv2 for connections like site to site vpn then it will consume normal IPSec VPN license.
2. a. SSL VPN Peers: This license gives you the information about the number of users who can connect using the SSL protocol i.e. using the Anyconnect client as well as web portal based client also known as clientless VPN. Here I see there are only 2 licenses so at any point of time only 2 users can connect successfully because 750 is the total number of license available for VPN connection on the ASA, only 698 will be available for the IPSec connections.
   b. Anyconnect for mobile: This license is required whenever a user is connecting from a handheld device like: Iphone, Ipad, Tablets etc.
   c. Anyconnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol and to enable this feature you should have this license enabled on the ASA.
   d. Anyconnect essentials: For Anyconnect there are two licenses a> Anyconnect Premium and b> Anyconnect Essentials. Anyconnect essentials is cheaper as compared Anyconnect premium license. This license is for those who do not use webvpn or clientless VPN. When this license is enabled, the user can only connect from the Anyconnect VPN client.
3. I am not sure what image you are using on the ASA. Please try the image named as anyconnect-macosx-i386-2.5.2010-k9.pkg.
    To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.
   svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg
Let me know if this helps.
Thanks,
Vishnu Sharma

Issue or Bug with Cisco Anyconnect 3.1

Hello Everybody,
I´m facing to one problem
i have an ASA 5510 version 8.4
i have upgraded since 3 days the anyconnect version to Anyconnect 3.1
Here is my license :
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 50             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Everything was working fine on my client user , when they vpn with the new application : "anyconnect vers 3.1"
Now , noone are able to connect via VPN , it appear on message when try to vpn :
" The service Provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can estabilish a vpn session"
Everything work fine , with my service Provider, have the last JAVA on my Laptop and here is is the Event viewer error :
Function: MsgCatalog::msgFormat File: .\i18n\MsgCatalog.cpp Line: 450 Invoked Function: FormatMessage Return Code: 3 (0x00000003) Description: The system cannot find the path specified.
Function: MsgCatalog::msgFormat File: .\i18n\MsgCatalog.cpp Line: 450 Invoked Function: FormatMessage Return Code: 3 (0x00000003) Description: The system cannot find the path specified.
Please someone can Help Me Fix this Probleme, Everything was working fine before ?

Captive Portal Hotspot Detection and Remediation Requirements
Support for both captive portal detection and remediation requires one of the following licenses:
•AnyConnect Premium (SSL VPN Edition)
•Cisco AnyConnect Secure Mobility
You can use a Cisco AnyConnect Secure Mobility license to provide support for captive portal detection and remediation in combination with either an AnyConnect Essentials or an AnyConnect Premium license.
Captive portal detection and remediation support only computers running Microsoft Windows 7, Windows Vista, or Windows XP and Mac OS X 10.5,10.6, and 10.7.
Captive Portal Hotspot Detection
AnyConnect displays the "Unable to contact VPN server" message on the GUI if it cannot connect, regardless of the cause. VPN server specifies the secure gateway. If always-on is enabled, and a captive portal is not present, the client continues to attempt to connect to the VPN and updates the status message accordingly.
If always-on VPN is enabled, the connect failure policy is closed, captive portal remediation is disabled, and AnyConnect detects the presence of a captive portal, the AnyConnect GUI displays the following message once per connection and once per reconnect:
The service provider in your current location is restricting access to the Internet.
The AnyConnect protection settings must be lowered for you to log on with the service
provider. Your current enterprise security policy does not allow this.
If AnyConnect detects the presence of a captive portal and the AnyConnect configuration differs from that described above, the AnyConnect GUI displays the following message once per connection and once per reconnect:
The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Captive portal detection is enabled by default, and is non-configurable.
AnyConnect does not modify any browser configuration settings during Captive Portal detection.
Jatin Katyal
- Do rate helpful posts -

No Audio on either end Cisco Jabber for Windows over Cisco AnyConnect

Our telephony staff is replacing our aging/unsupported VoIP system with a Cisco system and as the network tech, I'm trying to get Jabber for Windows to work over our AnyConnect VPN client. Jabber to Cisco phone and Jabber to Jabber calls work fine within our LAN.
However, when I take a laptop to a separate internet connection and connect to the network via the VPN, I can't get any audio to pass across the system, in either direction. If I call a phone on our LAN using the Jabber client (via AnyConnect), the phone rings and when I answer it, it's just dead air on both ends. If I reverse the process, calling from the phone to the Jabber client, the same thing, Jabber client rings, but dead air both ways once I answer.
Things I can do from the laptop over the VPN connection:
I'm able to get to the phone's web interface using that same laptop.
I can ping the phone as well. In fact, the VPN profile I'm using has full access to the entire VoIP Vlan including all IP traffic (all ~65,000 ports).
Searching the address book also works fine. I can search for staff and it's pulling directly from our Active Directory environment.
Is there any special settings on the firewall that I need to setup to allow the voice traffic (which I assume is RTP traffic)? I tried to add a service policy for RTP traffic, but that didn't seem to work...unless I built it wrong.
Jabber for Windows - 10.6.0
Cisco Anyconnect - 3.1.06079
Cisco 5515-x ASA - 9.2

I was able to resolve this on my own. I thought that SIP traffic needed to be inspected via the global inspection policy in order for it to pass through the firewall. I ran into the same issue with ICMP traffic from an Anyconnect client to LAN devices. I had to enable ICMP in that policy for us to be able to ping LAN devices over the VPN tunnel. So when I saw that SIP was already being inspected by this policy, I moved on looking for other solutions. Then I stumbled deep within a Google search (almost hit the end of the Internet doing so) where someone mentioned that SIP shouldn’t be inspected by that policy. So I unchecked it and bam! Voice is now working over the anyconnect client to phones on the LAN.

Setting up IPsec VPNs to use with Cisco Anyconnect

So I've been having trouble setting up vpns on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this with and still use Cisco Anyconnect. My knowledge on how to set up VPNs especially in iOS verion 8.4 is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-lan connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect? Shouldn't I be able to access computers that are local to the vpn connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP address altered and stuff that is completely non-related to vpns removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
    308201f3 3082015c a0030201 020204d2 c18c4e30 0d06092a 864886f7 0d010105
    0500303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
    6f6d301e 170d3131 31303036 31393133 31365a17 0d323131 30303331 39313331
    365a303e 3110300e 06035504 03130741 53413535 3130312a 30280609 2a864886
    f70d0109 02161b41 53413535 31302e64 69676974 616c6578 7472656d 65732e63
    6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100b2
    8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b
    37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c
    234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c51782
    3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02
    03010001 300d0609 2a864886 f70d0101 05050003 8181009d d2d4228d 381112a1
    cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc
    18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6
    beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef
    af72e31f a1c4a892 d0acc618 888b53d1 9b888669 70e398
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accounting

Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

Is Cisco anyconnect lisence required

Similar Messages

Maybe you are looking for