AnyConnect VPN license on ASA 5510

Similar Questions

• Cisco Anyconnect/WebVPN license for ASA 5510

  Hello

  Someone could please check the licenses for ASA 5510 attachment and let me know. We currently have ASA 5510 with basic license. According to the table attached under VPN sessions, he mentions that "250 combined SESSIONS IPSec and WebVPN" and to "Max box of WebVPN Session" it is mentioned that 2nd meeting, exceeding that we must buy license optional webvpn. While we the 250 combined license for IPSec and webVPN. We must purchase additional anyconnect license to set up remote access for users who want to use the internal resources from outside the network. OrElse, we don't have to purchase license and can configure webvpn/anyconnect of existing combined license existing users basic ASA license? Waiting for your response. Thank you.

  You are welcome.

  1 Yes

  2 AnyConnect requires no Java, but it can he use when connecting to one AnyConnect SSL VPN client and launch the Web browser option start Java-based. There was a bug with the AnyConnect old versions had later who should have addresses. You also have the option to launch via IE and using ActiveX or simply throw AnyConnect directly - neither of these two methods require Java.

  Here is a document TAC on the Java questions if you want more details.

  Please take a moment to note the useful messages and mark your answers questions.

• All necessary licenses on ASA 5510 for old Cisco VPN Client

  We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with?  No matter what special config that needs to be done on the 5510?

  Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).

  You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.

• ASA 5500 x new anyconnect VPN license structure

  I wonder if anyone can give me some insight on the new ASA VPN (SSL VPN) structure of license.  Currently, I have anyconnect premium license installed on the ASA 5500 series but want to buy the same type of license for x ASA 5500 series.  I understand the premium license is required for SSL VPN and webvpn.  Can someone find out if the premium anyconnect and anyconnect essentials license has been replaced by the Cisco Anyconnect Apex licence?

  The new AnyConnect Apex maps old Premium licenses. They are now focused on the term (1, 3-5 years) and have been approved by a single user (regardless of the number of devices) vs. concurrent users on the old regime.

  Apex (or the old premium) is required for clientless SSL VPN. Regular-based on the SSL VPN client AnyConnect requires no Apex but can be done by using only more licenses.

  The new AnyConnect Plus is the old Essentials plus mobile licenses. There is an option of perpetual and based on the duration.

  By single user licensing is a terms and conditions / EULA stuff and not enforced by technical means at the moment.

• AnyConnect VPN for Cisco ASA 5505 refused connections

  I'm trying to set up my Cisco 5505 with AnyConnect VPN client VPN access.  Here is the relevant information of my config:

  interface Vlan2
  
      mac-address xxxx.xxxx.xxxx
  
      nameif outside
  
      security-level 0
  
      ip address A.A.A.A 255.255.255.240
  
      !
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq pptp
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq https
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ftp
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq www
  
      access-list outside_access_in extended permit tcp any host C.C.C.C eq smtp
  
      access-list outside_access_in extended permit icmp any any
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq ssh
  
      access-list outside_access_in extended permit tcp any host C.C.C.D eq 8080
  
      access-list outside_access_in extended permit gre any host C.C.C.C
  
      access-list outside_access_out extended permit ip any any
  
      access-list inside_access_in extended permit ip any any
  
      access-list inside_access_in extended permit ip any interface outside
  
      access-list inside_access_out extended permit ip any any
  access-group inside_access_in in interface inside
  
      access-group inside_access_out out interface inside
  
      access-group outside_access_in in interface outside
  
      access-group outside_access_out out interface outside
  webvpn
  
      enable inside
  
      enable outside
  
      svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
  
      svc enable
  group-policy DfltGrpPolicy attributes
  
      dns-server value X.X.X.X
  
      vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  
      split-tunnel-policy tunnelspecified
  
      split-tunnel-network-list value
  
      address-pools value palm
  
      webvpn
  
        svc rekey time 30
  
        svc rekey method ssl
  
        svc ask enable default webvpn
  policy-map global_policy
  
      class inspection_default
  
        inspect pptp
  
        inspect http
  
        inspect icmp
  
        inspect ftp
  
      !
  

  When I try to connect, I get this error in the real-time log viewer:

  TCP access denied by ACL from X.X.X.X/57356 to outside:A.A.A.A/443
  

  Here are the details of the license:

  Licensed features for this platform:
  
      Maximum Physical Interfaces  : 8
  
      VLANs                        : 3, DMZ Restricted
  
      Inside Hosts                 : Unlimited
  
      Failover                     : Disabled
  
      VPN-DES                      : Enabled
  
      VPN-3DES-AES                 : Enabled
  
      SSL VPN Peers                : 2
  
      Total VPN Peers              : 10
  
      Dual ISPs                    : Disabled
  
      VLAN Trunk Ports             : 0
  
      Shared License               : Disabled
  
      AnyConnect for Mobile        : Disabled
  
      AnyConnect for Linksys phone : Disabled
  
      AnyConnect Essentials        : Disabled
  
      Advanced Endpoint Assessment : Disabled
  
      UC Phone Proxy Sessions      : 2
  
      Total UC Proxy Sessions      : 2
  
      Botnet Traffic Filter        : Disabled
  This platform has a Base license.
  

  Can someone tell me what I am doing wrong or what access list I'm missing?

  I have two Cisco ASA 5510 firewall with a similar setup configuration and the AnyConnect SSL VPN works great.

  Hi Matt,

  You are probably landing on the tunnel-group by default - you will need to indicate which group to connect to the client. This can be done in different ways - I see that you already have a defined group aliases, but to be able to use that you must configure:

  WebVPN

  tunnel-group-list activate

  Alternatively, if you have only a single group, you can add 'group-url https://yourasa.yourcompany.com/ permit' to the webvpn attributes tunnel-group.

  HTH

  Herbert

• AnyConnect VPN licenses

  Hello

  I want to know what is meant by in licensed ASA it supports maximum 10000 5000 AnyConnect or VPN users without client Sessions. I am referring to the link http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html# ~ mid - range

  This means that at a given point of time only 10000 or 5000 users can connect via Anyconnect VPN or it means something else?

  In my organization I have 25000 employees and all need SSL VPN to access spme or other resources on the company's intranet. I want to offer Anyconnect VPN users. How can I avieve only with the permission of restriction of the maximum number of 10000 users.

  Thanks in advance

  Deepak Khemani

  The counts of license you mention above are for the concurrent (simultaneous) users. If need more than 10,000 concurrent users, Clientless VPN, you need to use several ASAs.

  You could use a license shared on an ASA server and allocate licenses of it (up to 500,000 may be installed on the shared license server) as they are needed by the ASA of the cluster members.

• Help with a VPN tunnel between ASA 5510 and Juniper SSG20

  Hello

  We have a customer wanting to configure a VPN Site to Site tunnel between a new purchased 5510 of ASA located in his direction with its Juniper SSG20 Office, located in the main office. We contacted HP and they send us a Cisco professional to do the job.

  After 2 days from 16:00 to 22:00 and error and countless hours of research online and nunerous calls, we are still unable to get traffic from the network of agencies to enter the tunnel.

  Main branch
  1.1.1.2                                 1.1.1.1
  -----                                               -----------
  192.168.8.0/24 | ASA|-----------------------------------| Juniper |    192.168.1.0/24
  -----                                               -----------
  192.168.8.254 192.168.1.254

  According to Cisco professionals, the tunnel is now in place but no traffic through. We are unable to ping anything on the network on the other side (192.168.1.0/24). We receive timeout ping all the time. The Cisco professional told us it's a routing or NAT problem and he's working on a solution!

  Through research, I came across a post on Experts-Exchange (here) [the 1st comment on the original post] which States "...". that both sides of the VPN must have a different class of LAN for the VPN to work... " Would that be our problem?

  It has become a critical issue to the point that he had to replace the Cisco ASA with a temporary Juniper SSG5 on another subnet (192.168.7.0/24) to get the tunnel upward and through traffic until the ASA VPN issue is resolved and I didn't need to say that the client is killing us!

  Help is very appreciated.

  Thank you

  1. Yes, ping package from the interface of the ASA is considered valuable traffic to the LAN of Juniper.

  SAA, need you traffic from the interface source ASA's private, because interesting to determine by crypto ACL MYLIST traffic between 192.168.8.0/24 and 192.168.1.0/24.

  You will also need to add the following configuration to be able to get the ping of the interface of the ASA:

  management-private access

  To initiate the ping of the private interface ASA:

  ping 192.168.1.254 private

  2. the default time before the next generation of new key is normally 28800 seconds, and if there is no interesting traffic flowing between 2 subnets, he'll tear the VPN tunnel down. As soon as there is interesting traffic, the VPN tunnel will be built automatically into the next generation of new key. However, if there is traffic before generating a new key, the new tunnel will be established, and VPN tunnel will remain standing and continue encrypt and decrypt traffic.

  Currently, your configuration has been defined with ITS lifetime of 3600 seconds GOLD / 4608000 kilobytes of traffic before the next generate a new key (it will be either 3600 seconds, or 4608000 kilobytes period expires first). You can certainly change it by default to 28800 seconds without configuring kilobytes. SA life is negotiated between the ASA and Juniper, and whatever is the lowest value will be used.

  Hope that helps.

• Remote RDP client VPN access on ASA 5510

  Hello.

  We have configured the VPN tunnel from site of offshore to the location of the customer using ASA5510 and access to RDP to the location of the customer. Also been configured remote VPN access in offshore location. But using the remote VPN client, we are able to get the RDP of officeshore location but not able to access to the location of the RDP client. Are there any additional changes required?

  Thank you

  Hi Salsrinivas,

  so to summarize:

  the VPN client connects to the ASA offshore

  the VPN client can successfully RDP on a server at the offshore location

  the VPN client cannot NOT RDP on a server at the location of the customer

  offshore and the location of the customer are connected by a tunnel L2L

  (and between the 2 sites RDP works very well)

  is that correct?

  Things to check:

  -the vpn in the ACL crypto pool?

  -you're exemption nat for traffic between the vpn pool and 'customer' LAN? is the exemption outside (vpn clients are coming from the outside)?

  -you have "same-security-traffic permitted intra-interface" enabled (traffic will appear outside and go back outside)?

  If you need help more could you put a config (sterilized) Please?

  HTH
  Herbert

• SSL VPN license for ASA

  It must be an easy question - but I'm having a hard time finding an answer. How are the SSL VPN to the end user a license?

  Let's say I have 300 users, SSL, but only 20 concurrent SSL at any time. Do I need licenses for the 300 full or 20 competitors?

  Thank you

  Jim

  Hey Jim,.

  SSL licenses for only simultaneous connections. The only limitation you will encounter is how SSL sessions each platform supports (i.e. 750 concurrent sessions on an ASA5520).

• Support ASA 5510 Anyconnect

  I see that the latest code for the 5510 is 9.1.5 and they have an end of life of the product. I have 100 Anyconnect premium licenses on a 5510 I've ever used. I was starting to put in place. What are my options now?  Does this mean that I'm having problems with any more recent code as Microsoft 10 and even new versions of Microsoft 7 IE etc?   Oh I forgot trying to turn this 5510 SSL remote access device?  Thank you

  I noticed that I have a 5505 with 25 licenses Anyconnect premium on it (installed by accident by the seller) but this support does not seem to have folklore about that yet.

  The 5510 with ASA 9.1 (5) software is fully capable of supporting AnyConnect (Essentials or Premium-) full-tunnel remote access SSL VPN for users on operating system platforms more modern. It is more the software client AnyConnect himself (compared to the head of network ASA) which sometimes needs to be updated to accommodate the latest operating system compatibility issues.

  In addition, with AnyConnect Premium, you can configure mode clientless SSL VPN and end users simply access the ASA and interact with remote resources through a portal in the browser.

  The 5505 isn't enough end-of-Sales again (the other original of the 5500 series for fall 2013); but we expect a replacement platform soon.

• MAC and PC can reach the same an ASA for Anyconnect VPN?

  Hi, we have MAC and PC users. We configure the Anyconnect VPN in an ASA. But two users need two image of sorts. We must therefore use the two commands:

  AnyConnect image disk0: / anyconnect -win- 3.1.04066 - k9.pkg

  AnyConnect image disk0: / anyconnect -macosx- i386 - 2.5.2014 - k9.pkg.

  This is what two commands cannot coexist in an ASA. How to solve the problem? I hope your suggestion. Thank you

  They can co-exist, but you must add different sequence numbers at the end of each command.

• Setup for use with Cisco Anyconnect VPN IPsec

  So, I had trouble setting up VPN on our ASA 5510. I would use IPsec VPN so that we don't have to worry about licensing issues, but what I have read you can do with and always use Cisco Anyconnect. My knowledge on how to set up VPN especially in iOS version 8.4 is limited, so I've been using a combination of command line and ASDM.

  I am finally able to connect from a remote location, but once I log in, nothing else works. What I've read, you can use IPsec for client-to-lan connections. I use a pre-shared for this. Documentation is limited on what should happen after have connected you? Shouldn't be able to local access on the vpn connection computers? I'm trying to implement work. If I have VPN from home, should not be able to access all of the resources at work? According to me, because I used the command-line as ASDM I confused some of the configuration. In addition, I think that some of the default policies are confused me too. So I probably need a lot of help. Here is my current setup with the changed IP address and other things that are not related to deleted VPN.

  NOTE: We are still testing this ASA and is not in production.

  Any help you can give me is greatly appreciated.

  ASA Version 8.4 (2)

  !

  ASA host name

  domain.com domain name

  !

  interface Ethernet0/0

  nameif inside

  security-level 100

  the IP 192.168.0.1 255.255.255.0

  !

  interface Ethernet0/1

  nameif outside

  security-level 0

  IP 50.1.1.225 255.255.255.0

  !

  interface Ethernet0/2

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Ethernet0/3

  Shutdown

  No nameif

  no level of security

  no ip address

  !

  interface Management0/0

  No nameif

  security-level 100

  IP 192.168.1.1 255.255.255.0

  !

  boot system Disk0: / asa842 - k8.bin

  passive FTP mode

  DNS domain-lookup outside

  DNS server-group DefaultDNS

  !

  permit same-security-traffic intra-interface

  !

  network of the NETWORK_OBJ_192.168.0.224_27 object

  subnet 192.168.0.224 255.255.255.224

  !

  object-group service VPN

  ESP service object

  the purpose of the tcp destination eq ssh service

  the purpose of the tcp destination eq https service

  the purpose of the service udp destination eq 443

  the destination eq isakmp udp service object

  !

  allowed IP extended ip access list a whole

  !

  mask 192.168.0.225 - 192.168.0.250 255.255.255.0 IP local pool VPNPool

  no failover

  failover time-out period - 1

  ICMP unreachable rate-limit 1 burst-size 1

  ASDM image disk0: / asdm - 645.bin

  don't allow no asdm history

  ARP timeout 14400

  NAT (inside, outside) static source any any static destination NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 non-proxy-arp-search to itinerary

  !

  the object of the LAN network

  NAT dynamic interface (indoor, outdoor)

  Access-group outside_in in external interface

  Route outside 0.0.0.0 0.0.0.0 50.1.1.250 1

  Sysopt noproxyarp inside

  Sysopt noproxyarp outdoors

  Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

  Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

  Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

  Crypto ipsec ikev2 ipsec-proposal OF

  encryption protocol esp

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 proposal ipsec 3DES

  Esp 3des encryption protocol

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 ipsec-proposal AES

  Esp aes encryption protocol

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 ipsec-proposal AES192

  Protocol esp encryption aes-192

  Esp integrity sha - 1, md5 Protocol

  Crypto ipsec ikev2 AES256 ipsec-proposal

  Protocol esp encryption aes-256

  Esp integrity sha - 1, md5 Protocol

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF

  outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

  outside_map interface card crypto outside

  Crypto ca trustpoint ASDM_TrustPoint0

  registration auto

  name of the object CN = ASA

  Configure CRL

  crypto ca server

  Shutdown

  string encryption ca ASDM_TrustPoint0 certificates

  certificate d2c18c4e

  864886f7 0d06092a c18c4e30 308201f3 3082015c a0030201 d 020204 2 0d 010105

  0500303e 3110300e 06035504 03130741 53413535 3130312a 2 a 864886 30280609

  02161b 41 53413535 31302e64 69676974 616c 6578 7472656d 65732e63 f70d0109

  3131 31303036 31393133 31365a 17 323131 30303331 39313331 0d 170d 6f6d301e

  365a303e 3110300e 06035504 03130741 53413535 3130312a 2 a 864886 30280609

  02161b 41 53413535 31302e64 69676974 616c 6578 7472656d 65732e63 f70d0109

  6f6d3081 9f300d06 092 has 8648 86f70d01 01010500 03818d b 30818902-00-818100-2

  8acbe1f4 5aa19dc5 d3379bf0 f0e1177d 79b2b7cf cc6b4623 d1d97d4c 53c9643b

  37f32caf b13b5205 d24457f2 b5d674cb 399f86d0 e6c3335f 031d54f4 d6ca246c

  234b32b2 b3ad2bf6 e3f824c0 95bada06 f5173ad2 329c28f8 20daaccf 04c 51782

  3ca319d0 d5d415ca 36a9eaff f9a7cf9c f7d5e6cc 5f7a3412 98e71de8 37150f02

  03010001 300 d 0609 2a 864886 f70d0101 05050003 8181009d d2d4228d 381112a 1

  cfd05ec1 0f51a828 0748172e 3ff7b480 26c197f5 fd07dd49 01cd9db6 9152c4dc

  18d0f452 50f5d0f5 4a8279c4 4c1505f9 f5e691cc 59173dd1 7b86de4f 4e804ac6

  beb342d1 f2db1d1f 878bb086 981536cf f4094dbf 36c5371f e1a0db0a 75685bef

  af72e31f a1c4a892 d0acc618 888b53d1 9b 888669 70e398

  quit smoking

  IKEv2 crypto policy 1

  aes-256 encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 10

  aes-192 encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 20

  aes encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 30

  3des encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  IKEv2 crypto policy 40

  the Encryption

  integrity sha

  Group 2 of 5

  FRP sha

  second life 86400

  Crypto ikev2 activate out of service the customer port 443

  Crypto ikev2 access remote trustpoint ASDM_TrustPoint0

  Crypto ikev1 allow outside

  IKEv1 crypto policy 10

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  IKEv1 crypto policy 65535

  preshared authentication

  3des encryption

  sha hash

  Group 2

  life 86400

  Telnet timeout 5

  SSH timeout 10

  Console timeout 0

  management-access inside

  SSL-trust outside ASDM_TrustPoint0 point

  WebVPN

  allow outside

  AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

  AnyConnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

  AnyConnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3

  profiles of AnyConnect VPN disk0: / devpn.xml

  AnyConnect enable

  tunnel-group-list activate

  internal VPN group policy

  attributes of VPN group policy

  value of server WINS 50.1.1.17 50.1.1.18

  value of 50.1.1.17 DNS server 50.1.1.18

  Ikev1 VPN-tunnel-Protocol, l2tp ipsec ikev2 ssl-client

  digitalextremes.com value by default-field

  WebVPN

  value of AnyConnect VPN type user profiles

  always-on-vpn-profile setting

  privilege of xxxxxxxxx encrypted password username administrator 15

  VPN1 xxxxxxxxx encrypted password username

  VPN Tunnel-group type remote access

  General-attributes of VPN Tunnel-group

  address (inside) VPNPool pool

  address pool VPNPool

  LOCAL authority-server-group

  Group Policy - by default-VPN

  VPN Tunnel-group webvpn-attributes

  enable VPN group-alias

  Group-tunnel VPN ipsec-attributes

  IKEv1 pre-shared-key *.

  !

  class-map inspection_default

  match default-inspection-traffic

  class-map ips

  corresponds to the IP access list

  !

  !

  type of policy-card inspect dns preset_dns_map

  parameters

  maximum message length automatic of customer

  message-length maximum 512

  Policy-map global_policy

  class inspection_default

  inspect the preset_dns_map dns

  inspect the ftp

  inspect h323 h225

  inspect the h323 ras

  Review the ip options

  inspect the netbios

  inspect the rsh

  inspect the rtsp

  inspect the skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect the tftp

  inspect the sip

  inspect xdmcp

  inspect the http

  class ips

  IPS inline help

  class class by default

  Statistical accounting of user

  I would recommend buy AnyConnect Essentials. The cost of the license is nominal - list of US $150 for the 5510. (piece number L-ASA-AC-E-5510 =)

  Meawwhile you can use the Cisco VPN client inherited with IKEv1 IPSec remote access VPN using profiles *.pcf.

  I believe you can also use the client Anyconnect client SSL or DTLS transport access remotely (non-IPsec) without having to buy the license Anyconnect Essentials for your ASA focus.

  As an aside, note that if you want to use AnyConnect Mobile (e.g. for iPhone, iPad, Android, Blackberry etc.clients) you will also get the additional license for it (L-ASA-AC-M-5510 =, also price US $150)

• Anyconnect VPN migration issues

  Hi, I do Anyconnect VPN from an ASA ASA migration another. I need your suggestion. Migration must transfer customization and anyconnect vpn configuration. After that I reviewed some documents, looks like the configuration and customization are not the only thing that needs to be transferred. Everything can give some suggestion exactly what needs to be transferred in addition to customization and configuration vpn? Thank you

  Hello

  Although the copy of the configuration of one firewall to another will get all the anyconnect rules and the installation program completed, but the flash content (IE anyconnect programs, profiles anyconnect, customizations anyconnect, bookmarks, and dap profiles) is not transferred to the other ASA. They must be downloaded manually to the ASA again.

  Another way to do this is through ASDM,

  Go to tools > configuration backup:

  Select the components of the VPN you want to create a backup for.

  

  NOTE *.
  This backup will be restored as a whole via ASDM and substitute another configuration.
  So, you might want to restore the backup to a fresh firewall and then import the configuration and the images of the SAA.

  Otherwise, you can go the ususal path, the anyconnect first configuration copy and then manually transfer components anyconnect flash of one ASA to another.

  **********

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• L to L passing tunnel concentrator 3000 to ASA 5510

  Hello

  I'm looking in to Lan VPN configuration tunnel the Cisco VPN 3000 to ASA 5510 concentrator Lan. I noticed that this particular configuration has NAT enabled in the hub (Config-online policy management of-online traffic Mgmt-online NAT-online L to L rules)... There are 2 servers NATted to 192.168.1.1 et.2 addresses, so I need to do the same in ASA. Should what steps I take to reach the same configuration in SAA? Is it possible through SDM?

  Thank you

  Forman

  In ASDM-online-online NAT rules configuration, I can create static rule inside indoor int interface and then create the tunnel using 'translated the address' or 'translated network' local area network in the VPN configuration. Is this right?

  That is right.

  You should NAT the VPN traffic and set the VPN traffic from the translated addresses.

  Federico.

• IPSec VPN between Cisco ASA and Fortigate1000

  Hello

  I find a useful document on how to create a tunnel VPN IPSec with ASA 5510 firewall Fortigate 1000...

  the configuration of the coast FG is done without any problem, BUT the document (. doc FG) said I must configure the ASA with a GRE interface and assign an internal IP address in order to communicate with the FG...

  The question is: How do I configure the interface on the SAA ACCORD?

  Thanks in advance, Experts...

  Kind regards...

  ASA firewall does not support the interface/GRE GRE tunnel.

  If you need to have GRE configured, you will need to complete the GRE tunnel on router IOS.

  If you want to configure just pure tunnel VPN IPSec (lan-to-lan), here is an example of configuration on the side of the ASA:

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

  Hope that helps.