No documentation for worm VPN clients. 5


Why it seems that there is no documentation on the Cisco site for VPN clients past version 4.6? There are release notes, but no user guide. We recently bought an ASA, but the accompanying CD has an older version of client.

Thank you




Yes, you are right. There is no new documentation for the 4.8, 4.9 and to output other than the text release notes posted with the VPN Client.

The reason is, other than new features to support some new OS (Vista 32 Bit OS), etc., between 4.6 and 5.0 configuration steps are the same. Then you should be good to go with the 4.6 Setup guide. If this is a new Client VPN deployment, I go through the detailed release notes and be aware of known issues that may affect your network.

Kind regards


* Please Note If this can help *.

Tags: Cisco Security

Similar Questions

  • ASA static IP Addressing for IPSec VPN Client

    Hello guys.

    I use a Cisco ASA 5540 with version 8.4.
    I need to assign a static IP address to a VPN client. I saw in the documentation Cisco that this can be done to validate the user against the local ASA and in the user account database, you assign a dedicated IP address, or using the vpn-framed-ip-address CLI command.
    The problem is that the customer never gets this address and it always gets one of the pool in the political group. If I delete this pool, the client can't get any address.
    No idea on how to fix this or how can I give this static IP address to a specific VPN client?
    Thank you.

    Your welcome please check the response as correct and mark.

    See you soon

  • Configuration of Cisco for Cisco VPN Client ASA 5505

    Our firm has finally made the move from Sonicwall Cisco for our SMB customers. Got our first customer with a VPN site-to site solid and you have configured the main router for connections via the Cisco VPN Client VPN Wizard.

    When I install the VPN Client on desktop computers that does not capture all the necessary options (unless you have a SSL VPN). I guess that there is a process that I am missing to export a connection profile that Cisco VPN Client users can import for their connection.

    There step by step guides to create the connection profile file to distribute to customers?


    The ASDM wizard is for the configuration on the SAA. This wizard will help you complete the VPN configuration on the end of the ASA.

    You will need to set the same in the client, so that they can negotiate and connect.

    Input connection in the client field, that's what you want to be seen that on the VPN client - it can be any name

    Host will be the external ip address of the ASA.

    Group options:

    name - same tunnel as defined on the ASA group
    Password - pre-shared as on ASA.

    Confirm password - same pre-shared key.

    Once this is over, you will see the customer having an entry same as a login entry. You must click on connect there. He will be a guest user and the password. Please enter the login crendentials. VPN connects.

    You can distribute the .pcf file that is formed at the place mentioned in the post above. Once the other client receive the .pcf, they need to import it by clicking this tab on the VPN client.

    Kind regards


  • The ID attribute of the station call needs for Anyconnect VPN client MAC address

    Hi all

    We test tring Anyconnect VPN users to connect using the certificate. ASA East of validation / authentication user based on cert and approval it requires Radius server (ISE). Currently ASA sends the Ip address of the VPN client in «calling station ID» We want ASA to send the Anyconnect VPN client MAC address to the radius server in RADIUS attribute «calling station ID»  Is it possible to do this. Get around them?

    Parag salvation,

    The calling Station ID always contains the IP if Anyconnect VPN.

    L3 is originally unlike wireless which has L2 Assoc.

    Currently no work around.

    Respect of


  • Reverse road injection for remote VPN Clients

    Hello world

    you will need to confirm if reverse road injection is used only for Site to site VPN?

    Also to say that we have two sites using site-to-site vpn

    Site A                                                         Site B

    Private private IP IP

    172.16.x.x                                                    172.20.x.x

    Now, as we VPN site to site, we can either activate the NAT - T option which will allow 172.16 IP reach site B as 172.16 only.

    Do not change the IP address.

    Option 2

    IF we don't allow NAT - T and if we allow injection road Revese and we use say Protocol ospf on ASAs in site A and B.

    In this case, we allow IPPS so that we can announce the private road 172.16. on the internet right of site B?



    Hello Mahesh,

    "Reverse road injection (RRI) is used to fill in the routing table of an internal router that is running OSPF Open Shortest Path First () protocol or the RIP (Routing Information) protocol for Remote Clients VPN sessions or a local area network LAN."


    As a result, allowed RRI ASA learn routing information for connected peers and advertising via RIP or OSPF.

    NAT - T is automatically detected and used when the local or the remote peer is behind NAT.

    To answer your question:

    If NAT - T is required and enabled, then it will automatically be used peer VPN. Then, with IPP in place, remote network will be added to the routing as static routes table, so they can be advertised by OSPF.


    Please note all useful messages.

  • Certificate self-signed for remote VPN CLIENT access

    Hi people,

    I am trying to achieve two-factor authentication, first with RADIUS & 2nd with self-signed certificate. If I generated of self-signed certificate & trying to import this certificate but error 39 that occur. Only obstacle that authenticate with certificate. I saw some documents for separate setting certifcate servers (CA) & then to import in the clients but I m curious about a certificate automatically generated can be used to authenticate the remote access client.

    ASA additional server failover mode is Local CA is not supported. Is there a way to support local CA.

    Thank you

    Are you talking about using self-signed client certificates? I guess that it will not work. At least it is not scalable. You must use an internal CA for this task. As the local certification authority cannot be used with failover, you can take a Windows Server 2 k 3 or 2 k 8. Another option is to use a router IOS as CA-server. But what take something else as a second factor? I'm a big fan of the use of smartphones with the service.

    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:

  • DHCP server for debugging VPN clients

    We are DHCP configuration to a DHCP server for SSLVPN customers on our ASA 8.2 running, and it does not work yet.

    I set the DHCP server to the tunnel profile to use, set the scope of the network dhcp for the group - that seems to be all that is needed.

    Currently, the problem is I'm having trouble finding debug commands that provide detailed information on what is happening with DHCP queries.

    Debug only the DHCP-based controls seem to be:

    DHCPC Client DHCP information

    DHCPD dhcpd information, and
    dhcprelay DHCP Relay information

    I ' ve tried the client and relay debugs and I see is that the client is not giving an IP address valid. "

    The DHCP server is not a request from this ASA for the network defined in the dhcp-network for the group scope, and we see nothing on the DHCP server in debugging results.

    Any suggestions would be welcome.


    you will see a button like "marks" as answered

    You can also sort the useful answers.



  • I am about to buy a new laptop with Windows 7, but must stay with the 32 bit for my VPN client compatibility. What product is 32 bit? Home Premium? __

    No further details

    Hello RxDawg84, welcome.

    32 bit |     64 bit |     Windows 7 SKU

    YES No. Windows 7 Starter
    YES No. Windows 7 Home Basic
    YES YES Windows 7 Home Premium
    YES YES Windows 7 Professional
    YES YES Windows 7 Ultimate

    All versions of Windows 7 which are Home Premium (or higher) are available in two versions: 32-bit and 64-bit

    Hope this helps,

    Thank you! Ryan Thieman
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • What are TCP/UDP ports must be open for version 4.8 of the VPN Client?

    What are TCP/UDP ports must be open for Cisco VPN Client version 4.8 working?

    Thank you

    Normally, you need the following ports and Protocol:

    UDP 500

    UDP 4500


    In this case, you are using IPSec over TCP, you must open the port TCP 10000 or any other port that you want to use for (its configurable) IPSec connections.


  • Cisco VPN Client cannot ping from LAN internal IP


    I apologize in advance for my lack of knowledge about it, but I got a version of the software running ASA 5510 7.2 (2) and has been invited to set up a site with a client, I managed to get this configured and everything works fine. In addition, I created a group of tunnel ipsec-ra for users to connect to a particular server remote, even if the connection is made successfully, I can not ping any IP on the LAN located behind the ASA and when I ping inside the interface on the ASA it returns the public IP address of the external interface.

    If someone out there could give me a little push in the right direction, it would be much appreciated! This is the current configuration of the device.

    Thanks in advance.

    : Saved


    ASA Version 7.2 (2)


    hostname ciscoasa5510

    domain.local domain name

    activate the password. 123456789 / encrypted

    names of


    interface Ethernet0/0

    nameif outside

    security-level 0

    PPPoE client vpdn group ISP IP address pppoe setroute


    interface Ethernet0/1

    nameif inside

    security-level 100



    interface Ethernet0/2


    No nameif

    no level of security

    no ip address


    interface Ethernet0/3


    No nameif

    no level of security

    no ip address


    interface Management0/0

    nameif management

    security-level 100


    management only


    passwd encrypted 123456789

    passive FTP mode

    clock timezone GMT/UTC 0

    summer time clock GMT/BDT recurring last Sun Mar 01:00 last Sun Oct 02:00

    DNS server-group DefaultDNS

    domain.local domain name

    permit outside_20_cryptomap to access extended list ip host

    permit inside_nat0_outbound to access extended list ip host

    access-list Split_Tunnel_List note the network of the company behind the ASA

    Split_Tunnel_List list standard access allowed

    pager lines 24

    asdm of logging of information

    Outside 1500 MTU

    Within 1500 MTU

    management of MTU 1500

    IP local pool domain_vpn_pool - mask

    ICMP unreachable rate-limit 1 burst-size 1

    ASDM image disk0: / asdm - 522.bin

    don't allow no asdm history

    ARP timeout 14400

    Global 1 interface (outside)

    NAT (inside) 0-list of access inside_nat0_outbound

    NAT (inside) 1

    Route outside 1

    Timeout xlate 03:00

    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

    Timeout, uauth 0:05:00 absolute

    internal domain_vpn group policy

    attributes of the strategy of group domain_vpn

    value of DNS server

    Protocol-tunnel-VPN IPSec

    Split-tunnel-policy tunnelspecified

    value of Split-tunnel-network-list Split_Tunnel_List

    username domain_ra_vpn password 123456789 encrypted

    username domain_ra_vpn attributes

    VPN-group-policy domain_vpn

    encrypted utilisateur.123456789 password username

    encrypted utilisateur.123456789 password username

    privilege of username user password encrypted passe.123456789 15

    encrypted utilisateur.123456789 password username

    the ssh LOCAL console AAA authentication

    AAA authentication enable LOCAL console

    Enable http server

    http management

    http inside

    No snmp server location

    No snmp Server contact

    Server enable SNMP traps snmp authentication linkup, linkdown cold start

    Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

    Crypto-map dynamic outside_dyn_map 20 set pfs

    Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

    card crypto outside_map 20 match address outside_20_cryptomap

    peer set card crypto outside_map 20 987.65.43.21

    outside_map crypto 20 card value transform-set ESP-3DES-SHA

    3600 seconds, duration of life card crypto outside_map 20 set - the security association

    map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

    outside_map interface card crypto outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    aes-256 encryption

    sha hash

    Group 5

    life 86400

    crypto ISAKMP policy 30

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    tunnel-group 987.65.43.21 type ipsec-l2l

    IPSec-attributes tunnel-group 987.65.43.21

    pre-shared-key *.

    tunnel-group domain_vpn type ipsec-ra

    tunnel-group domain_vpn General-attributes

    address domain_vpn_pool pool

    Group Policy - by default-domain_vpn

    domain_vpn group of tunnel ipsec-attributes

    pre-shared-key *.

    Telnet inside

    Telnet timeout 5

    Console timeout 0

    VPDN group ISP request dialout pppoe

    VPDN group ISP localname [email protected] / * /

    VPDN group ISP ppp authentication chap

    VPDN username [email protected] / * / password *.

    dhcpd dns

    dhcpd lease 691200

    dhcpd ping_timeout 500

    domain.local domain dhcpd


    dhcpd address - inside

    dhcpd allow inside


    management of - dhcpd address

    enable dhcpd management



    class-map inspection_default

    match default-inspection-traffic



    type of policy-card inspect dns preset_dns_map


    message-length maximum 512

    Policy-map global_policy

    class inspection_default

    inspect the preset_dns_map dns

    inspect the ftp

    inspect h323 h225

    inspect the h323 ras

    inspect the rsh

    inspect the rtsp

    inspect esmtp

    inspect sqlnet

    inspect the skinny

    inspect sunrpc

    inspect xdmcp

    inspect the sip

    inspect the netbios

    inspect the tftp


    global service-policy global_policy

    context of prompt hostname


    : end


    Seems to me that you are atleast lack the NAT0 configuration for your VPN Client connection.

    This configuration is intended to allow the VPN Client to communicate with the local network with their original IP addresses. Although the main reason that this is necessary is to avoid this traffic to the normal rule of dynamic PAT passing this traffic and that traffic is falling for the corresponding time.

    You can add an ACL rule to the existing ACL NAT0, you have above and the NAT configuration should go next

    Add this

    permit inside_nat0_outbound to access extended list ip

    Hope this helps

    Let me know how it goes


  • Cisco vpn client is supported on the analogue ppp connection

    can someone pls tell me if we can use the client vpn cisco on a ppp connection analog and put a pix that is not PPPs running. If it works, then why do we need to VPN L2tp/ipsec. can someone pls tell me something abt it. It is very urgent.




    If I understand your question, you speak with PPP initially to get an IP address from your service provider, then use the Client VPN VPN in your Pix Firewall. If so, yes it is possible.

    To name a few reasons why PPTP or L2TP/IPSEC is used instead of Cisco VPN Client are:

    1. because companies have used a PPTP or L2TP/IPSEC solution for some time and are migrating to Cisco VPN

    2. do not install vpn on the PC client software

    3. won't pay for the VPN Client software licenses

    Let me know if it helps.

    Kind regards


  • Only permitted in specific protocol like RDP remote VPN client

    Hi, is it possible allow or restrict vpn clients to a specific protocol such as RDP to the authorized network (internal)? Most of the samples in Cisco allows the IP Protocol on the access list of the network of the boarding school for the IP pool which is then translated as Nat (0). I tried to only allow the RDP Protocol in this access list and it does not work.

    Thank you.

    Hi vivi, unfortunately vpn-filter is not posible in codes 6.x, this feature was introduced in the code 7.x and higher. You need to upgrade code 7.x or higher.

    On the other hand if you already have a group of tunnel for the vpn clients and you want to limit all this tunnel RDP group only and nothing else you do with your current code with an acl, not permit ip address but permit tcp and tcp port number port on vpn network host of destination... but this policy applies to all users of RA for this group of tunnel... no practice... as supposed using vpn-filters by user who allows to better control the individual users on the same group of tunnel without affecting others.


  • How can I send parameters preconfigured VPN client to a remote user

    Dear all,

    I have an ASA 5510 using VPN IP - SEC for remote users. I want to send all settings pre-configured for the VPN client.

    How can I save the configuration file and send to a remote user?


    Configure the vpn profile in your vpn client, and then send them the .pcf file located in the directory Program Files/Cisco Systems VPN/customer/profiles. Then all they have to do is import it into their client.

  • AnyConnect VPN Client - works with IPsec


    How can I do for AnyConnect VPN Client works with ipsec?

    I tried with SSL and works normally.

    But with IPsec does not work. Should I do something?

    Thank you


    Rodrigo, Anyconnect works with SSL, in order to use IPSec, you must the Cisco VPN Client.

  • Windows 7 64 bit VPN client problems


    I am running Windows 7 Professional 64 bit and Cisco VPN client I am able to connect to my corporate network and work ok but connection is very slow!

    Connection time is distributed as follows:

    Client program VPN Opening: 70 seconds.

    Click on connect and wait for the user credentials dialog box: 30 seconds.

    Enter the credentials, and then click ok then 'user authentication': 90 seconds.

    "Negotiate security policies": 60 seconds.

    User area credentials if poster again, re - enter the credentials that the dialog box is empty, and then click ok: 90 seconds.

    "User authentication", then connection established: 120 seconds.

    I have a colleague running 64-bit Windows 7 (ultimate edition) which uses the same version and does not have these problems.

    Any ideas anyone?

    See you soon,.


    Gary, thanks for the update. If disabling the firewall and restart vpn service did not help. Could you please try and install the version?

    Before do you, I would like to know if you import .pcf for the VPN Client files. If so, please try to re-create a file .pcf on the PC and try and use this file to connect. Also, I see that the existing .pcf file you are using is a file read-only. Could you change this and give permissions to write to the file, and try to connect. If th does not help the two steps will then install the version.

    Thank you


Maybe you are looking for