Cisco VPN client for 64-bit operating systems

jgrammer42
I have a couple of my users that need to connect to my network via VPN using Cisco's AnyConnect client.  99% of my users use the Cisco VPN Client 5.03 version.  I am not at ALL familiar with, and have no way to test, this 64-bit VPN AnyConnect client.

In looking at the admin guide for the client, it is very unclear as to how I install and set up this guy.

How do I create a profile so that they can connect to my ASA VPN server?  (BTW, my ASA is running IOS 7.2(3), but that should not matter at all.)

Thank you,
Jeff
Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
Hi,

The SSL VPN is clientless, so you do not need to create a pcf file! Please connect to your ASA from the internet at https://vpnserver:443 and the users will be able to use it.

Please refer to this guide:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
If you are running Windows x64, there is a third-party client called NCP Secure Entry Client.  You can import your Cisco VPN client settings into this client.  It's not freeware, but it solves the x64 Vista compatibility issue.

NCP Secure Entry Client: http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html

Commented:
Anyconnect will require you to upgrade to 8.x.

It will also require some configuration changes.  If you post your config I can give you the changes...

Also keep in mind that you only get 2 SSL licenses with the ASA by default, and have to buy more if you require more.
adam115,
I am sorry it took me so long to get back to you.  I was traveling for work.

Here is the current working configuration on my ASA that works for anyone using the Cisco Client v5.

Cisco Adaptive Security Appliance Software Version 7.2(3) 
Device Manager Version 5.2(4)56
 
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
 
ASA-Host up 32 days 21 hours
 
Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
 
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: GigabitEthernet0/0  : address is 0023.0477.1aca, irq 9
 1: Ext: GigabitEthernet0/1  : address is 0023.0477.1acb, irq 9
 2: Ext: GigabitEthernet0/2  : address is 0023.0477.1acc, irq 9
 3: Ext: GigabitEthernet0/3  : address is 0023.0477.1acd, irq 9
 4: Ext: Management0/0       : address is 0023.0477.1ace, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
 
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited 
Maximum VLANs               : 200       
Inside Hosts                : Unlimited 
Failover                    : Active/Active
VPN-DES                     : Enabled   
VPN-3DES-AES                : Enabled   
Security Contexts           : 2         
GTP/GPRS                    : Disabled  
VPN Peers                   : 5000      
WebVPN Peers                : 500       
 
This platform has an ASA 5540 VPN Premium license.
 
Serial Number: JMX1245L2Q7
Running Activation Key: 0x7f1bda41 0x2c26dcb0 0xd0f311f4 0x8b046050 0x4930aa8c 
Configuration register is 0x2001
Configuration last modified by enable_15 at 14:36:51.907 UTC Wed Aug 20 2003
ASA-Host# 
 
: Saved
:
ASA Version 7.2(3) 
!
hostname ASA-Host
domain-name domain-name.com
enable password <removed> encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.210.30.191 255.255.255.224 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.0.0 
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 70
 ip address 192.168.175.2 255.255.255.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif ASA-Mgmt
 security-level 0
 ip address 192.168.10.1 255.255.255.0 
!
passwd <removed> encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain-name.com
access-list OUTSIDE extended permit icmp any any 
access-list OUTSIDE extended permit tcp any host 198.210.30.40 eq www 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq www 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq https 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq pop3 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq imap4 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq 993 
access-list OUTSIDE extended permit tcp any host 198.210.30.41 eq 587 
access-list OUTSIDE extended permit tcp any host 198.210.30.42 eq 7001 
access-list OUTSIDE extended permit tcp any host 198.210.30.42 eq 7002 
access-list OUTSIDE extended permit tcp any host 198.210.30.43 eq www 
access-list OUTSIDE extended permit tcp any host 198.210.30.43 eq https 
access-list OUTSIDE extended permit tcp any host 198.210.30.43 eq pop3 
access-list OUTSIDE extended permit tcp any host 198.210.30.43 eq imap4 
access-list OUTSIDE extended permit tcp any host 198.210.30.43 eq 5229 
access-list OUTSIDE extended permit tcp any host 198.210.30.50 eq www 
access-list OUTSIDE extended permit tcp any host 198.210.30.50 eq https 
access-list OUTSIDE extended permit tcp any host 198.210.30.51 eq 8443 
access-list OUTSIDE extended permit tcp any host 198.210.30.51 eq www 
access-list OUTSIDE extended permit tcp host 216.26.136.180 host 198.210.30.43 eq smtp 
access-list OUTSIDE extended permit tcp any host 198.210.30.44 eq 8443 
access-list OUTSIDE extended permit tcp any host 198.210.30.34 eq 6000 
access-list OUTSIDE extended permit tcp any host 198.210.30.34 eq 30000 
access-list OUTSIDE extended permit tcp any host 198.210.30.34 eq 30030 
access-list OUTSIDE extended permit ip any host 198.210.30.37 
access-list OUTSIDE extended permit ip any host 198.210.30.38 
access-list VPN extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 
access-list VPN extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list VPN extended permit ip 172.16.0.0 255.255.0.0 172.21.0.0 255.255.0.0 
access-list VPN extended permit ip 172.16.0.0 255.255.0.0 172.22.0.0 255.255.0.0 
access-list VPN extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0 
access-list DMZ extended permit icmp any any 
access-list DMZ extended permit udp any any 
access-list DMZ extended permit tcp any any 
access-list DMZ extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list KMD extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0 
access-list KMD extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.0 
access-list EXT-GA extended permit ip 172.16.0.0 255.255.0.0 172.21.0.0 255.255.0.0 
access-list EXT-MD extended permit ip 172.16.0.0 255.255.0.0 172.22.0.0 255.255.0.0 
access-list SPLIT-TUNNEL standard permit 172.16.0.0 255.255.0.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu ASA-Mgmt 1500
ip local pool expool 192.168.150.1-192.168.150.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 192.168.175.253
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 198.210.30.41 172.16.3.1 netmask 255.255.255.255 
static (inside,outside) 198.210.30.42 172.16.3.10 netmask 255.255.255.255 
static (inside,outside) 198.210.30.43 172.16.3.2 netmask 255.255.255.255 
static (dmz,outside) 198.210.30.50 192.168.175.22 netmask 255.255.255.255 
static (dmz,outside) 198.210.30.51 192.168.175.21 netmask 255.255.255.255 
static (dmz,outside) 198.210.30.40 192.168.175.23 netmask 255.255.255.255 
static (inside,outside) 198.210.30.44 172.16.3.251 netmask 255.255.255.255 
static (inside,outside) 198.210.30.34 172.16.1.10 netmask 255.255.255.255 
static (inside,outside) 198.210.30.37 172.16.1.12 netmask 255.255.255.255 
static (inside,outside) 198.210.30.38 172.16.1.13 netmask 255.255.255.255 
access-group OUTSIDE in interface outside
access-group DMZ in interface dmz
route outside 0.0.0.0 0.0.0.0 198.210.30.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS protocol radius
aaa-server RADIUS host 172.16.3.3
 key <removed>
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set EXTset esp-des esp-md5-hmac 
crypto ipsec transform-set EXTset2 esp-3des esp-md5-hmac 
crypto ipsec transform-set EXTset3 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map EXTvpn 10 set pfs group1
crypto dynamic-map EXTvpn 10 set transform-set EXTset3
crypto map EXTmap 10 match address EXT-GA
crypto map EXTmap 10 set peer 218.19.201.142 
crypto map EXTmap 10 set transform-set EXTset2
crypto map EXTmap 20 match address EXT-MD
crypto map EXTmap 20 set peer 197.68.46.206 
crypto map EXTmap 20 set transform-set EXTset2
crypto map EXTmap 40 match address KMD
crypto map EXTmap 40 set peer 69.35.161.164 
crypto map EXTmap 40 set transform-set EXTset2
crypto map EXTmap 40 set security-association lifetime seconds 28800
crypto map EXTmap 65000 ipsec-isakmp dynamic EXTvpn
crypto map EXTmap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 15
ssh 69.35.161.164 255.255.255.255 outside
ssh 216.85.229.206 255.255.255.255 outside
ssh 218.19.201.142 255.255.255.255 outside
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
priority-queue outside
  tx-ring-limit 256
!
class-map Data-MD
 match flow ip destination-address
 match tunnel-group 197.68.46.206
class-map Voice
 match dscp ef 
class-map Data-GA
 match flow ip destination-address
 match tunnel-group 218.19.201.142
class-map class_sip_tcp
 match port tcp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect ils 
  inspect pptp 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect tftp 
 class class_sip_tcp
  inspect sip 
policy-map Voicepolicy
 class Voice
  priority
 class Data-GA
  police output 200000 37500
 class Data-MD
  police output 200000 37500
!
service-policy global_policy global
service-policy Voicepolicy interface outside
group-policy EXTVPN internal
group-policy EXTVPN attributes
 wins-server value 172.16.3.11
 dns-server value 172.16.3.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value lou.domain-name.com
tunnel-group EXTVPN type ipsec-ra
tunnel-group EXTVPN general-attributes
 address-pool expool
 authentication-server-group RADIUS
 default-group-policy EXTVPN
tunnel-group EXTVPN ipsec-attributes
 pre-shared-key *
tunnel-group EXTVPN ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 69.35.161.164 type ipsec-l2l
tunnel-group 69.35.161.164 ipsec-attributes
 pre-shared-key *
tunnel-group 218.19.201.142 type ipsec-l2l
tunnel-group 218.19.201.142 ipsec-attributes
 pre-shared-key *
tunnel-group 197.68.46.206 type ipsec-l2l
tunnel-group 197.68.46.206 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:790ebbffccfe14a9476f9f952e2f109e
: end
ASA-Host# 
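For reference, this is what the AnyConnect pieces look like on an ASA running 8.x (8.0 to 8.3 syntax). It is added here as an illustration; it is not from the thread, from adam115, or from Cisco's documentation. It reuses the names already present in the configuration above (group-policy and tunnel-group EXTVPN, address pool expool, RADIUS server group, SPLIT-TUNNEL list) and adds the SSL client alongside the existing IPsec remote-access setup rather than replacing it, so the 5.0.3 IPsec client users keep working. The package file name, the trustpoint name and the group alias are placeholders. Two checks worth doing before rolling this out: the outside interface must present a certificate that the users' machines trust, or every AnyConnect connection starts with a certificate warning that users learn to click through; and the `show version` output above already lists `WebVPN Peers : 500` under the VPN Premium license, so confirming that figure after the upgrade (it is reported as SSL VPN Peers on 8.x) tells you how many AnyConnect sessions the box is actually licensed for.

```text
! --- Added example: AnyConnect (SSL VPN client) on ASA 8.0-8.3; not from the thread ---
! Assumes the AnyConnect package has already been copied to flash.
! The file name below is a placeholder for the real package name.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-VERSION-k9.pkg 1
 svc enable
 tunnel-group-list enable
!
! Certificate presented on the outside interface. OUTSIDE-TRUSTPOINT is a placeholder
! for a trustpoint enrolled with a CA the client machines already trust.
ssl trust-point OUTSIDE-TRUSTPOINT outside
!
! Extend the existing remote-access group policy: allow the SSL client (svc) in
! addition to IPsec. Split tunnelling, DNS/WINS and the default domain are inherited
! from the lines already in the running config and are not repeated here.
group-policy EXTVPN attributes
 vpn-tunnel-protocol IPSec svc
 webvpn
  svc ask none default svc
!
! Same tunnel-group, so the same RADIUS authentication and address pool apply.
! The alias is what users select in the AnyConnect client; the name is a placeholder.
tunnel-group EXTVPN webvpn-attributes
 group-alias EXTVPN-SSL enable
```

Once this is in place, a user browses to https://<outside-address>/ and is offered the AnyConnect download, or points an already installed client at that address and picks the alias. On 8.4 and later the `svc` keywords were renamed (`anyconnect image`, `anyconnect enable`, `vpn-tunnel-protocol ssl-client`), so the fragment above needs those substitutions on newer releases.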