A new topic for the CCIE Security 3.X blueprint is the Cisco AnyConnect VPN. This is an enhancement to an earlier technology that you are probably familiar with – the Clientless SSL VPN. The idea behind the Clientless SSL VPN is to provide basic VPN capabilities to a remote PC that does not possess a VPN client. The remote PC in this case just needs an SSL capable Web browser.

The Clientless SSL VPN solution has limped along for a time, but has needed enhancements provided by the AnyConnect VPN approach. While the legacy Clientless SSL VPN supports Windows 2000 and Windows XP, the operating systems supported by the AnyConnect VPN feature include:

  • Windows 2000
  • Windows XP
  • Vista
  • MAC Intel
  • MAC Power PC
  • Red Hat Linux

What other features does the AnyConnect VPN provide? Here are the most dramatic improvements:

  • Datagram Transport Layer Security (DTLS) with SSL connections – DTLS is detailed in RFC 4347 and helps to avoid latency and bandwidth issues associated with some SSL-only connections; the AnyConnect clients also allows fallback to TLD if DTLS fails for any reason
  • Standalone Mode – the Cisco AnyConnect VPN client can run as a simple PC application that requires no browser in order to function
  • Command Line Interface (CLI) – the AnyConnect VPN Client features CLI support for various commands
  • Microsoft Installer (MSI) Support
  • IPv6 VPN access
  • Start Before Login (SBL) – in Windows environments, this feature allows for login scripts and drive mapping, as well as other features
  • Certificate-only authentication – no username and password required

If you are wondering how this new VPN application can coexist with other Cisco VPN options, it turns out that you can use it simultaneously with the legacy Clientless SSL VPN option, and it can coexist with the full IPSec Cisco VPN Client, but you cannot use it simultaneously.

So how does the AnyConnect VPN Client work? The end user either launches the preinstalled AnyConnect VPN client or enters the appropriate URL for your Adaptive Security Appliance (ASA) in a Web browser. Once the user completes authentication, the security appliance determines if the AnyConnect client is needed, and downloads the correct version for the Operating System detected. After downloading, the client installs and establishes a secure SSL connection. Depending upon the ASA configuration, when the VPN connection is terminated, the AnyConnect VPN Client can uninstall itself or remain. In the case of a previously installed AnyConnect VPN Client, after user authentication, the security appliance can upgrade the AnyConnect VPN Client version as needed.

The next post on this subject will cover caveats and best practices for the automated installation of the AnyConnect VPN client on remote PCs.

You can leave a response, or trackback from your own site.

6 Responses to “Cisco AnyConnect VPN Overview”

  1. pitt2k says:


    Does it require administrative rights on the client to install or use this software?

    P.S. Seems the article is unfinished.

  2. Hi pitt2k!

    Thanks for the query and feedback. I am trying to keep the posts shorter and more direct. I will add a conclusion – and will post a follow up blog today on issues with the client install. Look for it later today or tonight.

    Thanks again.

  3. LEB says:

    One problem with AnyConnect is that since it uses SSL, it is vulnerable for a Man in The Middle attack.

    I have tested this myself, and was quite easily able to get both username and password by doing MiTM.

    Granted, I had to click accept on the certificate error that was presented, but normally users do this anyway.

    But with the new MD5 exploit for certificates, this can quite quickly become critical for an organization.

    So, yes, AnyConnect is quite nice, but I would reccomend either using token based authentication, or having the ASA request a client certificate to mitigate this attack.


    • Joe Filstein says:

      AnyConnect has a mode called Strict Certificate Trust, which I think would eliminate what you describe. It can be turned on at deployment time.

    • Fred Schlip says:

      You will get a prompt for cert acceptance in IPSec unless you are using PSK which is even worse as there is no easy way to manage and revoke a PSK.


Leave a Reply


CCIE Bloggers