Wednesday, September 22, 2010

Cisco ASA - AnyConnect for iPhone released

Cisco announced the general release of the Cisco AnyConnect client for the iPhone. While I think it is cool that Cisco has finally released this, I am a bit flabbergasted at the licensing they are doing on the ASA, yet again. Not only do you need an AnyConnect Essentials or Premium license, but it will also require the AnyConnect for Mobile license. I still don't understand why Cisco feels the need to do this, and it is frustrating when trying to sell the ASA platform to have to address each one of the licensing requirements for features that many expect from the base AnyConnect Essentials license. It makes you want to stick with the inbuilt IPSec client solutions regardless of the feature enhancements.

If you run show version on your ASA, you can see your current license status. The output should look like:
ASA#show version
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 50
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 0
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

So note that you will need the AnyConnect Essentials or AnyConnect Premium (SSL VPN Peers) license plus the AnyConnect for Mobile license to have a working solution. Some product overview information is available here; the link might require CCO logon access.
- Ed
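
The license check described in the post above, as a small parser for the "Licensed features" block of show version. This is an added example, not part of the original post or any Cisco tooling: the function names are hypothetical, the sample text is constructed from the output shown in the post, and a non-zero SSL VPN Peers count is assumed to stand for Premium, following the post's parenthetical.

```python
import re

# Constructed sample: an excerpt of the output shown in the post.
SAMPLE = """\
ASA#show version
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
SSL VPN Peers                  : 2
Total VPN Peers                : 250
AnyConnect for Mobile          : Disabled
AnyConnect Essentials          : Disabled

"""

def parse_licenses(show_version: str) -> dict:
    """Return {feature name: value} from the 'Licensed features' block."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features"):
            in_block = True
            continue
        if not in_block:
            continue  # prompt line and anything else before the block
        # Name, colon, then the first token of the value; any trailing
        # column after the value is ignored.
        m = re.match(r"^\s*(.+?)\s*:\s*(\S+)", line)
        if not m:
            if features:
                break  # first non-matching line after entries ends the block
            continue
        features[m.group(1)] = m.group(2)
    return features

def mobile_gaps(features: dict) -> list:
    """List the licenses the post says are still missing for mobile AnyConnect."""
    def enabled(name):
        return features.get(name, "Disabled").lower() == "enabled"
    peers = features.get("SSL VPN Peers", "0")
    premium = peers.isdigit() and int(peers) > 0  # assumption: peers > 0 means Premium
    gaps = []
    if not (enabled("AnyConnect Essentials") or premium):
        gaps.append("AnyConnect Essentials or Premium")
    if not enabled("AnyConnect for Mobile"):
        gaps.append("AnyConnect for Mobile")
    return gaps

if __name__ == "__main__":
    print(mobile_gaps(parse_licenses(SAMPLE)))
```
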

Tuesday, September 21, 2010

Cisco ASA - AnyConnect 3.0 features

Cisco has announced new features for AnyConnect 3.0 and will finally be supporting both IPSec VPN and SSL VPN in a single client. They have outlined some interesting things like using RDP to launch AnyConnect, IPv6 VPN access, captive portal detection and auto reconnect. All things that make AnyConnect much more useful and easier for end users to use VPN all the time.

It seems that Cisco is taking seriously Microsoft's DirectAccess solution given the features they are putting into AnyConnect. In addition, they are making the client available for platforms that Microsoft can't support such as the Apple iPad and iPhone. They are also making AnyConnect able to leverage a split VPN connectivity option to take advantage of their ScanSafe cloud security solution so that might give folks more options in terms of offloading posture assessment of VPN clients.

I still think that Microsoft's DirectAccess is an impressive solution for Win7/Server 2008R2 shops that want to provide their end users a remarkable VPN experience. You can tell the difference of something that is made from the ground up in a product and integrated so tightly in the operating system that the experience becomes seamless. The downside is that there are often shortcomings in flexibility in the number of scenarios you can deploy the solution.

I think Cisco's AnyConnect is a great solution in terms of the flexibility it offers while still providing a strong set of capabilities. I just wish a lot of these features had come out in the 1.x release instead of having to wait this long. Of special note is the IPSec support in a single client - that has been an issue since AnyConnect was first launched.
- Ed

Tuesday, September 07, 2010

Relaunch of the California IPv6 Task Force

For those who are interested in IPv6, please check out the relaunched California IPv6 Task Force website. The CAv6TF will be helping with the gogonetLive! IPv6 event on Nov 2-3, 2010 in Silicon Valley (San Jose area at this point), so please keep the date reserved. It should be a great chance to interact with other IT professionals interested in IPv6.

I am excited we are finally making the CAv6TF website available via IPv6 too and also that the Task Force is now active again after a few years of hiatus due to the majority of the CAv6TF members driving the National IPv6 story. I am now serving as the Co-Chair of the Task Force handling the San Francisco Bay Area. If you have any comments or interest in helping with the CAv6TF please contact us at

If you have not yet joined gogoNET and you are interested in learning more about IPv6, this is a good place to start getting connected with other IPv6 folks, so consider signing up. They also offer a free IPv6 software client service through Freenet6 so you can run IPv6 no matter where you are, which is a nice option if you do not have a native IPv6 service yet. Another option is Hurricane Electric's IPv6 Tunnel Broker service, which I have used for years for my home configuration.
- Ed