Articles Tagged ‘ASA Firewall’

Cisco KnowledgeBase

The 'Cisco KnowledgeBase' section is one of the newest and most popular sections on Firewall.cx. Dedicated to Cisco's leading technological innovations, this section offers articles covering multiple categories such as Cisco Routers, Switches, Voice over IP and much more.

All articles are written by qualified engineers with years of experience and are complemented by our unique diagrams.

The quality of the provided information is so high that readers can use it as a guideline for learning Cisco technologies, but also for self-study exams.

We should note that Firewall.cx is the only site officially recommended by Cisco's Network Academy Program (see Site Related/Awards section), which confirms the validity of Firewall.cx and the information it provides.

Articles and examples provided in this section cover the CCENT, CCNA, CCDA, CCNP & CCVP certification levels.

Demystifying Cisco AnyConnect 4.x Licensing. Plus, Plus Perpetual, Apex & Migration Licenses for Cisco IOS Routers & ASA Firewalls (5500/5500-X Series). Supported Operating Systems & Ordering Guide

In late 2014, Cisco announced the new licensing model for the latest AnyConnect Secure Mobility client v4.x. With this new version, Cisco introduced a number of new features, but also simplified the licensing model, which was somewhat confusing. In this article, we will take a look at the new AnyConnect 4.x licenses, which consist of: AnyConnect Plus license, AnyConnect Plus Perpetual license and AnyConnect Apex license.
 
We will also show how the new licenses map to the older AnyConnect Essentials and AnyConnect Premium license, plus the available migration paths. Finally, we also take a look at Cisco’s Software Application Support (SAS) and Software Application Support plus Upgrade (SASU), which are required when purchasing AnyConnect.

All AnyConnect licenses prior to version 4 had the AnyConnect Essentials and Premium licensing scheme. The newer v4.x AnyConnect licenses now have one of the three licensing options:

  • Cisco AnyConnect Plus License (Subscription Based)
  • Cisco AnyConnect Plus Perpetual License (Permanent – no subscription)
  • Cisco AnyConnect Apex License (Subscription Based)

With the new AnyConnect licenses, Cisco has moved to a subscription-based licensing model, which means customers will unfortunately need to fork out more money in the long run. The Plus Perpetual License, on the other hand, allows Cisco customers to purchase a one-time license; however, this license costs significantly more than the subscription-based license.

We should also note that AnyConnect 4.0 is not licensed based on simultaneous connections (like the previous AnyConnect 3.x), but is now user-based. This means a user connecting via his smartphone and laptop simultaneously will only occupy a single license.

Since the newer AnyConnect licenses are subscription-based, according to Cisco, if the subscription expires and is not renewed, the licensed features will stop working.
 
Cisco AnyConnect Secure Mobility Client 4.0 supports the following operating systems:

  • Windows 8.1 (32bit & 64Bit)
  • Windows 8 (32bit & 64Bit)
  • Windows 7 (32bit & 64Bit)
  • Linux Ubuntu 12.X 64Bit
  • Linux RedHat 6 64Bit
  • Mac OS X 10.10 – 10.8

As expected, Windows XP is no longer supported.

Let’s take a look at each license feature and how the older AnyConnect Essentials and Premium licenses map to the newer AnyConnect Plus and Apex licenses:


Figure 1. Mapping AnyConnect 3.x Essentials & Premium to AnyConnect 4.x Plus & Apex


Cisco AnyConnect Plus License (Equivalent to the old Essentials License) 5, 3 or 1-Year Term

The AnyConnect Plus License is a subscription-based license with the option of a 5, 3 or 1-year renewable subscription and supports the following features:

  • VPN Support for Devices. Includes Workstations and Laptops.
  • Secure Mobility Client support (AnyConnect Mobile). Includes mobile phones, tablets etc.
  • SSL VPN (Client-based)
  • Per-app VPN. Authorizes specific applications to access the VPN. Supports specific devices and software.
  • Basic endpoint context collection
  • IEEE 802.1X Windows supplicant
  • Cisco Cloud Web Security agent for Windows & Mac OS X platforms
  • Cloud Web Security and Web Security Appliance support
  • Cisco Advanced Malware Protection for Endpoints Enabler. AMP for Endpoints is licensed separately
  • Network Access Manager
  • Federal Information Processing Standards (FIPS) Compliance

It is worth noting that AnyConnect 3.x required the purchase of Essentials or Premium license + AnyConnect Mobile (L-ASA-AC-M-55xx) in order to support mobile devices (Smartphones, Tablets etc.).  AnyConnect Mobile is now integrated into the new AnyConnect Plus license.

 

Cisco AnyConnect Plus Perpetual (permanent) License

Firewalls

A firewall is simply a system designed to prevent unauthorised access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorised Internet users from accessing private networks connected to the Internet. All data entering or leaving the Intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This helps prevent "hackers" from logging into machines on your network. More sophisticated firewalls block traffic from the outside to the inside, but permit users on the inside to communicate a little more freely with the outside.

Firewalls are also essential since they can provide a single block point where security and audit can be imposed. Firewalls provide an important logging and auditing function; often they provide summaries to the admin about the type and volume of traffic that has been processed through them. This is an important point: providing this block point can serve the same purpose (on your network) as an armed guard can (for physical premises).

Theoretically, there are two types of firewalls:

1. Network layer

2. Application layer

They are not as different as you may think, as described below.

Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another. The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that higher-level layers depend on. The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform.

 

Network Layer Firewalls

This type generally makes its decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly more sophisticated, and now maintain internal information about the state of connections passing through them at any time.

One important difference about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a private internet address block. Network layer firewalls tend to be very fast and tend to be mostly transparent to their users.

 

Application Layer Firewalls

These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other, after having passed through an application that effectively masks the origin of the initiating connection.

Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application layer firewalls are not particularly transparent to end-users and may require some training. However more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

The future of firewalls sits somewhere between network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly aware of the information going through them, and application layer firewalls will become more and more transparent. The end result will be a kind of fast packet-screening system that logs and checks data as it passes through.

Understand & Configure NAT Reflection, NAT Loopback, Hairpinning on Cisco ASA 5500-X for TelePresence ExpressWay and Other Applications

This article examines the concept of NAT Reflection, also known as NAT Loopback or Hairpinning, and shows how to configure a Cisco ASA Firewall, running ASA version 8.2 and earlier as well as ASA version 8.3 and later, to support NAT Reflection. NAT Reflection is a NAT technique used when devices on the internal network (LAN) need to access a server located in a DMZ zone using its public IP address.

What’s interesting is that NAT Reflection is not supported by all firewall appliances, however Cisco ASA Firewalls provide 100% support, making any NAT scenario possible. NAT Reflection is also seen at implementations of Cisco’s Telepresence systems where the ExpressWay-C server on the internal network needs to communicate with the ExpressWay-E server in the DMZ zone using its public IP address.

Note: Users seeking additional information on Network Address Translation concepts can visit our dedicated NAT Section, which covers NAT in great depth.

Single 3-Port/Leg Firewall DMZ with one LAN interface ExpressWay-E Server

In the example below, ExpressWay-C with IP address 192.168.1.50 needs to access ExpressWay-E (DMZ zone, IP address 192.168.5.5) using its public IP address of 203.40.40.5. This type of setup also happens to be one of the two most popular configurations:


Figure 1. NAT Reflection on a 3-Port ASA Firewall with Cisco Telepresence (ExpressWay-C & ExpressWay-E)

ExpressWay-C packets traversing the ASA Firewall destined to ExpressWay-E’s public IP address will have the following transformation thanks to the NAT Reflection configuration:

  • Destination IP address 203.40.40.5 is replaced with Destination IP address 192.168.5.5 (ExpressWay-E’s private IP address). This is also known as Destination NAT (DNAT).
  • The Source IP address 192.168.1.50 (ExpressWay-C) is replaced with Source IP address 192.168.5.1 (the ASA’s DMZ interface IP address). This is also known as Source NAT (SNAT).

When ExpressWay-C packets arrive to the ExpressWay-E server, they will have the following source & destination IP address: Source IP: 192.168.5.1, Destination IP: 192.168.5.5

Translation of the source IP address (SNAT) of packets (192.168.1.50 to 192.168.5.1) for this traffic flow is optional in general, but it is specifically required for the Cisco ExpressWay setup. The configuration commands for the above setup are as follows:

For ASA Versions 8.3 and later:
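The following configuration is an added example (not the article's own configuration) that implements the two translations described above on ASA 8.3 and later using twice (manual) NAT. The object names and the interface names "inside" and "dmz" are assumptions; the IP addresses are those from Figure 1. The source translation is done as dynamic PAT to the DMZ interface address, which yields the 192.168.5.1 source the article describes.

```text
! Added example (not from the article). Assumed interface nameifs: inside, dmz, outside.
! Network objects for the hosts in Figure 1.
object network ExpressWay-C
 host 192.168.1.50
object network ExpressWay-E-Private
 host 192.168.5.5
object network ExpressWay-E-Public
 host 203.40.40.5
!
! NAT Reflection rule (twice NAT, evaluated before object NAT):
! for inside -> dmz traffic, rewrite destination 203.40.40.5 -> 192.168.5.5 (DNAT)
! and rewrite source 192.168.1.50 -> the dmz interface address 192.168.5.1 (SNAT).
nat (inside,dmz) source dynamic ExpressWay-C interface destination static ExpressWay-E-Public ExpressWay-E-Private
!
! Ordinary static NAT so that Internet hosts reach ExpressWay-E on its public address.
object network ExpressWay-E-Private
 nat (dmz,outside) static ExpressWay-E-Public
```

To confirm the rule is hit before the static object NAT, trace a packet from ExpressWay-C to the public address (assumed TCP/443 for illustration) and inspect the NAT phase of the output: `packet-tracer input inside tcp 192.168.1.50 1025 203.40.40.5 443`. `show nat detail` also lists the translate hit counters per rule.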

Upgrading - Uploading AnyConnect Secure Mobility Client v4.x SSL VPN on Cisco ASA 5506-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X, 5585-X

This article will show how to download and upload the newer AnyConnect 4.x VPN clients to your Cisco ASA Firewall appliance (5500 & 5500-X Series) and configure WebVPN so that the newer AnyConnect VPN client is used and distributed to the remote VPN clients.

The Cisco AnyConnect SSL VPN has become the VPN standard for Cisco equipment, replacing the older Cisco IPSec VPN Client. With the introduction of the newer 4.x AnyConnect, Cisco has made dramatic changes to their licensing and features supported. Our Cisco AnyConnect 4.x Licensing article explains the differences with the newer 4.x licensing and has all the details to help organizations of any size migrate from 3.x AnyConnect to 4.x. You’ll also find the necessary Cisco ordering codes along with their caveats.


Figure 1. Cisco AnyConnect v4.x

The latest AnyConnect client at the time of writing is version 4.2.02075, which is available for Cisco customers with AnyConnect Plus or Apex licenses. Cisco provides both head-end and standalone installer files. The head-end files (.pkg extension) are deployed on the Cisco ASA Firewall and automatically downloaded by the VPN clients once authenticated via the web browser.

Following is the direct Cisco URL for the AnyConnect download:

https://software.cisco.com/download/navigator.html?mdfid=283000185&flowid=72322

Uploading AnyConnect Secure Mobility Packages to the ASA Firewall

Images can be uploaded to the Cisco ASA Firewall via a standard tftp client using the copy tftp flash: command:

ASA-5506X# copy tftp flash:
Address or name of remote host []? 192.168.10.54
Source filename []? anyconnect-win-4.2.02075-k9.pkg
Destination filename [anyconnect-win-4.2.02075-k9.pkg]? [Hit Enter to keep same filename]
Accessing tftp://192.168.10.54/anyconnect-win-4.2.02075-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.2.02075-k9.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
 
19426316 bytes copied in 85.820 secs (228544 bytes/sec)

We repeat the same commands until all 3 files have been uploaded so we can fully support Windows, Linux and Mac OS X clients.
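The ASA reports "INFO: No digital signature found" when it stores these packages, so the integrity of each .pkg file should be checked on the workstation before it is copied to flash. The script below is an added example (not the article's or Cisco's own tooling) that compares the SHA-512 of each head-end file against a manifest of the checksums Cisco publishes on the download page; the manifest format and the file names are assumptions, and no real checksum values are included.

```shell
#!/bin/sh
# Added example (not from the article): verify AnyConnect head-end .pkg files
# before uploading them to the ASA with "copy tftp flash:".
# Manifest format (assumed): one line per file, "<sha512> <filename>".

# verify_pkg FILE EXPECTED_SHA512
# Returns 0 when the file exists and its SHA-512 matches, 1 otherwise.
verify_pkg() {
    pkg="$1"
    expected="$2"
    if [ ! -f "$pkg" ]; then
        echo "MISSING $pkg" >&2
        return 1
    fi
    actual=$(sha512sum "$pkg" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK      $pkg"
        return 0
    fi
    echo "FAIL    $pkg (expected $expected, got $actual)" >&2
    return 1
}

# verify_all MANIFEST
# Checks every file listed in the manifest; returns non-zero if any file
# is missing or mismatched, so a deploy script can stop before the TFTP copy.
verify_all() {
    manifest="$1"
    rc=0
    while read -r sum name; do
        [ -z "$sum" ] && continue
        verify_pkg "$name" "$sum" || rc=1
    done < "$manifest"
    return $rc
}

# Usage: place anyconnect-win-4.2.02075-k9.pkg, the Linux and the Mac OS X
# packages beside a manifest filled in from Cisco's download page, then:
#   verify_all anyconnect-4.2.02075.sha512 && echo "safe to upload"
```

Run the check once per package set and only start the `copy tftp flash:` uploads when `verify_all` succeeds; a mismatched file is reported on stderr with both digests so the bad download can be identified.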

Using the dir command at the end of the process confirms all files have been successfully uploaded to our ASA Firewall:
