Table Of Contents
Adaptive Security Appliance VPN Compatibility Reference
ASA, ASDM, Cisco Secure Desktop, and AnyConnect (SSL) VPN Client
Antivirus, Antispyware, and Firewall Packages Supported by Host Scan
Adaptive Security Appliance VPN Compatibility Reference
11 December 2008This document shows the compatibility of the ASA, clients, and Cisco Secure Desktop.
We have tested the features on the operating systems (OSs) and web browsers named in this document; however, they might work on other OSs and browsers.
For more information, go to the release notes and configuration guides for the products named in this document.
Note
For AAA server compatibility information, go to "Configuring AAA Servers and the Local Database."
LAN to LAN
The ASA supports LAN-to-LAN IPsec connections with Cisco peers, and with third-party peers that comply with all relevant standards.
ASA, ASDM, Cisco Secure Desktop, and AnyConnect (SSL) VPN Client
Table 1 shows the compatibility of the latest versions.
Table 1 ASA, ASDM, and Client Compatibility
8.1
6.1(1) to 6.1(3)1
3.3.0.118+
2.2.0133+
8.0(4)
6.1(3)1
3.3.0.118+
2.2.0133+
8.0(3)
6.0(3) to 6.1(3)1
3.2.1.103 or 3.3.0.118+
2.1.0128 to 2.1.0148
8.0(2)
6.0(2) or 6.1(1) to 6.1(3)1
3.2.0.136 (subsequently referenced as "3.2")
2.0.0343 (subsequently referenced as "2.0")
7.1(x) - 7.2(x)
5.1(x) - 5.2(x)
3.1.1.45 (subsequently referenced as "3.1.1")
1 ASDM 6.1.3 can manage ASAs running 8.0(2), 8.0(3), 8.0(4) and 8.1(1).
2 Only ASAs running 7.1(x) or 7.2(x) support the Cisco SSL VPN Client (1.1.4.176+); however Cisco Secure Desktop does not support it. See the next section for IPsec support.
IPsec Clients
All releases of the ASA support the following IPsec clients; however, Cisco Secure Desktop does not support them:
•
•
•
•
•
•
Operating Systems
The following tables show the ASA features and the OSs they support:
•
•
•
•
Features not shown support all of the named OSs. The tables address the following releases:
•
•
–
–
–
Note
–
–
–
•
Table 2 AnyConnect and Supported OSs
Certificate Authentication, including DoD Common Access Card and SmartCard
Start Before Logon
Standalone or WebLaunch (Cisco Secure Desktop components not used)
Standalone with Host Scan
Standalone with Secure Desktop (Vault)
WebLaunch with Cache Cleaner
WebLaunch with Secure Desktop
1 With Safari keychain only.
2 Beginning with Cisco Secure Desktop 3.2.1 and AnyConnect 2.2.
3 Beginning with AnyConnect 2.1
4 Standalone mode supports both 32-bit and biarch 64-bit.
5 Beginning with Cisco Secure Desktop 3.2.1.118 and AnyConnect 2.1.
6 Beginning with AnyConnect 2.1 on 32-bit mode only.
7 Beginning with AnyConnect 2.1 on Fedora Core 4.
1 Beginning with Cisco Secure Desktop 3.2.1.118.
2 Beginning with Cisco Secure Desktop 3.2.1.
3 This OS does not use registry keys.
1 Beginning with Cisco Secure Desktop 3.3, Secure Desktop supports Windows Vista and Vista SP1, but it does not support AnyConnect on these OS's.
Table 5 Clientless SSL VPN Features and Supported OSs
Certificate Authentication, including DoD Common Access Card and SmartCard
Port Forwarding (Sun Microsystems Java™ Runtime Environment (JRE) 1.4.1.x or higher must be installed. See Port Forwarding Restrictions for other requirements.)
Note: Recommended only for Linux
Smart tunnel (ASA 8.0(2) and above)
Note: Recommended for Windows and Mac OS instead of port forwarding
Web folders
1 With Safari keychain only.
2 The most recent Safari version 2.0.4(419.3) we tested requires Java version 1.5 to use Port Forwarding.
3 Tested on Fedora Core 4.
4 Beginning with ASA 8.0(2)+. The browser must be enabled with Java, Microsoft ActiveX, or both.
5 Beginning with ASA 8.0(4)+. The browser must be enabled with Java. See restrictions.
6 With Microsoft hotfix installed.
Mobile Support
The following sections address mobile compatibility with the ASA:
VPN (IPsec) Client
The Apple iPhone 3G ships with advanced VPN Client capabilities for Cisco IPsec connectivity already installed. Original iPhone users can upgrade to the iPhone 2.0 software to take advantage of this new capability. Features of the VPN Client include:
•
–
–
–
–
–
–
–
•
•
The Cisco ASA 5500 Security Appliances and PIX Firewalls work with the Cisco VPN Client on the iPhone. We highly recommend the 8.0(x) software release or later, but you can also use the 7.2(x) software.
For Windows Mobile, the following third-party vendors offer a VPN client that works with the ASA: Antha, Apani, Bluefire, Microsoft, and NCP.DE. Cisco supports the Microsoft client; the respective vendors support the other clients.
Bluefire offers a version of the Palm Treo that has an IPsec client that works with the ASA.
Nokia provides support for Symbian on the Nokia 92xx Communicator series, Nokia 6600 and Nokia E61.
L2TP/IPsec Client
The following mobile OS's support a built-in L2TP/IPsec client that Cisco has tested successfully with the ASA:
•
•
•
The iPhone supports MS-CHAP v2 (preferred) for PPP. It has also been tested for MS-CHAP v1 and PAP support for PPP authentication. The VPN Client on the iPhone 3G supports pre-shared keys and certificates.
Windows mobile based handheld devices support MS-CHAP v1 and v2, and pre-shared keys.
Some Windows Mobile 2003 (HP iPAQ h4150) and 5.0 (HP iPAQ hx 2495b) PDAs support enrollment with an available certificate authority server and can use certificate-based authentication.
SSL VPN Clientless
You can access Clientless SSL VPN from your Pocket PC or other certified personal digital assistant (PDA). Neither the ASA administrator nor the Clientless SSL VPN user need do anything special to use Clientless SSL VPN with a certified mobile device. Cisco has certified the mobile devices shown in Table 6:
Other mobile devices (e.g., the BlackBerry) might work but are not supported.
The iPhone does not have a Java Runtime Environment (JRE) and does not support SSL, so the following SSL VPN features are not supported: application access, auto applet download, client/server plug-ins, and e-mail proxy.
Smart tunnels, plug-ins, and port forwarding do not support Microsoft Windows Mobile.
Browsers
Cisco AnyConnect Client (when launched as a standalone client) supports any browser. Table 7 shows the browsers that Clientless SSL VPN and the Cisco Secure Desktop modules support. Other browsers might also work but are not supported by Cisco.
Note
Table 7 Browsers Supported by Cisco AnyConnect Client, Clientless SSL VPN, and Cisco Secure Desktop
Internet Explorer
7.01
6.0 and 7.0
6.0
Firefox
2.0 - 3.02
1.5 - 3.0
1.5 - 3.0
2.0 - 3.1.13
1.5 - 3.0
Safari
2.0 - 3.1.14
1 Secure Desktop does not let Internet Explorer run on the Microsoft Vista desktop.
2 AnyConnect in standalone mode only.
3 AnyConnect on a Mac does not support the Firefox certificate store. For Host Scan with WebStart, see below.
4 Smart Tunnel requires 3.1.1.
To enable Host Scan with WebStart, the remote user must do the following:
Step 1
Step 2
Step 3
Step 4
Do not associate jnlp files with javaws or Applications/Utilities/Java/Java Web Start.
Antivirus, Antispyware, and Firewall Packages Supported by Host Scan
Host Scan examines the remote computer connecting to the VPN for antivirus and antispyware applications, and software firewalls for compliance with configured, corporate security policies. To access the list of packages that Host Scan supports, go to the Software Download page for Cisco Secure Desktop, click the PDF link above "Antivirus, Antispyware, and Firewall Packages Supported by Host Scan," and click Next and Accept in the subsequent pages.
E-mail Proxy
E-mail Proxy (sessions) is a legacy feature that the ASA supports for use with Microsoft Outlook 2002 (also known as Outlook XP), Outlook 2000, and Outlook Express running on the following OS's:
•
•
•
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
Guest
