Using the AnyConnect Client With a PAN Firewall: A Step-By-Step Guide

Cisco AnyConnect is a Virtual Private Network (VPN) client that provides secure remote access from a range of devices. It terminates on a Cisco headend (an ASA, FTD, or Meraki MX), not on a Palo Alto Networks (PAN) firewall: PAN's own remote-access client is GlobalProtect, and a GlobalProtect gateway does not accept AnyConnect connections. "Using AnyConnect with a PAN firewall" therefore means placing the AnyConnect headend behind the PAN and writing NAT and security policy on the PAN that passes AnyConnect's two tunnel transports, TLS over TCP/443 and DTLS over UDP/443, to that headend while denying other traffic. Two caveats that users report: the client's default gateway may land on the next virtual IP from the address pool, and a specific minimum AnyConnect client version may be required (the Meraki MX, for example, needs 4.8 or later) before connections succeed.

Characteristic | Value
-------------- | -----
AnyConnect client | Cisco AnyConnect Secure Mobility Client
AnyConnect server (headend) | Cisco ASA (also Cisco FTD and Meraki MX); never a Palo Alto firewall
AnyConnect VPN on the MX | Enabled from the AnyConnect Client VPN radio button on the Security & SD-WAN > Configure > Client VPN > AnyConnect Settings tab
Tunnel transport | Transport Layer Security (TLS) over TCP/443 and Datagram Transport Layer Security (DTLS) over UDP/443
Client version required by the MX | 4.8 or higher on Windows, macOS, Linux, or mobile devices
Coexistence on the MX | Layer 2 Tunneling Protocol (L2TP)/Internet Protocol Security (IPsec) Client VPN and AnyConnect VPN run simultaneously
AnyConnect traffic on the MX | Can be routed through Site-to-Site VPN (both AutoVPN and Non-Meraki VPN)
AnyConnect with a Meraki MX appliance | Gives remote users secure connectivity into the networks behind the MX
AnyConnect tunnel | Built by the AnyConnect client to the headend (ASA or MX), which may sit behind the PAN
Reported default-gateway issue | Client's default gateway landed on the next virtual IP from the pool (user report)
ASA behind a PAN | Needs inside and outside zones and interfaces on both the PAN and the ASA, plus a destination NAT on the PAN
Traffic path | Client traffic hits the public IP on the PAN (untrust zone) and is NATted to the ASA's outside interface
Authentication | Client authenticates to the ASA and is assigned an IP from the ASA pool
AnyConnect and GlobalProtect | GlobalProtect is the Palo Alto VPN client; AnyConnect is the Cisco VPN client
AnyConnect and PAN VPN | AnyConnect is not supported by PAN's GlobalProtect VPN
Built-in client firewall | Access-list rules defined on the ASA are pushed to the client PC to lock down its host firewall
QUIC | Users report immediate disconnects and slow new connections when QUIC is denied; AnyConnect DTLS also uses UDP/443, so the AnyConnect allow rule must precede the QUIC deny and App-ID should be checked

Cisco AnyConnect and GlobalProtect

Cisco AnyConnect can be used behind a PAN firewall. One way to do this is to set up an ASA 5585-X as the AnyConnect server so that users can reach an internal network, with the ASA placed behind the PAN firewall and a public IP address on the PAN translated to the ASA's outside interface.

The Cisco AnyConnect client cannot connect to a GlobalProtect VPN; the GlobalProtect client is required. One user described their process: they pointed the GlobalProtect client at the VPN URL, were prompted to sign in with Okta, and after authenticating accepted or denied a push notification sent to their mobile device.

Some users have reported the GlobalProtect client to be unreliable and unstable, kicking users off at random; upgrading to a 4.x version of the client has been reported to resolve this. VPN clients and headends from different vendors cannot be mixed: each client speaks only its own vendor's tunnel protocol.

AnyConnect client firewall

Cisco AnyConnect is a VPN client with a client firewall feature: access-list rules are defined on the ASA and pushed to the connecting PC's host firewall while the tunnel is up. The rules are configured in Cisco ASDM or, from the CLI, in the webvpn section of a group-policy, with separate rules for the client's public (physical) interface and its private (VPN tunnel) interface.
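The following ASA configuration is an added example, not from the page or from Cisco's documentation, showing the group-policy described above with a public-interface lockdown rule. The ACL names, the group-policy name and the choice of printer ports are assumptions; adjust them to the environment.

```text
! Added example (not from the page): ASA group-policy pushing a client-firewall
! rule to AnyConnect. Names and ports are assumptions.
!
! Public rule: applied to the client's physical (LAN / Wi-Fi) interface while the
! tunnel is up. Permit only local printer discovery and printing, then deny the
! rest, so a hostile coffee-shop LAN cannot reach the VPN client directly.
access-list AC_PUBLIC_LOCKDOWN remark NetBIOS name/datagram/session for printer discovery
access-list AC_PUBLIC_LOCKDOWN extended permit udp any any eq 137
access-list AC_PUBLIC_LOCKDOWN extended permit udp any any eq 138
access-list AC_PUBLIC_LOCKDOWN extended permit tcp any any eq 139
access-list AC_PUBLIC_LOCKDOWN remark IPP (631), LPD (515) and raw JetDirect (9100) printing
access-list AC_PUBLIC_LOCKDOWN extended permit tcp any any eq 631
access-list AC_PUBLIC_LOCKDOWN extended permit udp any any eq 631
access-list AC_PUBLIC_LOCKDOWN extended permit tcp any any eq 515
access-list AC_PUBLIC_LOCKDOWN extended permit tcp any any eq 9100
access-list AC_PUBLIC_LOCKDOWN extended deny ip any any
!
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  ! "public" = client's physical interface; "private" would target the VPN adapter
  anyconnect firewall-rule client-interface public value AC_PUBLIC_LOCKDOWN
!
! Verify: "show vpn-sessiondb anyconnect" on the ASA shows the group-policy in
! effect for a session; the connected client's host firewall lists the pushed rules.
```

A private-interface rule (client-interface private) follows the same syntax and governs traffic on the VPN adapter; test it on a lab client before deploying, since a deny that is too broad on that interface stops the tunnel from carrying anything.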

Cisco AnyConnect can be used behind a PAN firewall. One Reddit user described their setup: a 1:1 NAT on the Palo Alto to the untrusted (outside) interface of the ASA, which assumes multiple public static IPs. Another described a similar setup with two interfaces on the ASA: one outside, above the Palo Alto with a public IP, and another connected to the Palo Alto firewalls via an L2 switch to accommodate Palo Alto failovers.

Cisco AnyConnect is not supported as a client for Palo Alto's GlobalProtect gateway: GlobalProtect has its own client and its own tunnel protocol, and the PAN-OS gateway does not accept AnyConnect's TLS/DTLS or IKEv2 tunnels. The gateway configuration documented on the PANW website applies to the GlobalProtect client only. To keep AnyConnect, terminate it on an ASA or Meraki MX that the PAN firewall fronts, as described above.

AnyConnect on the MX appliance

Cisco AnyConnect is a VPN client and, through its Network Access Manager module, an 802.1X supplicant; it is used with ASAs for VPN and with Cisco ISE (Identity Services Engine) for network access control. It cannot connect to a Palo Alto GlobalProtect gateway, but the headend it connects to can sit behind a Palo Alto firewall.

AnyConnect is supported on the MX appliance. Users have reported that AnyConnect with Duo MFA is easy to set up on all MX devices: enable AnyConnect in the Client VPN settings, obtain AnyConnect licensing, open a support case to have SAML authentication enabled, and then follow the documentation.

However, one user reported that their networking partner told them Cisco AnyConnect cannot be used with MX68CW and MX105 appliances and that they must instead use the native VPN clients built into Windows and other supported operating systems. Other users contradict this, stating that they use AnyConnect with MX105 appliances without issue.

AnyConnect VPN server on the MX

The AnyConnect VPN server on the MX uses Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) for tunneling and requires AnyConnect VPN client version 4.8 or higher on Windows, macOS, Linux, or mobile devices for remote access connections to succeed. The AnyConnect client negotiates a tunnel with the AnyConnect server and gives you access to resources or networks on or connected to the AnyConnect server (the MX).

Unlike the AnyConnect implementation on the Adaptive Security Appliance (ASA), the MX security appliance supports only the SSL core VPN and those AnyConnect modules that do not require additional configuration on the MX. The MX supports Layer 2 Tunneling Protocol (L2TP)/Internet Protocol Security (IPsec) Client VPN and AnyConnect VPN simultaneously.

To enable AnyConnect, ensure that your network firmware version meets the minimum requirement. For MX64(W) and MX65(W), the firmware version must be 17.6+, and for all other supported models, the latest MX-16 firmware. Upgrades can be managed by navigating to Organization > Monitor > Firmware upgrades. To enable AnyConnect VPN, select Enabled from the AnyConnect Client VPN radio button on the Security & SD-WAN > Configure > Client VPN > AnyConnect Settings tab.

The AnyConnect server on the MX uses TLS 1.2 for tunnel negotiation (TLS 1.3 on MX 19.1+), so it needs a server identity certificate. The MX supports three certificate options. With the default, Auto-Generated, the MX enrolls a publicly trusted certificate for the Meraki DDNS hostname of the network, and that certificate renews automatically. The Custom options use a key pair generated on the MX and a certificate you have signed (see below). The DDNS hostname is not easy to remember, so it is highly recommended to use an AnyConnect profile to give it a friendly alias in the client's server list; because the client still connects to the DDNS hostname, the certificate name continues to match.

Changing the Server Certificate Generation Method from Custom back to the default, Auto-Generated, causes the MX to delete the currently uploaded custom certificate. A factory reset or device replacement (RMA) generates a new private key on that MX, so a new CSR must be generated and signed and the resulting certificates re-added under Security & SD-WAN > Configure > Client VPN > AnyConnect.

When configuration is complete, save the XML profile. Use a unique file name so the profile is not overwritten by profiles from other AnyConnect servers the client may also use, then upload the file in the profile update section of the AnyConnect Settings page.
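The profile below is an added example, not from the page or from Cisco or Meraki, of the DDNS alias recommended above and the profile file described in this paragraph. The display name, the DDNS hostname and the file name are placeholders; the real hostname is shown on the MX's AnyConnect Settings page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (not from the page). Save with a unique name such as
     example-corp-mx-vpn.xml and upload it under AnyConnect Settings > profile update.
     All host names below are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- The MX does not deploy or update client software, so auto-update stays off. -->
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <!-- Users pick the alias below instead of typing an arbitrary headend. -->
    <AllowManualHostInput>false</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Friendly name shown in the client's server drop-down -->
      <HostName>Example Corp VPN (MX)</HostName>
      <!-- The hard-to-remember Meraki DDNS hostname the auto-generated
           certificate is issued for. Placeholder value. -->
      <HostAddress>example-network-abcdef.dynamic-m.com</HostAddress>
      <!-- TLS/DTLS tunnel, which is what the MX terminates -->
      <PrimaryProtocol>SSL</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The client connects to HostAddress, so the MX's automatically enrolled certificate for the DDNS hostname still validates; only the label the user sees changes.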

AnyConnect on ASA vs. MX

AnyConnect is a full-featured endpoint mobility client. On the Adaptive Security Appliance (ASA) or Firepower it supports features such as Host Scan and Web Launch. On the MX security appliance some of these are not supported, including Web Launch and client software deployment or update; the MX supports the SSL core VPN and other AnyConnect modules that do not require additional configuration.

When using AnyConnect with the MX, a license is required, and license costs vary based on type, duration, and user count. The MX supports Layer 2 Tunneling Protocol (L2TP)/Internet Protocol Security (IPsec) Client VPN and AnyConnect VPN simultaneously. Stateless high availability and WAN failover are also supported, meaning that when HA or WAN failover occurs, active user sessions will be disconnected, and users will need to reconnect to the new active WAN link or the new primary MX.

When comparing the two, one user on Reddit said that they have supported both ASAs and Palo Alto firewalls and that "ASAs just plain suck". They go on to say that they are keeping their ASAs just for AnyConnect until they roll out GlobalProtect. Another user said that they have heard stories of people keeping ASAs for AnyConnect alone and that, of all the issues with the ASA platform, AnyConnect is not one.

To set up an ASA 5585-X as the AnyConnect server behind a PAN firewall, configure a 1:1 destination NAT on the Palo Alto from a public IP to the ASA's untrusted (outside) interface, and a security rule from the untrust zone to the ASA's zone that permits both AnyConnect transports: TLS over TCP/443 and DTLS over UDP/443. Inside and outside zones and interfaces are needed on both the PAN and the ASA. Two PAN-OS details catch people: the security rule matches the pre-NAT (public) destination address but the post-NAT zone, and because DTLS and QUIC both use UDP/443, the AnyConnect allow rule must sit above any rule that denies QUIC.
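The PAN-OS commands below are an added example, not from the page or from Palo Alto Networks, of the NAT and security policy described in this paragraph and in the Reddit setups quoted earlier. Every name, zone and address is an assumption: the public address 203.0.113.10 sits in a zone called untrust, the ASA's outside interface is 198.51.100.10 in a zone called dmz, and 192.0.2.55 stands in for a remote client.

```text
# Added example (not from the page): PAN-OS "set" commands for an ASA AnyConnect
# headend behind the PAN. All names, zones and addresses are assumptions.
configure
set address ASA-Public ip-netmask 203.0.113.10/32
set address ASA-Outside ip-netmask 198.51.100.10/32
set service DTLS-UDP-443 protocol udp port 443

# 1:1 destination NAT. NAT rules are written in pre-NAT terms, so both zones are
# untrust: that is where the public address lives.
set rulebase nat rules AnyConnect-DNAT from untrust to untrust source any destination ASA-Public service any destination-translation translated-address ASA-Outside

# Security policy matches the pre-NAT destination (ASA-Public) but the post-NAT
# zone (dmz). Both tunnel transports are allowed: TLS over TCP/443 and DTLS over
# UDP/443. Without the UDP path the client still connects but performs badly.
set rulebase security rules Allow-AnyConnect from untrust to dmz source any destination ASA-Public application [ ssl dtls ] service [ service-https DTLS-UDP-443 ] action allow log-end yes

# Order matters: keep this rule above any rule that denies quic, because QUIC and
# AnyConnect DTLS share UDP/443.
move rulebase security rules Allow-AnyConnect top
commit
exit

# Confirm which rule a client's DTLS packet hits (pre-NAT destination, post-NAT zone).
test security-policy-match from untrust to dmz source 192.0.2.55 destination 203.0.113.10 protocol 17 destination-port 443
```

After the first connections, check the traffic log for sessions to ASA-Public on UDP/443: they should show the application as dtls and the Allow-AnyConnect rule, not quic and a deny rule.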

Frequently asked questions

AnyConnect is a Cisco VPN client and 802.1X supplicant. It provides secure connectivity across a broad set of PC and mobile devices.

PAN stands for Palo Alto Networks. A PAN firewall is commonly configured to deny QUIC (so browsers fall back to TLS the firewall can inspect) while allowing Cisco AnyConnect VPN traffic to traverse it. Because AnyConnect's DTLS transport and QUIC both use UDP/443, the allow rule for the AnyConnect headend must be placed above the QUIC deny and the traffic log checked to confirm the sessions are identified as dtls.

A Palo Alto GlobalProtect gateway cannot terminate Cisco AnyConnect connections. Running GlobalProtect requires a GlobalProtect gateway license on the firewall and the GlobalProtect client, and the PANW website documents that gateway configuration. To keep using AnyConnect, terminate it on an ASA or Meraki MX placed behind the PAN firewall.

One reported issue is that the AnyConnect client appears to pull two IP addresses, with the default gateway landing on the next virtual IP in the pool, so traffic does not pass correctly. Another is that the client reconnects every minute, disrupting traffic. In an ASA-behind-PAN design, the PAN traffic log for UDP/443 (DTLS) sessions to the ASA's public address is the first place to check for either symptom.
