Well, there's actually one problem that will frustrate VPN 3000 users: licensing. The ASA appliance is really the next generation of PIX firewall, with a merging of the best VPN features from both the PIX and the old VPN 3000. One of the features carried over from the PIX is feature-based licensing, and the ASA licensing can best be described as "you've got to be kidding."
For remote access feature set alone, there are 6 types of licenses, with another half-dozen types for the platform itself. For inexplicable reasons, you need a special license to also use mobile devices with your ASA appliance, although only if you use AnyConnect client software, and not if they use the old client, and don't forget the special license for your IronPort S-series WSA to make it part of the Secure Mobility Solution.
Fortunately, there's a 48-page manual which explains it all — make sure you sit down and read it through a few times before you start. Our only other advice is to be sure to get your strong encryption license (it's free, fast, and online; you just have to promise not to let your ASA slip into the wrong hands) before you start, because encryption profiles will only be correctly set up using the wizards if the strong encryption license is already installed.
Putting the pieces together
Cisco Secure Mobility Solution is not just a VPN toolkit; it's about enforcing enterprise security policy when staff members are both in and out of the office. That means you'll need to spend some time thinking about your security policy before you begin configuration.
One of the important things to remember about the AnyConnect client is that it is "always on," meaning that it enforces security policies based on the location of the user, even when there is no tunnel in place. The AnyConnect client periodically connects to the ASA even when the client is not running — you'll see these little 20 packet exchanges to the HTTPS port of the ASA as it verifies that the ASA is alive and well and doesn't have a new policy to hand out.
You can change the security policy on the fly, so you don't have to get it perfect before you start your deployment, but it's a good idea to know where you want to end up before you start. Because the configuration tools within ASDM are so complicated, the only way to avoid getting lost is to zero in on what you want to accomplish. Building policy is only easy to do if you know what you want to enforce.
Sign up for Computerworld eNewsletters.