<

ASA AnyConnect Licensing

Published on
23,236 Points
16,236 Views
5 Endorsements
Last Modified:
Approved
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes.

"site-to-site" VPNs
The first are the "site-to-site" VPNs that come with all ASAs.  For the 5505, this is 10 for the base OS and 25 for the Security Plus OS.  5510s are 250, 5520s are 750, etc...  These licenses are not AnyConnect licenses.  They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.  

This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration.  However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.

AnyConnect Premium
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs.  AnyConnect comes in two flavors.  One is AnyConnect Premium.  All ASAs comes with 2 licenses of AnyConnect Premium.  These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans.  The AnyConnect Premium scheme is tiered.  So the licensing starts at the 2 the ASA comes with.  You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.

AnyConnect Essentials
The other option in the AnyConnect world is AnyConnect Essentials.  The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client.  You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs.  No clientless, no advanced security features.  These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505).  Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....

The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.

I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box.  All ASAs, by default, will reject a VPN request from a mobile device.  To change this, I needed to install qty 1 of the AnyConnect Mobile license.  This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).  

Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case.  The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices.  The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
5
Comment
Author:tomago
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 18

Expert Comment

by:Garry Glendown
add to that the Anyconnect Mobile license, which requires at least the essentials ... this is necessary for certain features or mobile devices to get a VPN connection to the ASA ... cost is the same as for the essentials ...
0
 
LVL 8

Expert Comment

by:amatson78
Just to clarify if I have an ASA 5505 with a base license and the stock 2 SSL VPN peers this is the Premium SSL correct? If so then for the mobile license I just need part #L-ASA-AC-M-5505= to enable my iPhone to connect?
0
 
LVL 18

Expert Comment

by:Garry Glendown
SSL VPN != AnyConnect !!! The 2 trial SSL VPN licenses are just for the basic SSL connect via webbrowser, not a VPN ...
0
Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

 
LVL 18

Expert Comment

by:Garry Glendown
Run "show version" to get the overview over the available licenses:

Licensed features for this platform:
[..]
SSL VPN Peers                  : 2      <-- that's the trial SSL licenses
[..]
AnyConnect for Mobile          : Disabled    <-- what you want/need for your mobile clients
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled    <-- what you need before you can use AnyConnect Mobile

0
 
LVL 5

Author Comment

by:tomago
@amatson78:  Yes, the 2 SSL VPN that come with the ASA are AnyConnect Premium.  If you only need two concurrent VPN sessions from mobile devices, all you have to do is purchase the AnyConnect mobile license and you're all set.  By default the ASA is going to look for the Essentials license so in the WebVPN config just type "no anyconnect-essentials" and it will change it from the essentials licensing scheme to the premium licensing scheme.

@Garry-G:  Incorrect, you AnyConnect mobile requires EITHER essential OR premium.  Also, the trial licenses are AnyConnect Premium and not just a "basic SSL connect".  
0
 
LVL 8

Expert Comment

by:amatson78
@Tomago,

Awesome that is what I expected but wanted to clarify for me and anyone else who comes across this helpful article. I am only using the ASA for a lab so the 2 license are perfect I just wanted mobile access. :) I can confirm I can access the VPN via both clientless portal and the anyconnect which confirms they should be the "Premium" license included. Kudos on the guide.
0
 
LVL 5

Author Comment

by:tomago
Good to hear amatson78.  If you wanted to get started now, there is a free trial of the mobile license on the Cisco site.  http://www.cisco.com/go/license   -> sign in with your CCO ID then click on "If you do not have a PAK, please click here for Demo and Evaluation licenses."
0
 
LVL 8

Expert Comment

by:amatson78
@ Tomago, Awesome thanks for the heads up, I did just that and have a 90 day trial license installed onto the ASA and just successfully connected to my lab from my iPhone. Thx again one of the best guides yet. :)
0
 
LVL 58

Expert Comment

by:Pete Long
Nice Article!
You didn't mention the changes to AnyConnect Licencing for Failover though?
Cisco AnyConnect - Essentials / Premium Licences Explained


Pete
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

Join & Write a Comment

As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month