I recently updated from an old PIX platform to the new ASA platform. While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works. It turns out that the ASA has 3 different VPN licensing schemes.
The first are the "site-to-site" VPNs that come with all ASAs. For the 5505, this is 10 for the base OS and 25 for the Security Plus OS. 5510s are 250, 5520s are 750, etc... These licenses are not AnyConnect licenses. They are restricted to IPSec only and client-wise are only compatible with the Cisco VPN Client.
This Cisco VPN Client is the old platform from the PIX/VPN Concentrator days, so they worked for my migration. However, a Cisco SE informed me that the Cisco VPN Client platform is EOL'd and when a hotfix/service pack is released that breaks the client, it will not be fixed.
At this point I started looking into the new AnyConnect platform for my user/client-based VPNs. AnyConnect comes in two flavors. One is AnyConnect Premium. All ASAs comes with 2 licenses of AnyConnect Premium. These licenses are unrestricted and allow for client-based and client-less VPNs along with some advanced security features like Endpoint Assessments and Remote Host Scans. The AnyConnect Premium scheme is tiered. So the licensing starts at the 2 the ASA comes with. You can then upgrade to 10, 25, 50, 100, 250, etc... until you reach the box max.
The other option in the AnyConnect world is AnyConnect Essentials. The Essentials license is restricted to client-based only VPNs and is a direct replacement for the old Cisco VPN Client. You cannot do anything with this license other than the IPSec or SSL based VPN connections, limited to fat-client-based VPNs. No clientless, no advanced security features. These Essentials licenses are platform licenses, so purchase qty 1 of the Essentials license for a 5505 would give you the box max for concurrent AnyConnect VPNs (which is 25 on a 5505). Qty 1 of the Essentials license on a 5510 would give you 250 concurrent client-based AnyConnect VPNs, 750 on a 5520, etc....
The OS of the ASA has a software switch in the VPN config that only allows for the ASA to be in one scheme or the other at any one time so you cannot have both and Essentials and Premium license active at the same time.
I would also like to point out that with AnyConnect, you cannot connect iPads/iPhones/etc... out of the box. All ASAs, by default, will reject a VPN request from a mobile device. To change this, I needed to install qty 1 of the AnyConnect Mobile license. This then allowed the VPN requests from the mobile devices to be accepted and it then pulled a VPN license from my AnyConnect license pool (either Essentials or Premium, whichever is active).
Some of the wording in the Cisco documentation led me to believe I needed one mobile license for each mobile device, but that is NOT the case. The mobile license is not a VPN license, it is just to allow the ASA to accept VPN requests from mobile devices. The VPN licenses for the mobile devices were then pulled from my normal AnyConnect licensing pool (as I stated above).
Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’
As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:
• Key questions to ask when considering a partnership to accelerate your business into the cloud
• Pitfalls and mistakes other partners…