Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Cisco SSL-VPN License Pricing Question

Posted on 2007-04-04
Medium Priority
Last Modified: 2011-09-20
Hello Experts,

We are looking for client-less VPN solutions, likely SSL-VPN to provide web access to our application.  These are some backgrounds:

1. We already have several PIXes in place for security control and site-to-site VPN, as well as a few software VPN clients.

2. We have absolutely no need for Anti-whatever protection on the device - anti-virus, anti-spam, etc.

That being said, I have looked at both the ASA and VPN Concentrator from Cisco since we have traditionally been a Cisco shop.  To my understanding both of them have native SSL-VPN support, but what I needed some advise is pricing.

For example, if I understand correctly the ASA only comes with certain number of SSL-VPN license.  So, say if I buy a ASA 5520 at $6k (CDW), even though it supports "up to 750 SSL-VPN clients", I will still have to pony up $5k or so to buy license packs for every 100 concurrent SSL-VPN connection, right?  So in reality if I want an ASA 5520 to support 300 concurrent SSL-VPN connection, I will be paying $6k for the unit plus $5k x 3 for SSL-VPN licnese, which puts me at $21k?

Now, if the above assumption is correct, is it also true that Cisco Concentrators comes with all the SSL-VPN licenses when you buy the box?  For example, the CVPN3030 ($19k, CDW) is rated for up to 500 SSL-VPN connections, and to my understanding as long as I buy a CVPN3030 device, I can let 500 users connect to it via SSL-VPN immediately?  Is there anything else I needed to add for that to happen?

Basically, I wanted to find out what is the cheaper way to get this done, making sure I understand their licensing policies correctly.  I was under the impression that for 300 SSL-VPN users, since we don't need the other security features of the ASA, it would be cheaper for us to just buy a Concentrator 3030 at $19k (not to mention if we need to go to 400 or 500 users, the ASA would be another $10k in the hole).  Also there are 3030s on eBay for much less...

Any advise regarding these two devices (or third party alternatives that performs well at a good price point) would be greatly appreciated.  Please feel free to share your experience, tips, catches, etc.  I am open to idea, and all are welcome!


Question by:WallaceLau
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 28

Accepted Solution

batry_boy earned 2000 total points
ID: 18855674
My experience reflects what you have posted in regards to the different licensing models offered between the ASA and VPN 3000 series concentrators...SSL VPN licensing costs extra on the ASA and it doesn't cost extra on the VPN 3000.  The only limitation on the VPN 3000 series is the hardware limitation that Cisco has put into each model of concentrator for the number of simultaneous WebVPN sessions allowed.

So, it is cheaper to implement clientless VPN on the VPN 3000 concentrators, you just won't get as much performance out of them since they are limited in RAM, processor, etc., but it is definitely cheaper.

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question