Cisco SSL-VPN License Pricing Question

Hello Experts,

We are looking for client-less VPN solutions, likely SSL-VPN to provide web access to our application.  These are some backgrounds:

1. We already have several PIXes in place for security control and site-to-site VPN, as well as a few software VPN clients.

2. We have absolutely no need for Anti-whatever protection on the device - anti-virus, anti-spam, etc.

That being said, I have looked at both the ASA and VPN Concentrator from Cisco since we have traditionally been a Cisco shop.  To my understanding both of them have native SSL-VPN support, but what I needed some advise is pricing.

For example, if I understand correctly the ASA only comes with certain number of SSL-VPN license.  So, say if I buy a ASA 5520 at $6k (CDW), even though it supports "up to 750 SSL-VPN clients", I will still have to pony up $5k or so to buy license packs for every 100 concurrent SSL-VPN connection, right?  So in reality if I want an ASA 5520 to support 300 concurrent SSL-VPN connection, I will be paying $6k for the unit plus $5k x 3 for SSL-VPN licnese, which puts me at $21k?

Now, if the above assumption is correct, is it also true that Cisco Concentrators comes with all the SSL-VPN licenses when you buy the box?  For example, the CVPN3030 ($19k, CDW) is rated for up to 500 SSL-VPN connections, and to my understanding as long as I buy a CVPN3030 device, I can let 500 users connect to it via SSL-VPN immediately?  Is there anything else I needed to add for that to happen?

Basically, I wanted to find out what is the cheaper way to get this done, making sure I understand their licensing policies correctly.  I was under the impression that for 300 SSL-VPN users, since we don't need the other security features of the ASA, it would be cheaper for us to just buy a Concentrator 3030 at $19k (not to mention if we need to go to 400 or 500 users, the ASA would be another $10k in the hole).  Also there are 3030s on eBay for much less...

Any advise regarding these two devices (or third party alternatives that performs well at a good price point) would be greatly appreciated.  Please feel free to share your experience, tips, catches, etc.  I am open to idea, and all are welcome!


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

My experience reflects what you have posted in regards to the different licensing models offered between the ASA and VPN 3000 series concentrators...SSL VPN licensing costs extra on the ASA and it doesn't cost extra on the VPN 3000.  The only limitation on the VPN 3000 series is the hardware limitation that Cisco has put into each model of concentrator for the number of simultaneous WebVPN sessions allowed.

So, it is cheaper to implement clientless VPN on the VPN 3000 concentrators, you just won't get as much performance out of them since they are limited in RAM, processor, etc., but it is definitely cheaper.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.