cisco 5505 SSL VPN edition firewall licensing

I am trying to purchase 3 cisco 5505 appliances, the head office appliance would be ASA5505-SSL25-K9 to handle IPSec to the other two appliances and remote client SSL and mobile O/S SSL connections.

What I am unsure of, and am getting differing opinions on (from cisco reps), is what licensing I need to cover the SSL client connections from laptop and mobile/smartphone clients.

what I think I need based on cisco docs is:
1x ASA5505-SSL25-K9 for head office
2x ASA5505-50-BUN-K9 for remote offices
1x ASA-AC-M-5505 (AnyConnect Mobile) license on head office appliance
SmartNet support for each appliance

I thought ASA5505-SSL25-K9 includes 25 premium SSL lics, but the latest quote I have received also includes ASA5500-SSL-25 (ASA 5500 SSL VPN 25 Premium User License).

If anyone could shed any light on this for me I would be very greatfull.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dude ask this to your Account manager. It is there job.

Sudip Patil
Erik BjersPrincipal Systems AdministratorCommented:
Also I would go with a 5505 security+ at the main office.

Also want to inform you that there is curently a delay in Asa orders due to production problems. We tried to order a couple recently and were told we could not get them till June. You may want to look at alternet devices like sonicwall.
DAVEBEAuthor Commented:
I'm new to cisco so have no dedicated cisco account manager as yet. I''ve been in touch with 3 different cisco partners who have given different and sometimes conflicting advice on the licensing requirements, this is why I am asking the question here to see if anyone has gone through anything similar.

ebjers, thanks for the advice re cisco order delays. I've used sonicwalls previoulsy for site to site vpn but not remote workers ssl based vpn - I will have a look at the more recent models.

Anyone else out there with any thoughts on the cisco licensing issue?
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

Erik BjersPrincipal Systems AdministratorCommented:

Any good Cisco reseller should be able to put you in contact with a sales engineer at Cisco and this engineer will be the best person to talk to about your requirements.  

For SonicWALL you can go with the NSA240 at the home office and TZ210 at the branch office, both are comparable to the ASA 5505 and due to the lack or ASAs right now I have been looking into the NSA240 to use as a replacement for the 5505s that we buy on a regular basis.  

If you have any more than 50 - 100 people at any of your offices you may want to consider a larger ASA 5510 for your main office or the comparable SonicWALL product.  Even if this is more capacity than you need right now if there are any future plans for growth you should think of those now and build extra capacity into the network.

I'm rather disappointed in the availability of the ASA products from Cisco right now but word on the internet is that they cut back on production during the "economic down turn" and are having problems catching back up.  If you do find a reseller who has the 5505 please let me know.

Here's a good reference on licensing the ASA's
Cisco ASA 5505 SSL/IPsec VPN Edition for 25 concurrent SSL VPN users (AnyConnect Premium-SSL VPN Edition) =  ASA5505-SSL25-K9, so you should not have to purchase any additional SSL line items unless it is for maintenance. This part number is the base 50 user edition of the ASA which should be upgraded to the SEC+ edition with yet another license upgrade - ASA5505-SEC-PL=
So... here's your BOM (zero dollar items are included in the base product)

Product                       Description                                                 Quantity  Discount  Price          Lead Time
ASA5505-SSL25-K9              ASA 5505 VPN Edition w/ 25 SSL Users, 50 FW Users, 3DES/AES 1         0.00      3,940.00       21-90 Days    
CAB-AC-C5                     AC Power Cord, Type C5, US                                  1         0.00      0.00           14-34 Days    
SF-ASA5505-8.2-K8             ASA 5505 Series Software v8.2                               1         0.00      0.00                          
ASA-AC-M-5505                 AnyConnect Mobile - ASA 5505 (req. Essentials or Premium)   1         0.00      100.00                        
ASA5505-SEC-PL                ASA 5505 Sec. Plus Lic. w/ HA, DMZ, VLAN trunk, more conns. 1         0.00      700.00         14 Days        
Included: ASA5500-ENCR-K9     ASA 5500 Strong Encryption License (3DES/AES)               1         0.00      0.00           14 Days        
Included: ASA5500-SSL-25      ASA 5500 SSL VPN 25 Premium User License                    1         0.00      0.00           14 Days        
Included: ASA5505-PWR-AC      ASA 5505 AC Power Supply Adapter                            1         0.00      0.00           14 Days        
Included: SSC-BLANK           ASA 5505 SSC Blank Slot Cover                               1         0.00      0.00           14 Days        
Included: ASA-ANYCONN-CSD-K9  ASA 5500 AnyConnect Client + Cisco Security Desktop Software1         0.00      0.00           14 Days        
Included: ASA5505-SW-50       ASA 5505 50 User software license                           1         0.00      0.00           14 Days        
CON-SNT-AS5SSL25              SMARTNET 8X5XNBD ASA5505-SSL25-K9                           1         0.00      473.00                        


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DAVEBEAuthor Commented:
Thanks for the info.

Just wondering why the secutiy plus license? Apart from extra VLAN, failover, more firewall cons (none of which I can see i need), would there be any other reason for me to upgrade to secutiry plus?

I will have around 25 firewall users behing the SSL25 premium appliance, and around 10-15 concurrent VPN seesions, mostly SSL.

The other two 5505 appliances will have around 7 firewall users and one IPSec site to site VPN.
If you need 11 IPSEC VPN peers, you need SEC+
If you need more than 2 vlans, and/or a DMZ,  and/or need to trunk to a switch, you need SEC+
Think about the future and your growth potential.
You can always purchase the SEC+ upgrade license later if you decide you need it.
Remote 5505's can be just the base 10-user model with no additions.
DAVEBEAuthor Commented:
Thanks Irmoore.

ebjers, Regarding 5505 availability, Dell are now quoting me around 8 weeks for delivery! but I am thinking I will stick with the 5505s rather than go for SonicWalls - our remote sites have bonded ADSL and the ISP has tested their service with the 5505s. Also in terms of reliability, support and SSL VPN performance my feeling (based on others experience/info) is to go with Cisco.

Thanks all for your input.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.