licensing for ASA 5520 for anyconnect clients

Good Morning,
      I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

      I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

      My current configuration only has 1 ASA5510 but we may want to utilize a 2nd device for failover. Supposing I want to have 25 concurrent users what license package should I purchase for 1 device? If I want to have the 2nd device setup for failover and in the event my primary device fails and I would like to still have failover capabilities what license package should I purchase?

Any info would be helpful.
Asked by: jbla9028

Jezbit commented:
The ASA5520 comes with 500 licenses if the part number of the one you purchased is ASA5520-SSL500-K9. If you buy a unit, it usually comes with licenses so you should be covered for your second device.

Log onto the ASA via the CLI and type "show version" to display what you currently have available license-wise.
 
jbla9028 (Author) commented:
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5520 VPN Plus license.
 
Jezbit commented:
The license to purchase for 25 users is ASA5500-SSL-25 and you'll need one on each device if you want failover.

The minimal concurrent package for the ASA5520 is 500 (ASA5520-SSL500-K9) which you would also need to have per device if you want failover.

It may be cheaper to look at named user options and see where your break-even point is.
 
jbla9028 (Author) commented:
Thanks. Not sure I follow...

If I purchase just the ASA5500-SSL-25 I should be fine?

you say the minimal concurrent package for the ASA5520 is 500.. Do I need that as well?

What do you mean by named user options?

Thanks!
 
phantom024 commented:
I believe that the SSL VPN licenses and the other VPN licenses are separate.  If you want your users to use the VPN client software then I don't believe you need to purchase any SSL VPN licenses. From your post it looks like you should have more than enough licenses to support 25 users with the VPN client connections, but maybe I misunderstood the question.
 
jbla9028 (Author) commented:
I want to use the SSL anyconnect client. The license option listed as "Total VPN Peers     750" is for IPSec clients from what I can tell. If I install the IPSec client this will work under the 750 if I understand it correctly. The SSL licenses are listed under where it says "SSL VPN Peers         : 2". I love the IPSec client; the only problem is it takes some IT intervention to set up the user. The SSL anyconnect client gets pushed to the user when they log into the SSL webpage. This is the benefit I want.
 
Jezbit commented:
Total VPN Peers: 750  - this equates to IPSEC VPN licenses and not Anyconnect SSL licenses, which you only have 2 of.

Named licenses are cheaper than concurrent. You said you needed 25 concurrent (i.e. 25 users connected at the same time). This means if you have 100 users and you had a 25 concurrent user license, only 25 of the 100 would ever be able to connect simultaneously. It would not matter who they were though.

Named users means you would have a list of users and they could connect, up to the number of licenses you buy.

The minimum concurrent license package for your device is 500. If you only have 100 users in total, it might be cheaper to buy a 100 user license instead of a 500 concurrent license.

Hope this explains better, otherwise let me know how many users you have and I can tell you which license would be best.
 
Jezbit commented:
P.S. Just read your post above...

You can set the IPSEC client up automatically with an imported profile.
 
jbla9028 (Author) commented:
Hmm, what a pain. Damn you, Cisco. OK, so how are the users controlled? I have set up my ASA using TACACS+ to authenticate to AD. Say I buy 25 licenses and they all connect 1 time, then I have a 26th user who wants to connect. Will I have the ability to remove a license from a previous user who connected? How does the ASA remember the user that takes a license? The 500 concurrent license model is ridiculously high and way out of my price range.

The IPSec client can be setup with the imported profile but then you get into the problem of users with 64 bit or 32 bit machines... I'm just trying to make this work as easy as pie for IT and for the users.
 
Jezbit commented:
If the vpnclient.ini file is bundled with the VPN Client software when it is first installed, it automatically configures the VPN Client during installation. You can also distribute the profile files (one .pcf file for each connection entry) as preconfigured connection profiles for automatic configuration. To distribute preconfigured copies of the VPN Client software to users for installation, complete these steps:

Copy the VPN Client software files from the distribution CD-ROM into each directory where you created a vpnclient.ini (global) file and separate connection profiles for a set of users.

Prepare and distribute the bundled software. CD-ROM or network distribution. Be sure the vpnclient.ini file and profile files are in the same directory with all the CD-ROM image files. You can have users install from this directory through a network connection; or you can copy all files to a new CD-ROM for distribution; or you can create a self-extracting ZIP file that contains all the files from this directory, and have users download it, and then install the software.

Still more effort than the Anyconnect solution, but it is an option :-)
 
Jezbit commented:
That's right, you'd have to delete a user to add a user. Maybe buy a 50 user license (ASA5500-SSL-50) to facilitate some growth. Still cheaper than the concurrent option...

(As far as I know you can go over the licenses but you would be in violation of the agreement)
 
jbla9028 (Author) commented:
How would I delete a user? I'm using TACACS+ with AD. Would I just remove the user from the group under the ACServer? Just trying to gauge how difficult this would be. The IPsec client config you're describing wouldn't be too bad as long as I could get the user to install the correct package based on their Windows version.
 
Jezbit commented:
That should work fine because it would stop the user from authenticating and therefore they would no longer be using a license. It shouldn't be a problem.

The IPSEC option is a bit more pain - only an option if you want the extra work to save license costs. You would need to distribute the right installs to the users, which again is a bit of a pain. The other solution is effortless. Depending on your priorities vs budget, at least it's an option :-)
 
jbla9028 (Author) commented:
Thanks, this answers the question and the bottom is a good discussion regarding IPSEC vs SSL connectivity. Thanks for your help!
 
Jezbit commented:
Absolute pleasure!
 
jbla9028 (Author) commented:
By the way, I did contact Cisco earlier regarding this and they replied that I should get the following license.

Thank you for contacting Cisco Worldwide Partner Helpline. My name is Sajitha Surendran and I have taken the ownership of this case.

Q) I have a question regarding purchasing SSL licenses for my ASA 5520. I would like to use the anyconnect client to connect to our corporate LAN using the ASA5520. I have set the anyconnect client configuration up and it’s working great and now I just need to know what licenses I need to purchase.

I do not need client-less vpn connectivity. I want to have the user install the anyconnect client. We also do not utilize the Cisco Secure Desktop.

A) If you do not require clientless SSL VPN and Cisco Secure Desktop capabilities, you can go for the AnyConnect Essentials license.

It provides Cisco AnyConnect Secure Mobility client connectivity without clientless SSL VPN and Cisco Secure Desktop capabilities and Full tunneling access to enterprise applications. The license part number is given below:

L-ASA-AC-E-5520= AnyConnect Essentials VPN License - ASA 5520 (750 Users) USD 250.00
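
An added example, not written by any poster in this thread: it parses the "Licensed features" table from `show version` and reports how many sessions AnyConnect (SSL) clients can use, alone and across a failover pair. The function names are hypothetical, the sample is constructed from the output posted above, and it assumes (from the Cisco reply) that AnyConnect Essentials lifts the AnyConnect count to the platform's Total VPN Peers.

```python
import re

# Constructed sample: a subset of the license lines quoted in this thread.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Failover                       : Active/Active
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect Essentials          : Disabled

This platform has an ASA 5520 VPN Plus license.
"""

def parse_licensed_features(text):
    """Return {feature name: value} from the 'Licensed features' table."""
    features, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_table = True
            continue
        if in_table:
            m = re.match(r"^(.+?)\s*:\s*(\S.*?)\s*$", line)
            if not m:  # a blank line or trailer ends the table
                break
            features[m.group(1)] = m.group(2)
    return features

def anyconnect_capacity(features):
    """Sessions usable by AnyConnect (SSL) clients on one unit.

    Assumption from the thread: 'SSL VPN Peers' counts SSL/AnyConnect
    sessions, 'Total VPN Peers' is the platform ceiling, and AnyConnect
    Essentials raises AnyConnect sessions to that ceiling.
    """
    total = int(features["Total VPN Peers"])
    if features.get("AnyConnect Essentials") == "Enabled":
        return total
    return min(int(features["SSL VPN Peers"]), total)

def failover_pair_capacity(unit_outputs):
    """Each failover unit is licensed separately (per the thread), so the
    pair can only be relied on for the smaller of the two capacities."""
    return min(anyconnect_capacity(parse_licensed_features(t))
               for t in unit_outputs)

def sufficient(text, needed):
    """True if one unit can carry `needed` concurrent AnyConnect users."""
    return anyconnect_capacity(parse_licensed_features(text)) >= needed
```
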