Questions on Implementing Cisco VPN 5500's series Router with VM's on WinServ2016 Datacenter

BACKGROUND:
I run a small association, with about 400 members. We're implementing new technology all the time, to support our vision for the future of what we want to do for members, and we have just recently invested in an HPE ProLiant ML110 Gen9 server. I'm the de facto "CIO" and tech guru, so I got to install Windows Server 2016, set up (so far) three Virtual Machines, and have just installed Microsoft "CALs" to allow access for RDP clients. We host an accounting application for a few of our members, and we want to increase those "mini-cloud services", including bookkeeping services. Thus the investment in a new server.

Each VM I have assigned a static IP address. Our current Windows 10 Pro server allows users to login (up to 10) and run the application, from their personal desktop. I wanted to beef up security, partitioning the disk into VMs, so each user doesn't even know there are other users on the server. So, we recently purchased a Linksys Router -- an EA9400 wireless unit -- but the Linksys support folks tell me that the reason our RDP clients can't get access to the VMs is the router tables don't support a VPN connection; and that this is what we'll need to set up for them to get access.

My plan is to have each user assigned to a unique IP port (not 3389, but something like 5000, 5001, 5002, etc.) and for each entry, create a VPN table entry that routes the user to the correct virtual machine. Seemed rather straightforward to me, yet when I set this up in the EA9400, it wouldn't work.

MY QUESTION:

So, today I purchased a Cisco ASA5506-K9= Network Security Firewall Appliance. I'm told this router requires an "AnyConnect Plus/Apex license". My question is, is this true, and if so, will THIS BE the last piece of gear -- software or hardware -- I'll need to purchase to get this going? I'm hoping that for a long, long time, all I would need to add is more RAM and/or more Hard Disk space.

TIA for any help!   If I need to purchase some tech supt time, or pay for some consulting service, please advise.  I'm just hoping there are some IT folks here that have actually set this up and are able to help make sure I'm heading in the right direction.  

Andrew 'L'
Asked by Andrew Lietzow, Exec Dir/CIO

CompProbSolv Commented:
I realize that you just purchased the ASA5506, but will suggest that you consider a different route altogether. Take a look at PFSense.com and their "free" firewall software. It is quick and easy to install on any reasonable PC (add a good quality dual- or quad-port NIC) and is VERY flexible in terms of features. If you can get by with support by other users, then there's no cost beyond whatever you use for hardware.

This is not at all to be critical of the ASA5506.  It is a very capable device, but you'll likely end up paying Cisco for ongoing licenses to get the features and support that you may well need.
0
Pete Long, Technical Consultant, Commented:
Hi,

Your 5506-X comes with two AnyConnect licences for free (Yay!) Modern AnyConnect licencing can be confusing! To demystify it, I've written the following:
AnyConnect 4 – Plus and Apex Licensing Explained

Anyway, don't buy subscription licences, buy perpetual ones. The minimum you can buy is 25 - they are not really expensive, but as you are running ML110 servers and Linksys routers (no offence) the cost may be a stretch.

Get the AnyConnect licences and all your problems will be solved. I posted a walkthrough on the above site on how to set it up.

You can of course put all the VMs on different ports with the ASA if you want. I wouldn't recommend this, as I've seen a lot of Cryptolocker infections come in over public RDP connections (they were not protected by VPN!)
RDP to Multiple Servers with a Cisco PIX/ASA Firewall
If you MUST do this, make the public ports VERY high numbers (anything near 3389 will get probed). E.g. I have my test servers in my company's DC; I used 3390 (I think) and the firewall was logging tens of thousands of hits an hour. I changed it to a large number port - I get about two a day now.

If you need anything else, post back; there's pretty much no problem on an ASA I've not dealt with before :)
0
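
Added example (not part of the thread or any poster's code): one way to measure the probing Pete Long describes, by counting inbound connections that an ASA forwarded to an internal RDP listener, per hour and public port. The log lines are constructed and modelled on ASA syslog message 302013; the addresses, ports and the `KNOWN_CLIENTS` set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on ASA syslog message 302013 (inbound TCP
# connection built). Addresses are documentation ranges; public ports 3390 and
# 50001 and the internal hosts are assumptions made for this example.
SAMPLE_LOG = """\
Mar 01 2018 10:02:11: %ASA-6-302013: Built inbound TCP connection 101 for outside:198.51.100.7/51544 (198.51.100.7/51544) to inside:192.168.1.11/3389 (203.0.113.2/3390)
Mar 01 2018 10:02:40: %ASA-6-302013: Built inbound TCP connection 102 for outside:198.51.100.8/40110 (198.51.100.8/40110) to inside:192.168.1.11/3389 (203.0.113.2/3390)
Mar 01 2018 10:15:03: %ASA-6-302013: Built inbound TCP connection 103 for outside:198.51.100.7/51600 (198.51.100.7/51600) to inside:192.168.1.11/3389 (203.0.113.2/3390)
Mar 01 2018 10:31:27: %ASA-6-302013: Built inbound TCP connection 104 for outside:192.0.2.44/60211 (192.0.2.44/60211) to inside:192.168.1.12/3389 (203.0.113.2/50001)
Mar 01 2018 11:05:09: %ASA-6-302013: Built inbound TCP connection 105 for outside:198.51.100.9/33871 (198.51.100.9/33871) to inside:192.168.1.11/3389 (203.0.113.2/3390)
Mar 01 2018 11:06:00: %ASA-6-302014: Teardown TCP connection 105 for outside:198.51.100.9/33871 to inside:192.168.1.11/3389 duration 0:00:02 bytes 0 TCP FINs
"""

LINE_RE = re.compile(
    r"^(?P<hour>\w{3} \d{2} \d{4} \d{2}):\d{2}:\d{2}: %ASA-6-302013: "
    r"Built inbound TCP connection \d+ for outside:(?P<src>[\d.]+)/\d+ \S+ "
    r"to inside:(?P<real>[\d.]+)/(?P<rport>\d+) \([\d.]+/(?P<pubport>\d+)\)"
)

KNOWN_CLIENTS = {"192.0.2.44"}  # assumption: a member's expected source address

def rdp_exposure(log_text, rdp_port=3389):
    """Per (hour, public port): connection count and distinct source addresses
    for inbound connections forwarded to an internal RDP listener."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["rport"]) != rdp_port:
            continue
        bucket = stats[(m["hour"], int(m["pubport"]))]
        bucket["hits"] += 1
        bucket["sources"].add(m["src"])
    return dict(stats)

def unexpected_sources(stats, known):
    """Public ports reached by addresses outside the expected client set."""
    out = defaultdict(set)
    for (_hour, port), bucket in stats.items():
        out[port] |= bucket["sources"] - known
    return {port: srcs for port, srcs in out.items() if srcs}

if __name__ == "__main__":
    stats = rdp_exposure(SAMPLE_LOG)
    for (hour, port), b in sorted(stats.items()):
        print(f"{hour}:00 public port {port}: {b['hits']} hits, {len(b['sources'])} sources")
    print("unexpected:", unexpected_sources(stats, KNOWN_CLIENTS))
```

Any source listed as unexpected has reached the RDP logon prompt directly, which does not happen when the VMs are reachable only through the VPN.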

Andrew Lietzow, Exec Dir/CIO, Author Commented:
Thanks to CompProbSolv and Pete Long for quick responses.  I may not have complete mental clarity yet, but your posts were truly helpful.   Two different ways to skin the Digital VPN cat, and both seem excellent.   Some further research is in order.
1