01-11-2019 12:53 AM - edited 02-21-2020 08:39 AM
I am considering re-flashing my ASA5506 from ASA to FTD. I am reading that there is a license required for Remote Access VPN operation, but all documents mention SSL (or "AnyConnect"). Right now, using the "traditional" ASA OS, my ASA has no problem running an IKE-based IPsec Remote Access VPN.
Does an ASA with FTD support Remote Access VPN via IPsec? If I upgrade to FTD, will I have to purchase a new license just to use this feature I'm already using? The documentation doesn't mention it, but I would find it exceptionally hard to believe it's not available.....
01-11-2019 12:58 AM
01-11-2019 01:00 AM
The Running Activation Key feature: 2 security contexts exceed the limit on the platform, reduced to 0 security contexts.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
What do you mean when you say "FTD supports remote access VPN not the traditional client VPN."..... this is unclear.
01-11-2019 01:45 AM
Hi,
Your current license cannot be used in FTD. By default you can use 2 AnyConnect licenses.
As FTD requires a Smart License, you need to register FTD with the Cisco Smart License portal.
HTH
Abheesh
01-11-2019 01:46 AM
*sigh* I'm not trying to use AnyConnect, I'm trying to use IPsec.....
01-11-2019 01:51 AM
01-11-2019 01:55 AM - edited 01-11-2019 01:55 AM
No, I am using the built-in IPsec client that comes with many devices/OSes (Android, iOS, OSX, Linux, etc.) to connect Remote-Access style to my ASA. I would specifically like to avoid using AnyConnect.
If I'm understanding you correctly, you are saying that FTD will not support me using those built-in clients to connect to a Remote Access VPN - AnyConnect is the only option?
01-14-2019 09:34 AM
You can use IPSec IKEv2 in FTD, but not IPSec IKEv1. More information here: