
Changing Setup - need ASA suggestions for site to site

Dennis Newman
Level 1

Currently have a working WAN system that uses an ASA 5505 in my PA office that flows traffic to a WI office over an MPLS line.

Traffic flows from Fiber Internet in PA across the MPLS to corp headquarters and back just fine, however we now need to eliminate the MPLS and get a new fiber connection in WI.

 

I "think" what I want to set up is an ASA 5512 at the corporate headquarters on the new fiber line with a point to point VPN set up between the new 5512 and the 5505. I also think that I may need to move (install new) AnyConnect VPN connections on the new corporate ASA.

I am not positive as to which product number or additional licenses I would need to buy - What exactly comes with the 5512? If I get the Security Plus version, do I need to add anything else? With the 5505 I added the AnyConnect licenses, and upgraded to 50 users, but I'm pretty sure that is all I needed to add to that one.

 

Is it that easy? - Yes, I know that I have to set up all of my ACLs etc. but they should be, if not the same as on the 5505, at least similar.

 

OR - should I be looking at something other than the 5512?

Thank you in advance.

Dennis

 

2 Replies

Jouni Forss
VIP Alumni

Hi,

 

I have the vague memory that we have looked at your setup before in the past. :)

 

I guess you should first check the datasheet for the different ASA models and see if the mentioned ASA model meets your requirements. You can find a good overview of the different models in this PDF:

 

http://www.cisco.com/c/dam/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/at_a_glance_c45-701635.pdf

 

Next you can use the following document to check the available licenses for the different ASA models and what they contain either with Base License or Security Plus license.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/license/license-management/license.html#17384

 

You mention that with the ASA5505 you got a user amount based license for the AnyConnect VPN. If I am not mistaken this means you got AnyConnect Premium license for the ASA. Does this mean that you are using the browser based (Clientless VPN) VPN on the ASA5505? To my understanding this is at least usually the reason when one might go for the Premium license rather than AnyConnect Essentials, which should provide all the basic SSL VPN Client capabilities. If I am not mistaken it should also support the maximum user amount on the ASA model (refer to the table in the link above for the amount) with that single license.

 

So to my understanding you would need

  • ASA5512-X with Base License
  • AnyConnect Essentials license

 

Though again I would have to say that you should check the above links and see if the model you have initially chosen supports everything you need. I would imagine the company selling you the ASA should be able to help you with choosing the correct setup/part numbers when you are clear on what you need.

 

- Jouni

Jouni,

Yes - you remember correctly, you did assist in setting up the 5505.

I may have misstated what we have with the 5505.

It has the 50 user license and the AnyConnect Essentials 25 VPN user license.

 

As far as which model will meet my requirements - I could possibly get away with another 5505 in the corporate headquarters, as it will only be doing the following 3 tasks.

1 - Acting as an Internet gateway

2 - Guiding site to site traffic between Corporate and PA

3 - Providing Corporate users VPN access to the network

I had assumed I should use the 5512 because there is a possibility that I would need to add a second branch office which would use a 5505. If I'm reading everything correctly, a 5505 won't let me set up 2 site to site VLANs along with internet gateway and VPN services. Also, the Corporate fiber connection is faster than the PA one and servicing more users, which I assumed needed faster throughput.

 

In looking at the license management link that you sent, I believe what I need is a 5512 Basic with the addition of the AnyConnect Essentials license for corporate VPN users (or possibly just have my VPN users connect to the PA VPN and connect to the Corporate network via the site to site VLAN).

Then I would set up a site to site VLAN to the PA 5505, and configure my internet gateway ACLs. All traffic that used to go down the MPLS between offices would just be routed through the site to site VLAN.

 

Dennis
