Firepower 2140 VPN Support/Licensing

Jim Matuska
Level 1

We just purchased a couple of 2140 NGFWs with Threat and Malware license subscriptions. I noticed there is a RA VPN license activation that is showing by default as disabled by user.

Without buying additional licensing with the base license and Threat and Malware subscriptions, will we be able to set up L2TP Client VPN configurations as well as site-to-site IPSec VPNs on the 2140s?

Jim


nspasov
Cisco Employee

Hi Jim-

 

The RA-VPN licenses require AnyConnect (Plus or Apex) subscription. However, those are only for RA-VPN. If you want to configure Site-to-Site VPN (IPSec) you don't need to purchase any additional licenses. 

 

I hope this helps!

 

Thank you for rating helpful posts!

Are L2TP VPN Clients still supported in Firepower like on the older ASAs?

Jim

Remote access L2TP VPN clients are not supported on FTD.

 

We can pass their traffic through (via prefilter) but not terminate it.

Does Cisco 4100 with FTD logical device require any additional licensing for multiple Site-to-Site VPN tunnels?

Thanks

@NeWGuy1109 no it doesn't.

It will support the maximum number per the hardware constraints with the base license installed.

Thanks. How can I find out the maximum number for it?

You can check the official data sheet for this:

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

Thank you for rating helpful posts!

Is there any VPN Client software supported to connect without a special license requirement or would we have to buy licensing for RA VPN?  We are looking at less than a dozen VPN Client users.  

 

Jim

Hi,

FTD supports AnyConnect Client VPN and IPSec Site-to-Site VPN.

The old client VPN is not supported in FTD. For remote access VPN you need to buy an AnyConnect Plus (L-AC-PLS-LIC=) or Apex (L-AC-APX-LIC=) license. Minimum license count is 25.

HTH

Abheesh

What is the difference between the Plus and Apex VPN Client/licensing?  

Hi,

AnyConnect PLUS

* VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms.
* Basic endpoint context collection (Note: NOT full ISE context support).
* IEEE 802.1X Windows supplicant.
* Cisco Cloud Web Security agent for Windows & Mac OS X platforms.
* Cisco Web Security Appliance support.
* FIPS compliance.


AnyConnect APEX

* Everything that’s included in AnyConnect Plus.
* Clientless (browser-based) VPN termination on the Cisco ASA.
* VPN Compliance/Posture agent in conjunction with the Cisco ASA.
* Unified Compliance/Posture agent in conjunction with the Cisco ISE 1.3 or later.
* Next Generation Encryption/Suite B.

Below is the Cisco link for the AnyConnect FAQ:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html

HTH

Abheesh

As of now, when running RA VPN on FTD, there is no difference between AnyConnect Plus, Apex or VPN-Only. You can buy any of these licenses and get the same result.

Even though the feature limitations are not enforced via technical means, you are still required to operate per the terms of the End User License Agreement (EULA).

 

So you have to buy the license type and quantity that meets your requirements and operate accordingly.
