Solved: Max # of VPN clients & site-to-site VPN tunnels simultaneously on ASA 5505

samiam12345 · ‎08-16-2012

Hi, I wanted to know the maximum VPN client sessions (using the Cisco VPN client) and Site-to-Site VPN tunnels that I can connect to my ASA 5505 simultaneously.

In other words, if I have x VPN clients and y Site-to-Site tunnels, at any time, does x + y have to be <= 10 (Total VPN Peers)? If yes, can I upgrade to the security plus license to increase the Total VPN Peers to 25?

Thanks, Sam

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

SSL VPN Peers : 2

Total VPN Peers : 10

Dual ISPs : Disabled

VLAN Trunk Ports : 0

Shared License : Disabled

AnyConnect for Mobile : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

Advanced Endpoint Assessment : Disabled

UC Phone Proxy Sessions : 2

Total UC Proxy Sessions : 2

Botnet Traffic Filter : Disabled

This platform has a Base license.

Ramraj Sivagnanam Sivajanam · ‎08-16-2012

Hi Bro

With the Cisco ASA 5505 Base License (Part Number: ASA5505-UL-BUN-K9) that you have currently, you can have a maximum of 10 IPSEC VPN tunnels (Remote Access VPN and Site-to-Site VPN) active, at any given time.

Note: This doesn’t affect the 2 SSLVPN Peers. This is a separate story/counting.

If you do need more than 10, then you could purchase the Cisco ASA 5505 Security Plus bundle license (Part Number: ASA5505-SEC-BUN-K9). With this, you can now have a maximum of 25 IPSEC VPN tunnels (Remote Access VPN and Site-to-Site VPN) active, at any given time.

Furthermore, if you do have the budget, you might wanna look into purchasing the Cisco ASA 5505 unlimited user with AIP SSC-5 and Security Plus License bundle (Part Number: ASA5505-U-AIP5P-K9) too. This IPS module greatly enhance firewall protection by blocking threats and network attacks, including worms, Trojans, viruses, and attacks against operating system and application vulnerabilities, with up to 75 Mbps of IPS throughput.

P/S: if you think this comment is useful, please do rate them nicely :-) and select the option “this question is answered”.

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

Ramraj Sivagnanam Sivajanam · ‎08-16-2012

Yes bro. x + y has to be <= 10 (Total VPN Peers).

P/S: if you think this comment is useful, please do rate them nicely :-) and select the option “this question is answered”.

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

Ramraj Sivagnanam Sivajanam · ‎08-16-2012

Hi Bro

With the Cisco ASA 5505 Base License (Part Number: ASA5505-UL-BUN-K9) that you have currently, you can have a maximum of 10 IPSEC VPN tunnels (Remote Access VPN and Site-to-Site VPN) active, at any given time.

Note: This doesn’t affect the 2 SSLVPN Peers. This is a separate story/counting.

If you do need more than 10, then you could purchase the Cisco ASA 5505 Security Plus bundle license (Part Number: ASA5505-SEC-BUN-K9). With this, you can now have a maximum of 25 IPSEC VPN tunnels (Remote Access VPN and Site-to-Site VPN) active, at any given time.

Furthermore, if you do have the budget, you might wanna look into purchasing the Cisco ASA 5505 unlimited user with AIP SSC-5 and Security Plus License bundle (Part Number: ASA5505-U-AIP5P-K9) too. This IPS module greatly enhance firewall protection by blocking threats and network attacks, including worms, Trojans, viruses, and attacks against operating system and application vulnerabilities, with up to 75 Mbps of IPS throughput.

P/S: if you think this comment is useful, please do rate them nicely :-) and select the option “this question is answered”.

Warm regards,
Ramraj Sivagnanam Sivajanam

samiam12345 · ‎08-16-2012

Just to add closure to the mathematical side of the question, x + y has to be <= 10 (Total VPN Peers), right?

Ramraj Sivagnanam Sivajanam · ‎08-16-2012

Yes bro. x + y has to be <= 10 (Total VPN Peers).

P/S: if you think this comment is useful, please do rate them nicely :-) and select the option “this question is answered”.

Warm regards,
Ramraj Sivagnanam Sivajanam

Wilson Gabriel Veliz Plua · ‎12-09-2013

Helo Ramraj

I have purchased a ASA 5512-X with this two items:

ASA-VPN-CLNT-K9 QTY 1
ASA-ANYCONN-CSD-K9 QTY 1

Can you explain me what is the funtion of each one (Documentation), when we are talking about Remote Access VPN and Site-to-Site VPN.

When I have to use each licence.

Regards

Wilson Veliz Plua

Ramraj Sivagnanam Sivajanam · ‎12-09-2013

Hi Bro

Remote Access VPN and Site-to-Site VPN are deployed for different reasons.

Site-to-Site VPN is used when you’ve an HQ in one country, and branch offices worldwide, for example. Hence, you’ll configure Site-to-Site VPN to interconnect all these branch offices worldwide with your HQ. In most cases, you’ll use either a Router or a Firewall for this purpose. This is to allow the private IP Addresses in each branch office to communicate with the private IP Addresses in HQ.

Note: As you know, private IP Addresses cannot traverse through the Internet cloud, unless it’s a public IP Addressing scheme.

Meanwhile, Remote Access VPN is used when you wanted to access LAN resources in your office e.g. File Server, Email Server, Application Server, from your home or hotel. In this example only, you’ll use a VPN client software to establish a VPN tunnel with your office’s VPN server e.g. Router, Firewall etc.

Those days, Cisco VPN client (ASA-VPN-CLNT-K9) was famous but now it’s EOL. For this reason, Cisco urges all to opt for Cisco Anyconnect (ASA-ANYCONN-CSD-K9) instead.

Conclusion: Cisco Anyconnect and Cisco VPN client are examples of VPN client software used only in Remote Access VPN deployment.

Warm regards,
Ramraj Sivagnanam Sivajanam