Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5983
Views
20
Helpful
8
Replies

SSL VPN Licenses for the ASA 5525-X

Go to solution
Exonix
Level 1
Level 1

‎12-07-2017 05:36 AM - edited ‎03-12-2019 04:48 AM

Hello,

which kind of licenses I have to use if we are going to use SSL VPN with client on Windows\OS X workstations? We don't plan to use clientless access. We have 51 users now and in future the count of employees will be increased up to 100.

I have read that I need only buy the ASA-AC-E-5525 (Essentials) and I get 750 VPN users at once. If some users need the clientless access, then we have to buy desired count of SSL VPN Premium. Is it correct?

1 person had this problem
Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎12-07-2017 06:50 AM

The AnyConnect Essentials License is not available anymore. You need the AnyConnect Plus license for 100 Users which is typically sold as a subscription. Ask your preferred Cisco reseller for the SKU L-AC-PLS-LIC= with L-AC-PLS-5Y-S2 for 100 users. The "5Y" stands for a 5-year subscription, you could also use a 3 or 1-year subscription.

 

 

View solution in original post

Go to solution
GioGonza
Level 4
Level 4

‎12-07-2017 06:59 AM

Hello @Exonix

 

The previous scheme for licensing was Essentials and Premium but right now it is Apex or Plus, here is a link for reference. 

 

Now, when you talk about 750 VPN users at once is the amount of connections the ASA handles but doesn´t refer to the license per se. The information for the license is this link

 

Also in the first link you can verify how many connection the ASAs can handle. 

 

HTH

Gio

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Exonix

‎12-07-2017 07:42 AM - edited ‎12-07-2017 07:50 AM

Remote access VPN on the ASA can be SSL VPN (uses SSL/TLS for transport) or IPsec-based. 

 

IPsec-based can use the (very old now-discontinued, not supported on modern OS) Cisco VPN client with IKEv1 IPsec. That is not suitable for any new implementations.

 

OR it can use IPsec IKEv2 with AnyConnect client.

 

Either method can use AnyConnect Plus, Apex or VPN only license types. They can all support SSL VPN and either 3DES or AES encryption. Apex does add Suite B encryption support (elliptic curve algorithms and other such advanced cryptography features).

 

VPN only is a perpetual license (vs. 1, 3 or 5 year term) and requires a support contract if you need support. It usually ends up costing a bit more than the 5 year term but may make sense for certain use cases.

 

More details on all the Anyconnect licenses are found in the FAQ here:

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc5

View solution in original post

8 Replies 8

Go to solution
Karsten Iwen
VIP
VIP

‎12-07-2017 06:50 AM

The AnyConnect Essentials License is not available anymore. You need the AnyConnect Plus license for 100 Users which is typically sold as a subscription. Ask your preferred Cisco reseller for the SKU L-AC-PLS-LIC= with L-AC-PLS-5Y-S2 for 100 users. The "5Y" stands for a 5-year subscription, you could also use a 3 or 1-year subscription.

 

 

Go to solution
Exonix
Level 1
Level 1
In response to Karsten Iwen

‎12-07-2017 07:03 AM

Thank you Karsten for your quick answer.

What does mean "SKU L-AC-PLS-LIC="? I can't find any price for it.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Exonix

‎12-07-2017 07:15 AM

The SKU is the order code. To order the licenses, both codes are needed. The list price is $17.50 per user for five years.

 

Go to solution
GioGonza
Level 4
Level 4
In response to Exonix

‎12-07-2017 07:18 AM

Hello @Exonix,

 

In the second link I provided before you have the names for the specific licenses, now SKU means Stock Keeping Units, reference link.

 

Check the link and you should find the names for the licenses, FYI is without the SKU. 

 

HTH

Gio

0 Helpful

Go to solution
Exonix
Level 1
Level 1
In response to GioGonza

‎12-07-2017 07:26 AM

Thank you Gio for your answer with the links. Now it is much clear.

I have only two question.
- I have seen a license for VPN only - is it enough to use SSL VPN? Because I'm looking for VPN solution only.
- If I buy PLUS license only then I can use 3DES encryption only? And to use AES I have to buy APEX License?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Exonix

‎12-07-2017 07:39 AM

Both VPN-ONLY and APEX are quite expensive and not needed here. The used encryption is independent of the license (unless you need Suite B, NGE) and can be configured as you need it. AES is always possible if your ASA has the strong encryption-license "3DES/AES" in "show version".

 
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Exonix

‎12-07-2017 07:42 AM - edited ‎12-07-2017 07:50 AM

Remote access VPN on the ASA can be SSL VPN (uses SSL/TLS for transport) or IPsec-based. 

 

IPsec-based can use the (very old now-discontinued, not supported on modern OS) Cisco VPN client with IKEv1 IPsec. That is not suitable for any new implementations.

 

OR it can use IPsec IKEv2 with AnyConnect client.

 

Either method can use AnyConnect Plus, Apex or VPN only license types. They can all support SSL VPN and either 3DES or AES encryption. Apex does add Suite B encryption support (elliptic curve algorithms and other such advanced cryptography features).

 

VPN only is a perpetual license (vs. 1, 3 or 5 year term) and requires a support contract if you need support. It usually ends up costing a bit more than the 5 year term but may make sense for certain use cases.

 

More details on all the Anyconnect licenses are found in the FAQ here:

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc5

Go to solution
GioGonza
Level 4
Level 4

‎12-07-2017 06:59 AM

Hello @Exonix

 

The previous scheme for licensing was Essentials and Premium but right now it is Apex or Plus, here is a link for reference. 

 

Now, when you talk about 750 VPN users at once is the amount of connections the ASA handles but doesn´t refer to the license per se. The information for the license is this link

 

Also in the first link you can verify how many connection the ASAs can handle. 

 

HTH

Gio

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents