
AnyConnect License for SSL VPN (Client based)

itops
Level 1

Hi,

I have a pair of 5525x firewalls which I am thinking to configure and use for remote access VPN for mobile users. The firewalls are currently running site-to-site IPsec VPNs without any problem.

The type of remote users we have means that clientless SSL VPN won't work since they range from standard users all the way to 3rd-party developers. I am really confused with the licensing aspect and will appreciate it if anyone can help me out. What I want to know is if there is a need to purchase additional licenses to allow SSL VPN (client-based AnyConnect) users to dial in. I don't need fancy features for AnyConnect users, just an ability to dial in and use internal resources.

Licensing snapshot below:

Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(1)

Compiled on Sat 21-Mar-15 11:43 PDT by builders
System image file is "disk0:/asa941-smp-k8.bin"
Config file at boot was "startup-config"

COLO-FIREWALL up 135 days 23 hours
failover cluster up 1 year 9 days

Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4096 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0 : address is 64f6.9d79.e51b, irq 11
1: Ext: GigabitEthernet0/0 : address is 64f6.9d79.e520, irq 5
2: Ext: GigabitEthernet0/1 : address is 64f6.9d79.e51c, irq 5
3: Ext: GigabitEthernet0/2 : address is 64f6.9d79.e521, irq 10
4: Ext: GigabitEthernet0/3 : address is 64f6.9d79.e51d, irq 10
5: Ext: GigabitEthernet0/4 : address is 64f6.9d79.e522, irq 5
6: Ext: GigabitEthernet0/5 : address is 64f6.9d79.e51e, irq 5
7: Ext: GigabitEthernet0/6 : address is 64f6.9d79.e523, irq 10
8: Ext: GigabitEthernet0/7 : address is 64f6.9d79.e51f, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 64f6.9d79.e51b, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5525 VPN Premium license.


Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 200 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 4 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 4 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual

This platform has an ASA5525 VPN Premium license.

Serial Number: **********
Running Permanent Activation Key: 0x5b20d660 0xf4bf5ea8 0x0da3992c 0xe92418a4 0x8718c682
Configuration register is 0x1

Image type : Release
Key version : A

3 Replies

Francesco Molino
VIP Alumni

Hi

In order to activate AnyConnect SSL VPN connections, you will need to acquire AnyConnect Essentials licenses.

Below is a document that compares Essentials versus Premium licenses:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/feature/guide/anyconnect41features.html

However, for some months now there has been a new licensing guide:

http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Thanks for your reply. Still slightly confused about how licensing works. If I buy an AnyConnect Plus perpetual (50 or 100) license, would that give users access to the AnyConnect client? I assume yes, but then the PDF suggests that the Plus license is per application, which I don't understand. I want users to dial in using the AnyConnect client and once connected they should have access to all the networks which I have whitelisted on the policy.

Finally I want to know if licensing is based on concurrent number of users connected at any time or is it unique users logging in.

Many thanks,

Syed

Licenses are based on clients using AnyConnect features. It's a concurrent number of users.

It means that if you bought 2 licenses and 1 guy is doing SSL VPN and the other is doing posture (don't care about license level for this example), you will use 2 licenses.


Thanks
Francesco