cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
824
Views
10
Helpful
4
Replies

ASA 5510 Anyconnect Licensing with Cisco IP phone using Anyconnect VPN

leoruben2308
Beginner
Beginner

Hi, hoping anyone can shed some light on this I am just getting more confused the more I try to work it out. Not sure if this goes in the IP Telehpony section or here..

We have an ASA 5510 with the base license. We are needing to install IP Phones at remote workers homes, and I understand there are Cisco IP phones which have VPN clients built in to allow a tunnel to the central private network. IT appears that you can only use Anyconnect VPN for this, ans I am trying to work out what licencing upgrade we need to apply to the ASA, as the two Anyconnect licenses you get free on the ASA is not enough.

This is the phone we are looking to get;

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps10499/ps11005/data_sheet_c78-603725.html

What I want to know is will the Anyconnect Essentials license work with these IP phones?

When I do a show version,

Licensed features for this platform:

Maximum Physical Interfaces  : Unlimited

Maximum VLANs                : 50      

Inside Hosts                 : Unlimited

Failover                     : Disabled

VPN-DES                      : Enabled 

VPN-3DES-AES                 : Enabled 

Security Contexts            : 0       

GTP/GPRS                     : Disabled

SSL VPN Peers                : 2       

Total VPN Peers              : 250     

Shared License               : Disabled

AnyConnect for Mobile        : Disabled

AnyConnect for Linksys phone : Disabled

AnyConnect Essentials        : Disabled

Advanced Endpoint Assessment : Disabled

UC Phone Proxy Sessions      : 2       

Total UC Proxy Sessions      : 2       

Botnet Traffic Filter        : Disabled

This platform has a Base license.

It shows "AnyConnect for Linksys phone : Disabled", is this the same for Cisco IP Phones? Is this the specific licensing type I should be looking to get for Anyconnect on IP phones or will Essentials do?

1 Accepted Solution

Accepted Solutions

Herbert Baerten
Cisco Employee
Cisco Employee

Hi Leo,

you will need 2 licenses: an Anyconnect Premium license as well as an "Anyconnect for Cisco VPN Phone" license.

In ASA 8.2 and earlier the "for Cisco VPN Phone" license was named "for Linksys phone" so that is the same.

cfr. http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html#wp1487574

hth

Herbert

View solution in original post

4 Replies 4

Herbert Baerten
Cisco Employee
Cisco Employee

Hi Leo,

you will need 2 licenses: an Anyconnect Premium license as well as an "Anyconnect for Cisco VPN Phone" license.

In ASA 8.2 and earlier the "for Cisco VPN Phone" license was named "for Linksys phone" so that is the same.

cfr. http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html#wp1487574

hth

Herbert

product codes are:

L-ASA-SSL-xxxx

L-ASA-AC-PH-55xx

hth

Herbert

Hi Herbert,

Thanks! Currently I have users conecting to IPSec remote access VPN, which there are 250 seats available for. If I were to install L-ASA-SSL-10. which would give me 10 premium anyconnect licenses, would this have any effect on the seats I have available for IPSec VPN ? Will the users connecting via that still be able to or would they have to use the premium licensing? What Im saying is can you have normal IPsec VPN users/seats running at the same time as anyconnect premium users/seats? Or would I have 240 IPSec seats avaiable and 10 anyconnect premium?


Hi Leo,

technically, the ipsec users will not use up any premium license seats, so if you have 10 ipsec users connecting first, the premium seats are still free and so you can then still have 10 phones/anyconnect users connect.

However, the 250 you mention is the global platform limit, so it refers to the sum of premium and non-premium connections. Or in other words, you can have 240 ipsec users and 10 phones,  but not 250 ipsec users and 10 phones.

If 250 ipsec users and 10 phones would try to connect, it would be first-in, first-served, e.g. you could have 248 ipsec users and 2 phones connected.

Note: since you have Essentials disabled I'm assuming you are referring to the legacy "Cisco vpnclient" (IKEv1 client) which does not require any license on the ASA. But for the benefit of others reading this thread: if  you do have Anyconnect clients (using SSL or IPsec/IKEv2) for which you currently have an Essentials license, then note that the Essentials and Premium license cannot co-exist. So for e.g. 240 Anyconnect users and no phones, you can use Essentials. For 240 Anyconnect users and 10 phones, you need a 250-seat Premium license (and a vpn phone license).

hth

Herbert

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers