09-15-2012 09:55 AM
We have a large site and have only allowed the use of IPSEC for all our branch to branch and user tunnels. We tried SSL years ago but it had limitations so we stopped deployment. We now need to start implementing user SSL VPNs and I have some basic ASA questions.
I have an unused ASA 5510 for testing that currently has code 8.3.2 on it, Security plus license, 100 SSL VPN Peers and 250 total VPN peers, 100 max vlans, 2 sec. contexts, active/active, 2 UC phone proxies and everything else is disabled. We do not intend on using a web based SSL connection anywhere (AnyConnect Essentials?) and will only use the full SSL VPN client which will be hand loaded on machines or downloaded from the ASA and loaded on the machine if possible. What I want to know is what version of current code can I install on my ASA without losing my existing 100 SSL VPN peers license and what AnyConnect clients would be supported? I saw mention of AnyConnect Premium but do not know its relationship. If I upgrade the ASA to newer releases or code versions does my SSL VPN peer license turn into an AnyConnect Premium license?
Any help to get started in the right direction would be appreciated. I know I can spend days trying to figure out Cisco licensing and pitfalls and still get burned in the end with the wrong license or feature. I basically want to know what I need to install full SSL VPN end user clients and what I should do with the ASA to provide this functionality with the current license / feature set it has. I also want to know what end user code should be used since it looks like AnyConnect Secure Mobile is the one even if I do not use all its security functions. Example - I may not be able to check for firewalls/malware programs etc. but we currently have a policy in place that does not allow Internet browsing or access when end users have VPN tunnel connections to our site. That restriction will still be maintained if it is possible with the SSL VPN connection too.
Thanks,
Paul
09-15-2012 11:10 AM
The client-based SSL VPN license will stay active on your box across upgrades to later ASA software. AnyConnect Essentials (which you already have) will work with the SSL VPN license feature.
You would upgrade to AnyConnect Premium only if you wished to add features such as clientless (purely browser-based) SSL VPN or other features such as Advanced Endpoint Assessment (AEA). AnyConnect Premium cannot coexist with AnyConnect Essentials on the same ASA so you cannot mix and match Premium and Essentials licenses.
Either the Essential or Premium distinction is primarily oriented to the ASA installation. The same AnyConnect Secure Mobility client software (version 3.1 is the latest for Windows and OS X and is quite a nice new release) is used in either case. Additional client functional plug-ins are things like AEA and the 802.1x NAC. Your ASA-based group policies such as no split tunneling etc. remain in effect.
If you intend to allow mobile device clients (iPhone, iPad, and Android (very limited support for the latter BTW)) to access your VPN, you will need to add the AnyConnect mobile license on the ASA and install the client from the respective app store. Note that Windows Phone and Blackberry are not supported as AnyConnect clients.
09-15-2012 06:56 PM
Thanks,
I think you supplied the info I was looking for. I intend on using a different vendor product or even possibly another ASA for Androids, web phones, iPads etc.