Cisco Router Remote Access VPN License Requirement

telesymbol (Level 1)

Dear All,

We have a Cisco 4461 router with a security license and we need to configure remote access VPN on it. What additional license do we need, or is having the sec license enough? Please advise.

regards

8 Replies

@telesymbol securityk9 is the correct license; it includes all crypto features, including IPsec, SSL/SSH, Firewall, and Secure VPN. On the ISR router you would look to use an IKEv2/IPsec Remote Access VPN, which is referred to as FlexVPN.

A couple of guides here https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

Hi Rob,

Thanks for your swift response. So with the securityk9 license on the router, is there no limitation on the number of users accessing remote VPN? I'm asking this because we previously bought AnyConnect licenses for Firepowers based on the number of users.

regards

@telesymbol there will always be a limitation on the number of supported users on the hardware. The 4461 supports a maximum of around 4000 IPsec tunnels.

FYI, Remote Access VPN will always be better on a Firepower or ASA than on an IOS router, IMO.

The issue is that we have a Firepower 2130 with an AnyConnect license for 25 users, but our connection to the ISP uses a private WAN IP and we couldn't create logical interfaces to configure a public IP on the FTD. To overcome this we're planning to use our WAN router, which is a 4461 with the Sec license, for remote access VPN, and we want to be sure that at least 25 users can use remote access VPN without additional licenses.


@telesymbol well, the 4461 will easily support 25 VPN users. You may need the HSEC license if you require more than 85Mb of IPsec encrypted throughput: https://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html#pgfId-1145483

Why can you not use static PAT for udp/443 and tcp/443 on the WAN router to the firepower outside interface private IP?

There are some NATs configured on the FTD for DMZ services, and moving that NAT configuration onto the router may bring security issues; that's why we want to terminate Remote Access VPN on the router. Please advise on it.

@telesymbol if the WAN (outside) IP address of the FTD has a private IP address and you want to run Remote Access VPN on the FTD then you need to NAT udp/443 and tcp/443 on the 4431 to the IP address of the FTD. If you don't wish to do that, then run IKEv2/IPSec Remote Access VPN on the router.

There's no need for it to be port 443 on the WAN router:
you can use PAT 8443 ->> 443 to the FTD port,
then make the AnyConnect access use 8443 instead of 443. This prevents a service port conflict on the WAN router.

As @Rob Ingram mentioned, FPR is better for AnyConnect than the WAN router.
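As an added example (not from this thread, and not Cisco's own documentation), here is the static PAT approach from the last few replies written out as IOS-XE configuration for the WAN router. The interface names, the FTD outside address 10.10.10.2 and the public address 203.0.113.10 on GigabitEthernet0/0/0 are constructed placeholders; the first pair of `ip nat` statements is the plain tcp/udp 443 forward, and the commented alternative is the 8443 variant that keeps the router's own port 443 free.

```cisco
! --- Added example: static PAT from the WAN router to the FTD outside interface ---
! Assumed topology (placeholders, not from the thread):
!   GigabitEthernet0/0/0 = WAN, public IP 203.0.113.10
!   GigabitEthernet0/0/1 = LAN side facing the FTD outside interface 10.10.10.2

interface GigabitEthernet0/0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in

interface GigabitEthernet0/0/1
 description Link to FTD outside interface
 ip address 10.10.10.1 255.255.255.0
 ip nat inside

! Option A: forward tcp/443 (TLS) and udp/443 (DTLS) on the public address to the FTD.
! This collides with any service the router itself exposes on 443 of the WAN address
! (for example ip http secure-server), so either disable that or use option B.
ip nat inside source static tcp 10.10.10.2 443 interface GigabitEthernet0/0/0 443
ip nat inside source static udp 10.10.10.2 443 interface GigabitEthernet0/0/0 443

! Option B (use INSTEAD of option A): expose 8443 externally, translate to 443 on the FTD.
! Clients then connect to https://203.0.113.10:8443.
! ip nat inside source static tcp 10.10.10.2 443 interface GigabitEthernet0/0/0 8443
! ip nat inside source static udp 10.10.10.2 443 interface GigabitEthernet0/0/0 8443

! Only the forwarded VPN ports are allowed inbound to the FTD; existing WAN rules for
! other services must be added above the implicit deny or they will be dropped.
ip access-list extended WAN-IN
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443
 ! permit tcp any host 203.0.113.10 eq 8443   (option B)
 ! permit udp any host 203.0.113.10 eq 8443   (option B)
 permit tcp any any established
 deny   ip any any log

! Verification after a client connects:
!   show ip nat translations | include 443
!   show ip nat statistics
```

Two checks worth doing after applying this: confirm both a TCP (TLS) and a UDP (DTLS) translation appear in `show ip nat translations` for a connected client, since a missing UDP entry means DTLS is not reaching the FTD and sessions will fall back to TLS only; and, with option B, confirm the AnyConnect profile or the address users type includes the 8443 port, otherwise clients will hit the router's own port 443.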