We were going to upgrade our old PIX 515e to an ASA 5510. We were hoping that the SSL VPN protocol is a bit more forgiving with flakey internet connections. Is this true?
On the Licensing for SSL VPN it's not 100% clear what I need.
Seems like there are a few flavors of Licensing.
AnyConnect (Essential and Premium (Shared and Not))
SSL VPN Licenses for AnyConnect Premium
I have 40 Users, they typically have 1-3 devices. All have laptops, some have SmartPhones, some have iPads.
We currently use IPSec and typically do not have more than 17 users connected at one time.
So my question is what Licenses do I need to make this happen? If I want to have the users have to have the AnyConnect Client installed, and I want them to be able to use their laptop or mobile device (though typically not at the same time) what would I need?
Say Typical load will be:
10 AnyConnect Windows 7 x64 Clients
5 iPad devices (Yes I know it's not officially supported till the release of 4.2 in November)
One of the attractive features of AnyConnect, in my opinion, is the auto-reconnect capability. It allows for the tunnel to re-establish without user intervention (ex. logging in again) in the event your network connection goes in and out. In these cases, yes, it's more resilient with suspect internet connections.
As for licensing, if you're simply providing client-based access and have no desire to present a clientless (webvpn) portal, then AnyConnect Essentials is next-to-nothing in terms of cost. This of course all depends on your requirements. If you require other advanced features such as endpoint assessment or clientless (as just mentioned), you will need to steer towards premium. Judging from your current usage and projected needs, you may do just fine with AnyConnect Essentials licensing and the AnyConnect Mobile licensing---again, all dependent upon your requirements. For more clarification, I have included links to the licensing and feature overviews for AC 2.5 below.
Thank you for the explanation of the Licensing. I think I have it Straight.
With the AnyConnect Essentials you DO NOT need the SSL VPN XX User Licenses. They are only for the AnyConnect Premium flavors?
I'm still not sure of the Mobile Licenses still.
AnyConnect Mobile and Cisco Secure Mobility. Seems like One of the Docs you linked to was referring more to Cisco Secure Mobility. I believe I need the AnyConnect Mobile License. Though am not sure if that is like the Essential License where I only need one on the ASA or if I need XX for the number of users, or YY for the number of Concurrent users.
I have implemented AnyConnect for several customers. In my experience it is more forgiving about flakey Internet connections.
While the ASA has no requirement for separate licensing for the IPSec client (you can run IPSec clients up to the limit of the box) there are requirements for licensing when you use AnyConnect or clientless SSL VPN. There are multiple options and understanding them can be confusing. As noted in the other response the AnyConnect Essentials license gives you the ability to run the AnyConnect client but does not give access to some of the functionality available in conjunction with AnyConnect such as Cisco Secure Desktop, End Point analysis, etc. From your description of your requirements I believe that the AnyConnect Essentials would be adequate for you (and much more economical). The AnyConnect Essentials license is one license for the box. If you want the other functionality then you need the premium license and that licenses per active user.
The AnyConnect Mobile license is for touch screen handheld devices. If you need to support them running AnyConnect to the ASA then you need the Mobile license. The Mobile license is one for the box (not per user).