I work with the United States Air Force. My team has been responsible for standing up a new network and I've been tasked with collecting pricing and hardware/software requirements for a VPN. We're interested in using Cisco's AnyConnect VPN service, but I'm not sure what the requirements for this VPN are. Can someone help me nail down exactly what hardware my organization needs to support this VPN as well as the software and pricing for 200 users to start with?
I apologize if this isn't the right place to ask for this information, but I called Cisco and they told me the Cisco Community was a good place.
You currently have different options: you can run physical hardware or a virtual image. Either can run ASA or FTD software.
The ASA can be managed locally using CLI/ASDM or via the cloud using CDO.
The FTD can be managed locally using FDM, centrally (on premise) using FMC or cloud using CDO.
The FPR1140 hardware supports a maximum of 400 VPN peers, so that might fit your requirements.
Select your management option; local management via ASDM/FDM is included in the cost, FMC or CDO is not.
You'll also need to purchase AnyConnect licenses, Apex, Plus or VPN only. The minimum quantity is 25.
Your Cisco partner can provide the cost if you tell them the hardware, the management requirement and the quantity of AnyConnect licenses (depending on the features required).
Thank you for this information. So, is an ASA the only hardware I would need to set up the VPN? Also, 200 users is a start, but in the coming years there is potential for my entire organization (up to 2000 users) to be making use of this VPN, so I would need more than what the FPR1140 has to offer.
Can you recommend a specific piece of hardware to support up to 2000 users, to be managed locally, and the licensing requirements for that?
The Firepower 2120 supports up to 3500 VPN sessions. If you need VPN features only, you could use the ASA code on it.
For basic VPN features you need AnyConnect Plus licenses based on concurrent users.
You can run either ASA or FTD code (software) on the hardware. The FTD software has the latest NGFW features; the ASA does not, it supports the traditional ASA features. It currently has a few more VPN features that the FTD software does not. You can select which software you want to install when you purchase the hardware, or you could reimage later.
FPR (Firepower) hardware, not the ASA hardware; ASA hardware is mostly EOL. FPR hardware is the newer hardware.
If you want to support up to 2000 users, then you'll need the FPR-2120 hardware at minimum. This information can be found in the following datasheet: https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html
Buy the hardware and you'll get the base license. As already mentioned, you'll need the AnyConnect Plus, Apex or VPN only license to activate Remote Access VPN. Check the link for the features supported by the licenses and select according to your requirements: https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html
So, just to clarify, the FPR-2120 would be hosting the Cisco VPN service (i.e., the FPR-2120 comes with this VPN already installed). Then, I would have to buy a license for each instance of Cisco AnyConnect Secure Mobility Client that would be installed on each workstation wishing to use the VPN. Is this accurate?