05-03-2021 06:14 AM
Hello,
I work with the United States Air Force. My team has been responsible for standing up a new network and I've been tasked with collecting pricing and hardware/software requirements for a VPN. We're interested in using Cisco's AnyConnect VPN service, but I'm not sure what the requirements for this VPN are. Can someone help me nail down exactly what hardware my organization needs to support this VPN as well as the software and pricing for 200 users to start with?
I apologize if this isn't the right place to ask for this information, but I called Cisco and they told me the Cisco Community was a good place.
Thank you,
Jacob
05-03-2021 06:27 AM
Hi @jselph17
You currently have different options: you can run physical hardware or a virtual image. Either can run ASA or FTD software.
The ASA can be managed locally using CLI/ASDM or via the cloud using CDO.
The FTD can be managed locally using FDM, centrally (on premise) using FMC or cloud using CDO.
The FPR1140 hardware supports a maximum of 400 VPN peers, so that might fit your requirements.
Select your management option, local management via ASDM/FDM is included in the cost, FMC or CDO is not.
You'll also need to purchase AnyConnect licenses, Apex, Plus or VPN only. The minimum quantity is 25.
AnyConnect licensing
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html
Firepower licensing
Your Cisco partner can provide the cost, if you tell them that hardware, management requirement and the quantity of AnyConnect licenses (depending on the features required).
05-03-2021 06:51 AM
Thank you for this information. So, is an ASA the only hardware I would need to set up the VPN? Also, 200 users is a start, but in the coming years there is potential for my entire organization (up to 2000 users) to be making use of this VPN, so I would need more than what the FPR1140 has to offer.
Can you recommend me a specific piece of hardware to support up to 2000 users to be managed locally and the licensing requirements for that?
Thank you!
05-03-2021 07:11 AM
Hello @jselph17
The Firepower 2120 supports up to 3500 VPN sessions. If you need VPN features only, you could use the ASA code on it.
For basic VPN features you need AnyConnect Plus licenses based on concurrent users.
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html#3Licenses
BR
Rick
05-03-2021 07:23 AM
What do you mean by "use the ASA code on it"?
05-03-2021 07:27 AM
You can run either ASA or FTD code (software) on the hardware. The FTD software features the latest NGFW features; the ASA does not, it supports the traditional ASA features. It currently has a few more VPN features that the FTD software does not. You can select which software you want to install when you purchase the hardware, or you could reimage later.
05-03-2021 07:11 AM
FPR (Firepower) hardware, not the ASA hardware; ASA hardware is mostly EOL. FPR hardware is the newer hardware.
If you want to support up to 2000 users, then you'll need the FPR-2120 hardware minimum. This information can be found in the following datasheet. https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html
Buy the hardware and you'll get the base license. As already mentioned, you'll need the AnyConnect Plus, Apex or VPN only license to activate Remote Access VPN. Check the link for the features supported by the licenses and select according to your requirements. https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html
05-03-2021 07:42 AM
So, just to clarify, the FPR-2120 would be hosting the Cisco VPN service (i.e., the FPR-2120 comes with this VPN already installed). Then, I would have to buy a license for each instance of Cisco AnyConnect Secure Mobility Client that would be installed on each workstation wishing to use the VPN. Is this accurate?
05-03-2021 07:46 AM
Yes, the hardware comes with the software installed, you will need to license it and configure it for Remote Access VPN.
Yes, the AnyConnect client will need installing on each computer wishing to access the VPN.
05-03-2021 11:22 AM
Oh, I forgot to ask something. Does this VPN support CAC authentication?
05-03-2021 11:52 AM