Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3635
Views
0
Helpful
10
Replies

Pricing and Hardware/Software Requirements for Cisco AnyConnect VPN?

jselph17
Level 1
Level 1

‎05-03-2021 06:14 AM

Hello,

I work with the United States Air Force. My team has been responsible for standing up a new network and I've been tasked with collecting pricing and hardware/software requirements for a VPN. We're interested in using Cisco's AnyConnect VPN service, but I'm not sure what the requirements for this VPN are. Can someone help me nail down exactly what hardware my organization needs to support this VPN as well as the software and pricing for 200 users to start with?

 

I apologize if this isn't the right place to ask for this information, but I called Cisco and they told me the Cisco Community was a good place.

 

Thank you,

Jacob

0 Helpful
10 Replies 10

Rob Ingram
VIP
VIP

‎05-03-2021 06:27 AM

Hi @jselph17 

You currently have different options, you can run physical hardware or virtual image. Either can run ASA or FTD software.

The ASA can be managed locally using CLI/ASDM or via the cloud using CDO.

The FTD can be managed locally using FDM, centrally (on premise) using FMC or cloud using CDO.

 

The FPR1140 hardware supports a maximum of 400 VPN peers, so that might fit your requirements.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

 

Select your management option, local management via ASDM/FDM is included in the cost, FMC or CDO is not.

 

You'll also need to purchase AnyConnect licenses, Apex, Plus or VPN only. The minimum quantity is 25.

 

AnyConnect licensing

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

 

Firepower licensing

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/licensing_the_firepower_system.html

 

Your Cisco partner can provide the cost, if you tell them that hardware, management requirement and the quantity of AnyConnect licenses (depending on the features required).

0 Helpful

jselph17
Level 1
Level 1
In response to Rob Ingram

‎05-03-2021 06:51 AM

Thank you for this information. So, is an ASA the only hardware I would need to setup the VPN? Also, 200 users is a start, but in the coming years there is potential for my entire organization (up to 2000 users) to be making use of this VPN so I would need more than what the FPR1140 has to offer.

 

Can you recommend me a specific piece of hardware to support up to 2000 users to be managed locally and the licensing requirements for that?

 

Thank you!

0 Helpful

rschlayer
Level 4
Level 4
In response to jselph17

‎05-03-2021 07:11 AM

Hello @jselph17 

the firepower 2120 supports up to 3500 VPN sessions. If you need VPN features only you could use the ASA code on it.

For basic VPN features you need AnyConnect Plus licenses based on concurrent users.

https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html#3Licenses

BR
Rick

0 Helpful

jselph17
Level 1
Level 1
In response to rschlayer

‎05-03-2021 07:23 AM

What do you mean by "use the ASA code on it"?

0 Helpful

Rob Ingram
VIP
VIP
In response to jselph17

‎05-03-2021 07:27 AM

@jselph17 

You can run either ASA or FTD code (software) on the hardware. The FTD software features the latest NGFW features, the ASA does not, it supports the traditional ASA features. It currently has a few more VPN features that the FTD software does not. You can select which software you want install when you purchase the hardware or you could reimage later.

0 Helpful

Rob Ingram
VIP
VIP
In response to jselph17

‎05-03-2021 07:11 AM

FPR (firepower) hardware not the ASA hardware, ASA hardware is mostly EOL. FPR hardware is the newer hardware.

 

If you want to support up to 2000 users, then you'll need the FPR-2120 hardware minimum. This information can be found in the following datasheet. https://www.cisco.com/c/en/us/products/collateral/security/firepower-2100-series/datasheet-c78-742473.html

 

Buy the hardware and you'll get the base license. As already mentioned you'll need the AnyConnect Plus, Apex or VPN only license, to active Remote Access VPN. Check the link for the features supported by the licenses and select according to your requirements. https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

 

 

 

0 Helpful

jselph17
Level 1
Level 1
In response to Rob Ingram

‎05-03-2021 07:42 AM

So, just to clarify, the FPR-2120 would be hosting the Cisco VPN service (i.e., the FPR-2120 comes with this VPN already installed). Then, I would have to buy a license for each instance of Cisco AnyConnect Secure Mobility Client that would be installed on each workstation wishing to use the VPN. Is this accurate?

 

0 Helpful

Rob Ingram
VIP
VIP
In response to jselph17

‎05-03-2021 07:46 AM

Yes, the hardware comes with the software installed, you will need to license it and configure it for Remote Access VPN.

Yes, the AnyConnect client will need installing on each computer wishing to access the VPN.

0 Helpful

jselph17
Level 1
Level 1
In response to Rob Ingram

‎05-03-2021 11:22 AM

Oh, I forgot to ask something. Do this VPN support CAC authentication?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents