Remote Log in Questions

toddyboman
Level 1

Here is what I want to do:

Have certain staff log into our network from remote locations (home, on the road, hotel, etc.) and use documents on the server just as they would if they were in an office on our network.

Currently I have a 5510 in my main office, where the server is.

Then 4 other offices have 5505s; they all VPN to use the server.

So where can I find some documentation on how to accomplish this?

What software would I need?

Any info would be awesome! 

Thanks!


Hello

Basically you are looking for 2 solutions

1. A remote access VPN on your ASA 5510 - use the AnyConnect VPN solution; for that you need to have an AnyConnect license on your ASA.

2. Site-to-site VPN from the other branch offices to your 5510 - check the version of your 5510 and see how many VPN tunnels it supports.

Regards

Don't forget to rate helpful posts!

Harish.

Thanks for the Reply.

Solution:

1)  This sounds like what I want to do.  How would I see or figure out on my ASA if I have anyconnect license?

2)  I currently am doing site to site VPNs with my other offices.  And it works perfectly!  I currently have 4 VPN tunnels.  Again how would I see how many it supports?

Thanks again for your help!

Hi there,

1)  This sounds like what I want to do.  How would I see or figure out on my ASA if I have anyconnect license?

Issue the following command on your FW: "show version". This will display the licensing information.

In addition, issue the "show vpn-session-db summary", so it shows how many AnyConnect sessions can be established at the same time.

Feel free to attach the output, I will check it for you.

2)  I currently am doing site to site VPNs with my other offices.  And it works perfectly!  I currently have 4 VPN tunnels.  Again how would I see how many it supports?

Please attach the "show version".

Keep me posted.

Portu.

Please rate any helpful posts

I will do this and let you know!
Thank you!

Sounds good to me.

Keep us posted.

How is this?

Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.0(5)
Device Manager Version 6.3(1)

Compiled on Mon 02-Nov-09 21:22 by builders
System image file is "disk0:/asa805-k8.bin"
Config file at boot was "startup-config"

***** up 26 days 4 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0         : address is c84c.7561.6dd0, irq 9
1: Ext: Ethernet0/1         : address is c84c.7561.6dd1, irq 9
2: Ext: Ethernet0/2         : address is c84c.7561.6dd2, irq 9
3: Ext: Ethernet0/3         : address is c84c.7561.6dd3, irq 9
4: Ext: Management0/0       : address is c84c.7561.6dd4, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 250      
WebVPN Peers                 : 2        
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2       

This platform has an ASA 5510 Security Plus license.

Serial Number: **************
Running Activation Key: ****************
Configuration register is 0x1

Hello,

Your ASA supports 250 VPN peers, and there is no AnyConnect license. Now, in order for you to permit remote access clients, you have the below options:

1. Create normal Easy VPN - You do not need an extra license, but clients connecting to it need to have Cisco Easy VPN client software installed on their laptops.

2. Configure AnyConnect VPN - This is a more flexible way of doing remote access VPN, as client devices don't require software, but you need to purchase an AnyConnect license for your ASA 5510.

Let me know if you have any further questions.

Regards

Harish.

Please rate all helpful posts!

Thanks for your quick response.

Let's walk through the license output:

VPN Peers      : 250   

This is for IPsec sessions, not for SSL. The ASA can handle up to 250 IPsec sessions, including IPsec L2L and Remote Access connections.

WebVPN Peers      : 2

This is for SSL connections. By default, the ASA allows a maximum of two simultaneous SSL connections (either AnyConnect or WebVPN).

Recommendations:

1- Consider an upgrade to ASA 8.2.5, since it introduces some new licenses, like AnyConnect Essentials.

AnyConnect Essentials FAQ

Licensing Information

2- You have up to 250 IPsec users, so you could consider the IPsec Remote Access VPN client, but this software is legacy now, so the AnyConnect client would be the best option in terms of support.

3- Another option is Easy VPN, so you could have the ASA 5505 connect to the main office, but if they become Easy VPN clients, no other tunnels would be able to come up.

Configuring Easy VPN on the ASA 5505

Final suggestion:

Build a HUB-TO-SPOKE VPN scenario with L2L tunnels, so you create L2L tunnels between each spoke and the HUB, you already have the software and the hardware for this, no need for more memory or extra licensing.

LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example

Keep me posted.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez

To add more SSL sessions consider:

AnyConnect Essentials

AnyConnect Premium SSL VPN (sessions)

http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp190732
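The license walk-through above, as an added example that is not part of the original posts: a small Python parser for the "Licensed features" block of "show version" that separates the IPsec peer limit from the SSL session limit. It uses an excerpt of the output posted in this thread and the 4 existing L2L tunnels mentioned earlier; the function names are hypothetical.

```python
import re

# Excerpt of the "Licensed features" block posted earlier in this thread.
SHOW_VERSION = """\
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Failover                     : Active/Active
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled

This platform has an ASA 5510 Security Plus license.
"""

def parse_licensed_features(text):
    """Return {feature: value} for the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        match = re.match(r"^(.+?)\s*:\s*(\S.*?)\s*$", line)
        if not match:
            if features:      # first non "name : value" line ends the block
                break
            continue
        features[match.group(1)] = match.group(2)
    return features

def _count(value):
    """Numeric limit, or None for values such as 'Unlimited' or a missing key."""
    return int(value) if value and value.isdigit() else None

def vpn_capacity(features, l2l_tunnels=0):
    """Split capacity the way the post does: 'VPN Peers' is the IPsec limit
    (L2L and remote access share it); 'WebVPN Peers' is the SSL limit
    (AnyConnect and WebVPN share it)."""
    ipsec = _count(features.get("VPN Peers"))
    return {
        "ipsec_total": ipsec,
        "ipsec_remaining": None if ipsec is None else ipsec - l2l_tunnels,
        "ssl_sessions": _count(features.get("WebVPN Peers")),
    }

if __name__ == "__main__":
    # 4 L2L tunnels is the count the original poster reports.
    print(vpn_capacity(parse_licensed_features(SHOW_VERSION), l2l_tunnels=4))
```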

Looks like I have some reading and a decision or two to make.....

However a couple more questions:

1) Upgrading my ASA to 8.2.5 - this scares me, as currently everything is working good. So "if it's not broke, don't fix it" comes to mind. By upgrading, will I have to re-configure my ASA or will it keep all the current configurations?

2)  While driving back to my office today I was thinking about the paperwork and whatnot I received when I ordered the ASA, and I thought I remembered something about licenses.  I have found that paper and it says:

ASA5500-SSL-25 = / ASA 5500 SSL VPN 25 Premium User License

Serial Number - ********************

A CD was included with this package and letter too.

So does this change any of the above suggestions about how I can have remote users log into the network?

Thanks again for the help!

Well, an upgrade to 8.2.5 is not going to change your configuration at all. I just mentioned it as a piece of advice.

On the other hand, the fact that you have a 25 AnyConnect Premium license, means that you can have up to 25 simultaneous SSL connections (AnyConnect + WebVPN).

However, since you are connecting multiple remote offices (fixed locations) I think the L2L tunnel is the best option.

You could still use the AnyConnect license in order to connect users in the field or people who are constantly moving or connecting from home for instance.

Thanks.

Javier Portuguez wrote:

Well, an upgrade to 8.2.5 is not going to change your configuration at all. I just mentioned it as a piece of advice.

Sounds like a good weekend project.  I know it needs to be done and I am just a bit fearful of the network going down.

Javier Portuguez wrote:

On the other hand, the fact that you have a 25 AnyConnect Premium license, means that you can have up to 25 simultaneous SSL connections (AnyConnect + WebVPN).

I know I have the CD but would the software be on that CD?  And the anyconnect software needs to be installed on each Laptop that would be used for remote access.

Javier Portuguez wrote:

However, since you are connecting multiple remote offices (fixed locations) I think the L2L tunnel is the best option.

I currently do this with my branch offices.  Example: main office is in City1.  Branch offices are in City2, City3 and City4.  City2, City3 and City4 VPN with an L2L tunnel to City1 to access the server and documents.  I have this set up with the ASA 5510 and 5505s.

Javier Portuguez wrote:

You could still use the AnyConnect license in order to connect users in the field or people who are constantly moving or connecting from home for instance.

Thanks.

To do this I should look at your LINK above in Recommendation 1????

THANK YOU for all your help and info!!

I know I have the CD but would the software be on that CD?  And the anyconnect software needs to be installed on each Laptop that would be used for remote access.

AnyConnect SSL VPN Client Web Deployment

* In case the CD does not have the image, you can download it here:

http://tools.cisco.com/squish/796BF

WEB DEPLOYMENT:

Web deployment package for Windows platforms.

anyconnect-win-3.1.00495-k9.pkg

Microsoft installer (open the ISO and look for the MSI file):

Full installation package on Windows platforms. This includes installation packages for DART, NAM, VPN, Telemetry, Hostscan, and WebSecurity components.

anyconnect-win-3.1.00495-pre-deploy-k9.iso

To do this I should look at your LINK above in Recommendation 1????

Introduction to the AnyConnect Secure Mobility Client

ASA 8.x : VPN Access with the AnyConnect VPN Client Using Self-Signed Certificate Configuration Example

Portu.

Please rate any helpful posts.
