SSL License for FPR2130-ASA-K9

huypd
Level 1

Dear team, I have a question and need your help.

I have a Cisco FPR2130-ASA-K9 and license L-FPR2130T-TMC=. I want to ask you guys how many free SSL licenses are included in this firewall?

Is there documentation where I can find this out?

Thank you guys

Marvin Rhoads
Hall of Fame

The FPR2130-ASA-K9 part number indicates you are running ASA software image on the appliance.

The L-FPR2130T-TMC= part number is for 2130 appliance running Firepower Threat Defense (FTD) image. That part number doesn't give any remote access VPN licensing - only Threat (IPS), Malware (AMP) and Content (URL) Filtering licensing.

If you are running ASA image it includes the ability to support 2 remote access VPN clients (most commonly configured as SSL VPN but can support IPsec IKEv2 as well). However it does not include any right to download the required AnyConnect client software image. This is the case for any appliance running ASA image - no matter what platform.

If you are running FTD image you cannot even configure remote access VPN without AnyConnect Smart licensing first being active on the device.

Hi Mr Marvin Rhoads

Thank you for your answer.

So the FPR2130-ASA-K9 supports 2 remote access VPN clients (SSL VPN / IPsec IKEv2) by default (no need to buy a license)?
And do I need to buy AnyConnect Smart licensing to configure remote access VPN, or is it included by default in the FPR2130-ASA-K9 with license L-FPR2130T-TMC=?

Am I correct?

Thank you sir!

FPR2130-ASA-K9 with License L-FPR2130T-TMC=

No matter what headend you are using (one running ASA image or one running FTD image) you need AnyConnect licensing to be entitled to obtain the necessary software images for the clients. Those images must be present on the ASA or FTD device.

If you had the old ASA appliance they used to ship with an old AnyConnect 3.x image on them. Thus you could use that with the 2 allowed connections. New ASA appliances, including ASA image running on Firepower appliance do not include the AnyConnect software.

Repeating what I said earlier, license L-FPR2130T-TMC= is NOT for the FPR2130-ASA-K9.

Bottom line - you need licensing. Either purchased through the normal channels or (for now) you can take advantage of the offer from Cisco for free 90 day licensing as part of the COVID-19 response:

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215330-obtaining-an-emergency-covid-19-anyconne.html

Hi Sir, so does the FPR2130-NGFW-K9 have 02 free SSL-VPN sessions too?

No, the NGFW (i.e. FTD image) SKUs have zero free remote access VPN licenses.

As I noted earlier "If you are running FTD image you cannot even configure remote access VPN without AnyConnect Smart licensing first being active on the device."

Your Smart account must have AnyConnect licenses available and assigned to the device before you even begin configuring remote access VPN (using either SSL or IPsec IKEv2 as the transport).

Hi Sir, thank you for helping me. Please help me with one more question.

So it means AnyConnect Plus is enough? Or is AnyConnect Apex required?

AnyConnect Plus gives you all the basic remote access VPN features.

Apex adds compliance and remediation (posture checking capability - for use with ASA headend or ISE), clientless SSL VPN (for ASA only), Next Generation Encryption (Suite B), ASA multicontext-mode remote access and SAML Authentication. So order it if you require any of those features.

Full details can be found here:

http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf