
Using 2901 router as a SSL VPN

Hi everyone!

Just wondering if anyone could give me a hand on this. I'm trying to use a Cisco 2901 to allow remote workers to have access to resources on the LAN using AnyConnect Secure Mobility Client. I've just read this doco

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110608-ssl-ios-00.html

But it seems that it doesn't support 2901 platforms. I quote:

 

SSL VPN or WebVPN technology is supported on these IOS router platforms:

  • 870, 1811, 1841, 2801, 2811, 2821, 2851

  • 3725, 3745, 3825, 3845, 7200, and 7301

Is that just because this article is old?

 

Before I spend money on the wrong licence I decided to give it a go (following the above article). So when I went to

"Configure > Security > VPN > SSL VPN > SSL VPN Manager" CCP says that I need the "(securityk9)" licence. I then followed the link "activate licence" and clicked on the tab "evaluation licences". But from there, there are two that look good to me:

  • securityk9 (the one that CCP says it needs)
  • SSL_VPN (the one that sounds reasonable as AnyConnect uses SSL VPN, right?)

Which one is the right licence? Can anyone shed some light please?

Also, is there any resource that explains better all the options and how to configure AnyConnect on an ISR2 router using CLI?

 

Thanks in advance

 

Alvaro

 

1 Accepted Solution

Poonam Garg
Level 3

Hello Alvaro,

Which version of IOS are you using?

Starting in Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on the Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A seat refers to the maximum number of sessions allowed at a time.

 

For further reference go through:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/12-4t/sec-conn-sslvpn-12-4t-book/sec-conn-sslvpn-ssl-vpn.html#GUID-240C4A2D-3B09-438A-8DD5-ED1E95A00AC9

 

"Please rate helpful posts"

Hi Poonam,

 

Thanks for taking the time to reply to my question. The version I'm running is this: c2900-universalk9-mz.SPA.151-4.M7.bin. And I've got these licences active:

 

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
uc            uck9          Permanent      uck9
data          None          None           None


But as per your post, it is not enough to have "securityk9"; I will need "seat licences". Can I first try that feature by enabling the trial mode of this feature:

StoreIndex: 4   Feature: SSL_VPN                           Version: 1.0
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
            Evaluation total period: 8  weeks 4  days
            Evaluation period left: 8  weeks 4  days
            Period used: 0  minute  0  second
        License Count: 0/0  (In-use/Violation)
        License Priority: None


Or is it simply not possible and I have to buy those seat licences?

 

Cheers Alvaro

Yes, you can enable the evaluation license to make sure it works as you need it.

But if you plan to do a little more with remote-access VPNs, also think about switching to an ASA. Not only can it be cheaper (if you need many simultaneous users), the ASA also has more features for remote-access VPNs and the graphical user interface is far better than the CCP.