SSL VPN Licensing on ASA

Unanswered Question
Jan 21st, 2009

Hi All,


In order to use SSL VPN (client based) on an ASA5510, what is the licensing requirement? From the 'sh ver' below, can we tell how many SSL VPN clients the ASA supports?


********************************

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: Ethernet0/0 : address is 000f.f775.944a, irq 9

1: Ext: Ethernet0/1 : address is 000f.f775.944b, irq 9

2: Ext: Ethernet0/2 : address is 000f.f775.944c, irq 9

3: Ext: Ethernet0/3 : address is 000f.f775.944d, irq 9

4: Ext: Management0/0 : address is 000f.f775.944e, irq 11

5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11

6: Int: Not licensed : irq 5

7: Ext: GigabitEthernet1/0 : address is 0014.6a21.ca0e, irq 255

8: Ext: GigabitEthernet1/1 : address is 0014.6a21.ca0f, irq 255

9: Ext: GigabitEthernet1/2 : address is 0014.6a21.ca10, irq 255

10: Ext: GigabitEthernet1/3 : address is 0014.6a21.ca11, irq 255

11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255


Licensed features for this platform:

Maximum Physical Interfaces : Unlimited

Maximum VLANs : 25

Inside Hosts : Unlimited

Failover : Active/Standby

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : 250

WebVPN Peers : 2


This platform has an ASA 5510 Security Plus license.

********************************


Thank you

MS



JORGE RODRIGUEZ Wed, 01/21/2009 - 11:31

All ASAs come with two free SSL WebVPN peers (seen as WebVPN Peers : 2).


The ASA5510 supports up to 250 SSL VPN user sessions.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html



You can buy the SSL license in blocks of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000, depending on your ASA5500 platform.



If you have a failover ASA, you also need to buy the same quantity of SSL licenses for the standby unit.


Regards
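
The answer above reads the session limit from the `WebVPN Peers` line and says a standby unit needs the same quantity of SSL licenses. As an added example (not part of the thread and not Cisco tooling), this Python script parses the "Licensed features" block of `sh ver` and flags differing session limits between two units; the second unit's output and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the "Licensed features" block from the `sh ver` output
# in the question (double-spacing removed).
QUESTION_UNIT = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Failover : Active/Standby
VPN-3DES-AES : Enabled
VPN Peers : 250
WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.
"""
# Hypothetical failover peer that has had a 25-session SSL license applied.
UPGRADED_UNIT = QUESTION_UNIT.replace("WebVPN Peers : 2", "WebVPN Peers : 25")

def parse_licensed_features(show_version):
    """Return {feature: value} from the 'Licensed features' block."""
    features, in_block = {}, False
    for line in map(str.strip, show_version.splitlines()):
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block and line.startswith("This platform has"):
            break
        elif in_block and (m := re.match(r"(.+?)\s*:\s*(.+)$", line)):
            features[m.group(1)] = m.group(2)
    return features

def ssl_vpn_sessions(features):
    """Licensed SSL VPN sessions, or None if the line is missing."""
    value = features.get("WebVPN Peers", "")
    return int(value) if value.isdigit() else None

def failover_mismatch(active, standby, keys=("VPN Peers", "WebVPN Peers")):
    """Session limits that differ between the two units of a failover pair."""
    return {k: (active.get(k), standby.get(k))
            for k in keys if active.get(k) != standby.get(k)}

if __name__ == "__main__":
    a = parse_licensed_features(UPGRADED_UNIT)
    s = parse_licensed_features(QUESTION_UNIT)
    print("SSL VPN sessions on question unit:", ssl_vpn_sessions(s))
    print("Failover pair mismatch:", failover_mismatch(a, s))
```
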

mvsheik123 Wed, 01/21/2009 - 12:29

Thank you Jorge. Also, another quick question: does the SSL VPN config support a backup SSL VPN server? (The question may not make much sense though :-)) Or do the users have to be aware of the backup server URL or IP to connect to the secondary server in case the primary server is not available?


Thank you

MS

JORGE RODRIGUEZ Wed, 01/21/2009 - 13:24

MS, when you say support for a backup SSL VPN server, are you referring to using active/standby ASAs? If so, I would say SSL clients would have to reconnect; this is an educated guess. Please let me know if I have misunderstood your question.


Stateful information

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef


Regards


mvsheik123 Wed, 01/21/2009 - 13:39

No Jorge, I understand SSL VPN supports Active/Standby. But let's say I have 2 SSL VPN servers at 2 different physical locations for DR purposes. In case the primary https://server1 is unreachable, is there any way the user automatically gets redirected to the 2nd server (still typing http://server1) to connect to the network? Or does this need dynamic DNS? I am asking this because, using VPN client s/w on laptops, we can define the backup server, so the s/w is aware to go to the 2nd server without user intervention. Just wondering whether something like that is available in SSL VPN as well.


Thank you

MS

JORGE RODRIGUEZ Wed, 01/21/2009 - 14:20

MS, I see your point. That would most likely be implemented with some sort of dynamic DNS, as you indicated. As far as I know, the ASA being your SSL server does not have that dynamic function.


In your scenario you will have two different ISPs' IP blocks at different locations. There is an interesting article I saved a while ago that talks about multiple address records associated with a single domain name, dynamic DNS.


Read BGP session down

http://www.spirit.com/Network/net0503.html



Regards

Jorge
