
SSL VPN Licensing on ASA

mvsheik123
Level 7

Hi All,

In order to use SSL VPN (client based) on an ASA5510, what is the licensing requirement? From the below 'sh ver', can we tell how many SSL VPN clients the ASA supports?

********************************
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 000f.f775.944a, irq 9
1: Ext: Ethernet0/1 : address is 000f.f775.944b, irq 9
2: Ext: Ethernet0/2 : address is 000f.f775.944c, irq 9
3: Ext: Ethernet0/3 : address is 000f.f775.944d, irq 9
4: Ext: Management0/0 : address is 000f.f775.944e, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not licensed : irq 5
7: Ext: GigabitEthernet1/0 : address is 0014.6a21.ca0e, irq 255
8: Ext: GigabitEthernet1/1 : address is 0014.6a21.ca0f, irq 255
9: Ext: GigabitEthernet1/2 : address is 0014.6a21.ca10, irq 255
10: Ext: GigabitEthernet1/3 : address is 0014.6a21.ca11, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2

This platform has an ASA 5510 Security Plus license.
********************************

Thank you

MS

5 Replies

JORGE RODRIGUEZ
Level 10

All ASAs come with two free SSL WebVPN peers (seen as WebVPN Peers : 2).

The ASA5510 supports up to 250 SSL VPN user sessions.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

You can buy the SSL license in blocks of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000, depending on your ASA5500 platform.

If you have a failover ASA, you also need to buy the same quantity of SSL licenses for the standby unit.

Regards

Jorge Rodriguez
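
An added example, not part of the original thread: a Python sketch that reads the "Licensed features" block of `sh ver` output and reports the SSL VPN licensing points made in the answer above. The function names, the finding messages and the trimmed sample text are constructed for illustration; the default of 2 peers and the matching-standby rule are taken from that answer.

```python
import re

# Constructed sample, trimmed to the layout of the 'sh ver' output in the question.
SAMPLE = """\
6: Int: Not licensed : irq 5
Licensed features for this platform:
Maximum VLANs : 25
Failover : Active/Standby
VPN-3DES-AES : Enabled
VPN Peers : 250
WebVPN Peers : 2
This platform has an ASA 5510 Security Plus license.
"""

DEFAULT_WEBVPN_PEERS = 2  # assumption taken from the answer above: two free peers

def parse_licensed_features(show_version):
    """Return {feature: value} for the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in map(str.strip, show_version.splitlines()):
        if line.startswith("Licensed features for this platform"):
            in_block = True
        elif in_block and line.startswith("This platform has"):
            m = re.match(r"This platform has an? (.+) license", line)
            features["license"] = m.group(1) if m else line
            break
        elif in_block and ":" in line:
            # Interface lines also contain ':' but sit before the block.
            name, _, value = (part.strip() for part in line.partition(":"))
            features[name] = int(value) if value.isdigit() else value
    return features

def audit_ssl_vpn(primary, standby=None):
    """Hypothetical check: list SSL VPN licensing findings for one unit or a pair."""
    findings = []
    peers = primary.get("WebVPN Peers")
    if not isinstance(peers, int):
        findings.append("WebVPN Peers not reported")
    elif peers <= DEFAULT_WEBVPN_PEERS:
        findings.append(f"only the {peers} default SSL VPN sessions are licensed")
    # The answer above states the standby unit needs the same SSL license quantity.
    if standby is not None and standby.get("WebVPN Peers") != peers:
        findings.append("standby SSL VPN license count differs from primary")
    return findings

if __name__ == "__main__":
    print(audit_ssl_vpn(parse_licensed_features(SAMPLE)))
```
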

Thank you Jorge. Also, another quick question: do SSL VPN configs support a backup SSL VPN server? (The question may not make much sense though :-)) Or do the users have to be aware of the backup server URL or IP to connect to the secondary server in case the primary server is not available?

Thank you

MS

MS, when you say support backup SSL VPN server, are you referring to using active/standby ASAs? If so, I would say SSL clients would have to reconnect; this is an educated guess. Please let me know if I have misunderstood your question.

Stateful information

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#statef

Regards

Jorge Rodriguez

No Jorge, I understand SSL VPN supports Active/Standby. But let's say I have 2 SSL VPN servers at 2 different physical locations for DR purposes. In case the primary https://server1 is unreachable, is there any way the user automatically gets redirected to the 2nd server (still typing http://server1) to connect to the network? Or does this need dynamic DNS? I am asking this because, using VPN client software on laptops, we can define the backup server, so the software is aware to go to the 2nd server without user intervention. Just wondering if something of that kind is available in SSL VPN as well.

Thank you

MS

MS, I see your point. That would most likely be implemented with some sort of dynamic DNS, as you indicated. As far as I know, the ASA being your SSL server does not have that dynamic function.

In your scenario you will have two different ISPs' IP blocks at different locations. There is an interesting article I saved a while ago that talks about multiple address records associated with a single domain name, dynamic DNS.

Read BGP session down

http://www.spirit.com/Network/net0503.html

Regards

Jorge

Jorge Rodriguez