Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA 5540 for VPN

Hi Everyone,

I need to setup a VPN solution for 3000 clients . As per my understanding ASA 5540 can support out of box 5000 VPN clients.

I know for SSL VPN cisco requires seperate lisence. My question is with ASA 5540 and install AnyConnect VPN client for 3000 users.

What is the difference in performance connecting from SSL or VPN client? My understang is using VPN client will save money.

What is the solution to Create different groups of users for access to different VLANs on DMZs. Do I need to have ACS server for that or its something that can be configured on ASA 5540.We use 2003 Active Directory.

The same ASA will also be having Site to Site VPN from 34 remote office locations.

I need your expert opinion on it. I also want to have an IPS SSM-20 to monitor the VPN traffic. I want to have CS-MARS 55 placed in for protection.

I need a complete solutions.

Much appreciated.


Community Member

Re: ASA 5540 for VPN

Hi Andrew,

Thank you for your reply. I have looked at this information. I also have the Cisco product guide .

As far as the performance is concerned between SSL VPN and AnyConnect VPN client. Which one is better ? We will be having 3000 VPN users connecting.My understanding is AnyConnect VPN client comes free for 5000 users.

We also want to give different level of access to different groups for users on seperate VLANs (DMZ). How can I achive this task on ASA 5540 . Do I need an ACS server for that,we use Windows Server 2003 Active Directory.

The IPS SSM-20 can fit into the ASA5540, can it monitor all the DMZ on the ASA?

If I need to place IPS and MARS55 what will be the best practise to place them on the network. As per my understanding MARS need to be on the Out of Band network. Then how can we make IPS talk to MARS on the Cisco ASA5540.

Please advise.

Thank you for your help.


Community Member

Re: ASA 5540 for VPN

Hi Andrew,

Thanks for all the links. They are very helpful. For the VPN users when they connect through the VPN Client. I want to have :

1. Health Validation (Antivirus,Software Updated,VNC) software check done. If the user fails to meet the requirements he is not allowed to access. If he does he is connected by checking of his group membership in the Active Directory .

2. After the Notebook Health Validation check, the user ID and password information is checked in the AD. According to his group membership (Management or Admins) Management user is given access to VLAN1,VLAN2,VLAN3. If the user is Admin given acess is VLAN1(DMZ1) only.

I want to achive this without using NAC. I know Server 2008 has NAP and Health Validation check. Has some one used Server 2008 NAP feature with a Cisco ASA 5540 .

Please advise and thanks again for the helpful links.


Re: ASA 5540 for VPN

I have no experiance of NAP - perhaps another NetPro will be able to assist.

Community Member

Re: ASA 5540 for VPN

Also, be aware that there is no IPSec client for a 64-bit OS.

If you're connecting 3000 clients, I'd recommend using two ASAs in Load Balance mode, this gives you the advantage of pulling an ASA offline for patching/code upgrades without dropping your users. Simply pull one ASA out of the load balance group, wait for the sessions to die off and then put it back in LB once you're done. Rinse & Repeat for the other.

CreatePlease to create content