Changing Setup - need ASA suggestions for site to site
Currently have a working WAN system that uses an ASA 5505 in my PA office that flows traffic to a WI office over an MPLS line.
Traffic flows from Fiber Internet in PA across the MPLS to corp headquarters and back just fine, however we now need to eliminate the MPLS and get a new fiber connection in WI.
I "think" what I want to set up is an ASA 5512 at the corporate headquarters on the new fiber line with a point to point VPN set up between the new 5512 and the 5505. I also think that I may need to move (install new) AnyConnect VPN connections on the new corporate ASA.
I am not positive as to which product number or additional licenses I would need to buy - What exactly comes with the 5512? If I get the Security Plus version, do I need to add anything else? With the 5505 I added the AnyConnect licenses, and upgraded to 50 users, but I'm pretty sure that is all I needed to add to that one.
Is it that easy? - Yes, I know that I have to set up all of my ACLs etc., but they should be, if not the same as on the 5505, at least similar.
OR - should I be looking at something other than the 5512?
You mention that with the ASA5505 you got a user amount based license for the AnyConnect VPN. If I am not mistaken this means you got the AnyConnect Premium license for the ASA. Does this mean that you are using the browser based (Clientless VPN) VPN on the ASA5505? To my understanding this is at least usually the reason when one might go for the Premium license rather than AnyConnect Essentials, which should provide all the basic SSL VPN Client capabilities. If I am not mistaken it should also support the maximum user amount on the ASA model (refer to the table in the link above for the amount) with that single license.
So to my understanding you would need
ASA5512-X with Base License
AnyConnect Essentials license
Though again I would have to say that you should check the above links and see if the model you have initially chosen supports everything you need. I would imagine the company selling you the ASA should be able to help you with choosing the correct setup/part numbers when you are clear on what you need.
Yes - you remember correctly, you did assist in setting up the 5505.
I may have misstated what we have with the 5505:
it has the 50 user license and the AnyConnect Essentials 25 VPN user license.
As far as which model will meet my requirements - I could possibly get away with another 5505 in the corporate headquarters, as it will only be doing the following 3 tasks.
1 - Acting as an Internet gateway
2 - Guiding site to site traffic between Corporate and PA
3 - providing Corporate users VPN access to the network
I had assumed I should use the 5512 because there is a possibility that I would need to add a second branch office which would use a 5505. If I'm reading everything correctly, a 5505 won't let me set up 2 site to site VLANs along with internet gateway and VPN services. Also, the Corporate fiber connection is faster than the PA one and servicing more users, which I assumed needed faster throughput.
In looking at the license management link that you sent, I believe what I need is a 5512 Basic with the addition of the AnyConnect Essentials license for corporate VPN users (or possibly just have my VPN users connect to the PA VPN and connect to the Corporate network via the site to site VLAN).
Then I would set up a site to site VLAN to the PA 5505, and configure my internet gateway ACLs. All traffic that used to go down the MPLS between offices would just be routed through the site to site VLAN.