We were going to upgrade our old PIX 515e to an ASA 5510. We were hoping that the SSL VPN protocol is a bit more forgiving with flaky internet connections. Is this true?
On the Licensing for SSL VPN it's not 100% clear what I need.
Seems like there are a few flavors of Licensing.
AnyConnect (Essential and Premium (Shared and Not))
SSL VPN Licenses for AnyConnect Premium
I have 40 Users, they typically have 1-3 devices. All have laptops, some have SmartPhones, some have iPads.
We currently use IPSec and typically do not have more than 17 users connected at one time.
So my question is what Licenses do I need to make this happen? If I want to have the users have to have the AnyConnect Client installed, and I want them to be able to use their laptop or mobile device (though typically not at the same time) what would I need?
Say Typical load will be:
10 AnyConnect Windows 7 x64 Clients
5 iPad devices (Yes I know it's not officially supported till the release of 4.2 in November)
One of the attractive features of AnyConnect, in my opinion, is the auto-reconnect capability. It allows for the tunnel to re-establish without user intervention (ex. logging in again) in the event your network connection goes in and out. In these cases, yes, it's more resilient with suspect internet connections.
As for licensing, if you're simply providing client-based access and have no desire to present a clientless (webvpn) portal, then AnyConnect Essentials is next-to-nothing in terms of cost. This of course all depends on your requirements. If you require other advanced features such as endpoint assessment or clientless (as just mentioned), you will need to steer towards premium. Judging from your current usage and projected needs, you may do just fine with AnyConnect Essentials licensing and the AnyConnect Mobile licensing---again, all dependent upon your requirements. For more clarification, I have included links to the licensing and feature overviews for AC 2.5 below.
Thank you for the explanation of the Licensing. I think I have it Straight.
With the AnyConnect Essentials you DO NOT need the SSL VPN XX User Licenses. They are only for the AnyConnect Premium flavors?
I'm still not sure of the Mobile Licenses still.
AnyConnect Mobile and Cisco Secure Mobility. Seems like One of the Docs you linked to was referring more to Cisco Secure Mobility. I believe I need the AnyConnect Mobile License. Though am not sure if that is like the Essential License where I only need one on the ASA or if I need XX for the number of users, or YY for the number of Concurrent users.
I have implemented AnyConnect for several customers. In my experience it is more forgiving about flaky Internet connections.
While the ASA has no requirement for separate licensing for the IPSec client (you can run IPSec clients up to the limit of the box) there are requirements for licensing when you use AnyConnect or clientless SSL VPN. There are multiple options and understanding them can be confusing. As noted in the other response the AnyConnect Essentials license gives you the ability to run the AnyConnect client but does not give access to some of the functionality available in conjunction with AnyConnect such as Cisco Secure Desktop, End Point analysis, etc. From your description of your requirements I believe that the AnyConnect Essentials would be adequate for you (and much more economical). The AnyConnect Essentials license is one license for the box. If you want the other functionality then you need the premium license and that is licensed per active user.
The AnyConnect Mobile license is for touch screen handheld devices. If you need to support them running AnyConnect to the ASA then you need the Mobile license. The Mobile license is one for the box (not per user).