Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Product Selection sanity check

Here's my use case:

My office has been connecting to a remote VPN using the AnyConnect client.  We are encountering a situation where we need to connect internet-ready devices, that don't support AnyConnect, to the VPN to access secure data (devices such as Smart TVs, etc.)  The obvious solution is a router-to-router VPN tunnel, such that systems here don't need individual clients.  Making changes at the far end is not an option.

The ASA 5505 (plus Premium Anyconnect License) has been recommended for this, but after doing some reading I'm not certain that the use case was understood - the few bits I've read about the "clientless VPN" seem to be discussing PCs without the client connecting, and the client being pushed to them.  Unless I'm the one misunderstanding the discussion.  smiley

The other bit that's confusing me is this - when I look for prices on the ASA 5505, I see that any given retailer has a half-dozen sub-models with different prices.  For some the difference is obvious - prebundled licences, primarily.  For others, not so much.  At this point, I don't know if I need a specific sub-model, or any ASA 5505 + AnyConnect Premium License.

Hall of Fame Super Silver

The AnyConnect Premium

The AnyConnect Premium license is used for clientless remote accessVPN which means the remote user (or device) accesses the VPN via a web browser and does not require any other software client (such as the AnyConnect Secure Mobility software which is used for full tunnel remote access VPN). In either case, these are fundamentally of the class known as "remote access VPN".

If you want to allow devices to connect to remote systems without using any client software (not even a browser) then you need a site-to-site VPN. That requires a firewall (such as the 5505) at your end and a configuration being put onto both it and the remote site firewall to establish a tunnel, route traffic into it, etc.

In the case of a site-to-site VPN, AnyConnect (either Premium or Essentials) is not used at all. The 5505 is very limited and you would need to add licensing in your use case primarily if you anticipate having more than 10 hosts talking to the remote site. The 5505 base license only allows 10 hosts on the inside network. You can add licenses to increase that to 50 or unlimited. You can see the various license types for the 5505 here.

New Member

Thank you very much for

Thank you very much for clarifying that.


I doubt we'd be able to get any specific configuration changes made on the remote firewall, though, as it belongs to a business partner, not us.  That's why we were hoping to establish a tunnel via our existing AnyConnect VPN access.


Sounds like it's "Back to the drawing board."

Hall of Fame Super Silver

You're welcome.Please rate

You're welcome.

Please rate useful answers and mark your question as answered when it has been.

CreatePlease login to create content