01-21-2009 10:29 AM
Hi All,
In order to use SSL VPN (client based) on the ASA5510, what is the licensing requirement? From the 'sh ver' below, can we tell how many SSL VPN clients the ASA supports?
********************************
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 000f.f775.944a, irq 9
1: Ext: Ethernet0/1 : address is 000f.f775.944b, irq 9
2: Ext: Ethernet0/2 : address is 000f.f775.944c, irq 9
3: Ext: Ethernet0/3 : address is 000f.f775.944d, irq 9
4: Ext: Management0/0 : address is 000f.f775.944e, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not licensed : irq 5
7: Ext: GigabitEthernet1/0 : address is 0014.6a21.ca0e, irq 255
8: Ext: GigabitEthernet1/1 : address is 0014.6a21.ca0f, irq 255
9: Ext: GigabitEthernet1/2 : address is 0014.6a21.ca10, irq 255
10: Ext: GigabitEthernet1/3 : address is 0014.6a21.ca11, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
This platform has an ASA 5510 Security Plus license.
********************************
Thank you
MS
01-21-2009 11:31 AM
All ASAs come with two free SSL WebVPN peers (seen as WebVPN Peers : 2).
The ASA5510 supports up to 250 SSL VPN user sessions.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
You can buy the SSL license in blocks of 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000, depending on your ASA5500 platform.
If you have a failover ASA, you also need to buy the same quantity of SSL licenses for the standby unit.
Regards
01-21-2009 12:29 PM
Thank you Jorge. Also, another quick question: do SSL VPN configs support a backup SSL VPN server? (The question may not make much sense though. :-)) Or do the users have to be aware of the backup server URL or IP to connect to the secondary server in case the primary server is not available?
Thank you
MS
01-21-2009 01:24 PM
MS, when you say "support backup SSL VPN server", are you referring to using active/standby ASAs? If so, I would say SSL clients would have to reconnect. This is an educated guess; please let me know if I have misunderstood your question.
Stateful information
Regards
01-21-2009 01:39 PM
No Jorge, I understand SSL VPN supports Active/Standby. But let's say I have 2 SSL VPN servers at 2 different physical locations for DR purposes. In case the primary https://server1 is unreachable, is there any way the user automatically gets redirected to the 2nd server (still typing http://server1) to connect to the network? Or does this need dynamic DNS? I am asking this because, using VPN client s/w on laptops, we can define the backup server, so the s/w is aware to go to the 2nd server without user intervention. Just wondering if something like that is available in SSL VPN as well.
Thank you
MS
01-21-2009 02:20 PM
MS, I see your point. That would most likely be implemented with some sort of dynamic DNS, as you indicated. As far as I know, the ASA being your SSL server does not have that dynamic function.
In your scenario you will have two different ISPs' IP blocks at different locations. There is an interesting article I saved a while ago that talks about multiple address records associated with a single domain name, dynamic DNS.
Read BGP session down
http://www.spirit.com/Network/net0503.html
Regards
Jorge