Cisco Support Community
Community Member

VPN Licenses for ASA 5520

Support Community,

I wanted to run this question by you guys to avoid the sales pitch from our CISCO partner; I am looking more for the best option that would provide us what we are looking for.

Currently we have a CISCO 3020 VPN Concentrator to terminate Lan-to-Lan tunnels and have our mobile workers connect via CISCO VPN client (300 users-employees and contractors-).

Since this device is coming to an EOL this year, we purchased a CISCO 5520 (below are the current licenses on it).

The licensing seems rather complicated, therefore this is my question:

- What VPN solution do you recommend for our users and contractors? It is my understanding the CISCO VPN client does not work with ASA 5500 series devices.

- Is there a license needed to deploy VPN solutions for our remote users (employees/contractors)?

Thanks

John

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                           : 150            perpetual
Inside Hosts                                    : Unlimited      perpetual
Failover                                           : Active/Active  perpetual
VPN-DES                                       : Enabled        perpetual
VPN-3DES-AES                           : Enabled        perpetual
Security Contexts                           : 2              perpetual
GTP/GPRS                                     : Disabled       perpetual
AnyConnect Premium Peers        : 2              perpetual
AnyConnect Essentials                  : Disabled       perpetual
Other VPN Peers                            : 750            perpetual
Total VPN Peers                             : 750            perpetual
Shared License                              : Disabled       perpetual
AnyConnect for Mobile                  : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

1 ACCEPTED SOLUTION

Hall of Fame Super Gold

VPN Licenses for ASA 5520

Your understanding that the Cisco VPN client does not work with ASA is mistaken. It may be that the version of the Cisco VPN client that you are currently using does not work with ASA. But recent (and not so very recent for that matter) versions of the VPN client do work with the ASA. I have installed ASAs for several customers who are using the traditional IPSec VPN client with ASA and they work well.

You are correct that licensing for the ASA gets complicated. Your IPSec site to site VPN tunnels will work on the ASA and do not present much challenge in terms of licensing. But there are issues and alternatives to consider for the Remote Access VPN clients. At this point there are two main alternatives: you can use the traditional IPSec VPN client or you can use the new AnyConnect client. From a licensing perspective there is a huge difference between them. There is no special licensing that applies to the traditional IPSec client and they just count against your licensing for Total VPN peers (for which you have 750 in your license). For the AnyConnect there is a licensing requirement. There is a premium license for AnyConnect and there is an Essentials license for AnyConnect. The Essentials license price is much lower than the premium license, but Essentials does not give all the features that the Premium does.

In the short term it would sound like an easy question to answer: use the traditional IPSec VPN client, for which there is no special licensing and it is what you are used to. However Cisco has announced dates for End of Sale and End of Support for the traditional VPN client. So at some point you will need to use the AnyConnect client. I would suggest that while you are making the change to the ASA that it might be a good choice to also adopt the AnyConnect client.

HTH

Rick
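
The licensing point in the answer above can be checked directly against the license listing from the question. The following Python is an added example, not part of the original thread or any Cisco tooling: it parses the listing and compares the 300 planned remote users with the session capacity for each client type. The function names are hypothetical, and treating an enabled AnyConnect Essentials license as allowing sessions up to Total VPN Peers is an assumption not stated in the thread.

```python
import re

# Constructed sample: a subset of the license lines quoted in the question.
SAMPLE = """\
Licensed features for this platform:
VPN-3DES-AES                           : Enabled        perpetual
AnyConnect Premium Peers        : 2              perpetual
AnyConnect Essentials                  : Disabled       perpetual
Other VPN Peers                            : 750            perpetual
Total VPN Peers                             : 750            perpetual
"""

# "<feature name> : <value> <term>", tolerant of the uneven column padding.
LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S+)\s+(?P<term>\S+)\s*$")

def parse_licenses(text):
    """Map feature name -> int count, True/False, or the raw string."""
    features = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or summary lines carry no value column
        value = m.group("value")
        if value.isdigit():
            features[m.group("name")] = int(value)
        elif value in ("Enabled", "Disabled"):
            features[m.group("name")] = value == "Enabled"
        else:
            features[m.group("name")] = value  # e.g. Unlimited, Active/Active
    return features

def remote_access_capacity(features):
    """Sessions available per client type under the parsed license."""
    total = features.get("Total VPN Peers", 0)
    # IPsec clients need no special license; they share this pool with
    # the site-to-site tunnels.
    ipsec = min(features.get("Other VPN Peers", 0), total)
    anyconnect = features.get("AnyConnect Premium Peers", 0)
    if features.get("AnyConnect Essentials", False) is not False:
        anyconnect = total  # assumption: Essentials allows up to the platform total
    return {"ipsec_client": ipsec, "anyconnect": min(anyconnect, total)}

def shortfall(features, planned_users):
    """Users per client type that the current license cannot serve."""
    caps = remote_access_capacity(features)
    return {client: max(0, planned_users - cap) for client, cap in caps.items()}

if __name__ == "__main__":
    print(shortfall(parse_licenses(SAMPLE), 300))
```
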

3 REPLIES
Community Member

VPN Licenses for ASA 5520

Thank you so much Richard for your prompt reply clarifying my misunderstanding.

Any advantages/extra features on AnyConnect compared to regular CISCO VPN client?

Any good link to read about the difference between the various AnyConnect licenses?

John

Re: VPN Licenses for ASA 5520

The AnyConnect client offers Web deployment, so the users can download the software from the ASA through a Web Portal.

On the other hand, the AnyConnect client allows advanced endpoint assessment features, for instance, if you don't want people to connect without the latest AV update, among a lot of new options.

It also has different modules which introduce new functionalities and flexibility.

Indeed the AnyConnect client is the next generation client, please take it into account whenever possible.

Here is some useful information:

Introduction to the AnyConnect Secure Mobility Client

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac01intro.html

http://www.cisco.com/en/US/products/ps8411/tsd_products_support_series_home.html

Hope it helps.
