Tuesday, July 29, 2014

Cisco ASA SSL VPN Licensing



Cisco ASA users who bought the right Cisco ASA hardware in their network may be frustrated by getting the hardware working with proper license and functionality that requires one to navigate a maze of confusing choices with different bundles, rules, and restrictions. Some of them has put their questions when they need Cisco asa license or upgrading. Some questions are raised like this:
“Can someone clarify for me the SSL VPN/AnyConnect licensing for the ASA 5520?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium. …I'd like to add 25 or perhaps 50 SSL VPN Licenses and be able to use a combination of clientless, thin client and full client AnyConnect groups.  Would the "ASA5500-SSL-25" (or 50) be the correct license I need to purchase?”


“Our ASA 5505 with BASE license by default allowing only 10 concurrent vpn sessions (including 2 Anyconnect+IPsec). attached TXT file with license information. this firewal is use only for vpn access, and we have  IPSec L2L vpn tunnel, anyconnect, client less SSL vpn and IPSec client access vpn configurations up and running, we are in plan to upgrade vpn license to archive 10 IPSec and 10 Anyconnect and 1 anyconect mobile VPN sessions at time. so my questions are;
1. can I buy "ASA5500-SSL-10=" license and upgrade our ASA 5505 without buying "L-ASA5505-SEC-PL="  security pus license.
2. Does asa Support to upgrade only SSL Anyconnect vpn license while keeping 10 IPSec vpn comes with base license.”
  


There are some typical questions we get asked by customers on a daily basis regarding how ASA licensing works?
Q: If we buy a new ASA (the same model) to replace our old ASA, do we need a new license? Can we transfer?
A: Typically, licenses are non-transferable. Unless the old ASA is covered by SMARTNet, and that the new replacement ASA is a RMA issued directly by Cisco. That’s the only way to keep them.

Q: What license will I need for the new replacement ASA?
A: This depends on the ASA’s topology and function in the network.

-If the ASA is to replace the main Shared Licensing Server, then it’ll need the Shared Licensing Server license which will act as the license issuing server for the participant licenses.
-If the ASA is to replace the Fail-over Server, it’ll only need a Participant License. This server will act as a back-up licensing server in case the primary server is unreachable. However, the Shared Licensing Server license is only good for ONE fail-over server.
-If the ASA is to be used as a participant, only a Participant License is required.

If you are interested in the Cisco Adaptive Security Appliances as an option for your network and don’t know where to start, you can contact our excellent sales team who can get you started right away.

For more about router-switch.com, you can visit here.
cisco@router-switch.com (Sales Inquiries)
ccie-support@router-switch.com (CCIE Technical Support)

*Note: ASA with IOS version prior to 8.3 and after 8.3 have different licensing options in regards to different active/standby configurations.



More Cisco ASA License Topics

1 comment: