Tuesday, July 29, 2014

Cisco ASA SSL VPN Licensing



Cisco ASA users who have bought the right ASA hardware for their network are often frustrated when it comes to getting it running with the proper license and functionality: that requires navigating a maze of confusing bundles, rules, and restrictions. Some of them post their questions when they need an ASA license or an upgrade. Typical questions look like this:
“Can someone clarify for me the SSL VPN/AnyConnect licensing for the ASA 5520?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium. …I'd like to add 25 or perhaps 50 SSL VPN Licenses and be able to use a combination of clientless, thin client and full client AnyConnect groups.  Would the "ASA5500-SSL-25" (or 50) be the correct license I need to purchase?”


“Our ASA 5505 with the BASE license by default allows only 10 concurrent VPN sessions (including 2 AnyConnect + IPsec). Attached is a TXT file with the license information. This firewall is used only for VPN access, and we have IPsec L2L VPN tunnel, AnyConnect, clientless SSL VPN and IPsec client access VPN configurations up and running. We plan to upgrade the VPN license to achieve 10 IPsec and 10 AnyConnect and 1 AnyConnect mobile VPN sessions at a time. So my questions are:
1. Can I buy the "ASA5500-SSL-10=" license and upgrade our ASA 5505 without buying the "L-ASA5505-SEC-PL=" Security Plus license?
2. Does the ASA support upgrading only the SSL AnyConnect VPN license while keeping the 10 IPsec VPN sessions that come with the base license?”
  


These are some typical questions customers ask us every day about how ASA licensing works:
Q: If we buy a new ASA (the same model) to replace our old ASA, do we need a new license? Can we transfer it?
A: Typically, licenses are non-transferable. The exception is when the old ASA is covered by SMARTnet and the replacement ASA is an RMA unit issued directly by Cisco; that is the only way to keep the existing licenses.

Q: What license will I need for the new replacement ASA?
A: This depends on the ASA’s topology and function in the network.

-If the ASA replaces the main Shared Licensing Server, it needs the Shared Licensing Server license; this unit issues licenses to the participants.
-If the ASA replaces the backup (fail-over) licensing server, it only needs a Participant License. This unit acts as a backup licensing server in case the primary server is unreachable. Note that a Shared Licensing Server license supports only ONE backup server.
-If the ASA is to be used as a participant, only a Participant License is required.

If you are interested in the Cisco Adaptive Security Appliances as an option for your network and don’t know where to start, you can contact our excellent sales team who can get you started right away.

For more about router-switch.com, you can visit here.
cisco@router-switch.com (Sales Inquiries)
ccie-support@router-switch.com (CCIE Technical Support)

*Note: ASA software releases prior to 8.3 and releases 8.3 and later have different licensing options for active/standby (failover) configurations, so check the licensing rules for the release you run.




Monday, July 28, 2014

Cisco ASA 5500 Model Comparison: Cisco ASA 5505 vs. ASA 5510 vs. ASA 5520


The Cisco ASA 5500 series is a big family with many popular models. For example, the Cisco ASA 5505 was designed for small offices, home offices and remote-office security and VPN solutions. It supports up to 25,000 concurrent connections with the Security Plus license, Active/Standby failover, and site-to-site, remote-access and WebVPN connectivity, and delivers up to 150 Mbps of stateful-inspection throughput (100 Mbps for 3DES/AES VPN traffic). The Cisco ASA 5510 and ASA 5520 deliver advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices. What are the main differences? Check the comparison table of the Cisco ASA 5505, 5510 and 5520 below.


Cisco ASA 5505 vs. ASA 5510 vs. ASA 5520

| Cisco ASA Model | ASA 5505 / Security Plus | ASA 5510 / Security Plus | ASA 5520 |
|---|---|---|---|
| Stateful inspection throughput (max) [1] | Up to 150 Mbps | Up to 300 Mbps | 450 Mbps |
| Stateful inspection throughput (multiprotocol) [2] | - | - | - |
| Next-generation throughput (multiprotocol) [3] | - | - | - |
| ASA IPS throughput [4] | Up to 75 Mbps with AIP SSC-5 | Up to 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 | Up to 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 |
| Concurrent sessions | 10,000 / 25,000 | 50,000 / 130,000 | 280,000 |
| Connections per second | 4,000 | 9,000 | 12,000 |
| Packets per second (64 byte) | 85,000 | 190,000 | 320,000 |
| 3DES/AES VPN throughput [5] | 100 Mbps | 170 Mbps | 225 Mbps |
| Site-to-site and IPsec IKEv1 client VPN user sessions | 10 / 25 | 250 | 750 |
| Cisco AnyConnect or clientless VPN user sessions [6] (AnyConnect license required) | 25 | 250 | 750 |
| Cisco Cloud Web Security users | 25 | 75 | 300 |
| VLANs | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 150 |
| High-availability support [7] | Stateless Active/Standby only* | Active/Active* and Active/Standby* | A/A and A/S |
| Integrated I/O | 8-port FE with 2 Power over Ethernet (PoE) ports | 5-port FE / 2-port 10/100/1000, 3-port FE | 4-port 10/100/1000 and 1-port FE |
| Expansion I/O | Not available | 4-port 10/100/1000 or 4-port GE (SFP) | 4-port 10/100/1000 or 4-port GE (SFP) |
| Dual power supplies | Not available | Not available | Not available |
| Power | AC/DC | AC/DC | AC/DC |

Notes:
[1] Maximum throughput with UDP traffic measured under ideal test conditions
[2] Multiprotocol = traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
[3] Throughput was measured using ASA CX Software Release 9.1.1 with a multiprotocol traffic profile with both Application Visibility and Control (AVC) and Web Security Essentials (WSE); traffic logging was enabled as well
[4] Firewall traffic that does not go through the IPS service can have higher throughput
[5] VPN throughput and session count depend on the ASA device configuration and VPN traffic patterns; take these into consideration as part of your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 remote-access VPN connectivity
[6] 2 AnyConnect Premium user licenses are included by default
[7] A/A = Active/Active; A/S = Active/Standby
* Requires the Security Plus license


Friday, July 25, 2014

How to Configure a Cisco ASA 5505?

If you purchase a Cisco ASA 5505, it ships with a default configuration that includes two preconfigured networks (the inside network and the outside network) and an inside interface configured as a DHCP server. Clients on the inside network obtain a dynamic IP address from the ASA so that they can communicate with each other as well as with devices on the Internet.


What does it look like? First, let's have a look at the Cisco ASA 5505 itself. The device has eight 10/100 Ethernet ports, E0/0 to E0/7; the last two, E0/6 and E0/7, support PoE.


(Figure in the original post: details of each part of the Cisco ASA 5505)


About Cisco ASA 5505 Licensing
Base License
  • 3 VLANs
  • Supports three security zones (inside, outside, DMZ), but with a communication restriction between the DMZ and INSIDE
    (Note: the inside VLAN is permitted to send traffic to the DMZ, but the DMZ may not initiate traffic to the inside. This is the "DMZ Restricted" entry in the show activation-key output below.)
  • No failover redundancy
  • 10 inside hosts

Security Plus License
  • Up to 20 VLANs (trunking enabled)
  • Failover redundancy (stateless Active/Standby)

To verify the serial number and license type of the ASA 5505
ciscoasa# show activation-key
Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX 0xXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
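To turn output like the above into something you can check a VPN plan against (the kind of question quoted at the top of this page, e.g. 10 IPsec plus 10 AnyConnect sessions on a Base license), here is an added Python example written for this page; it is not from the original post or from Cisco. It parses the "Licensed features" block of a constructed sample of show activation-key output and checks a session plan against it. The counting rules it models (IPsec sessions against Other VPN Peers; AnyConnect against AnyConnect Premium Peers or, with Essentials enabled, against Total VPN Peers; everything within Total VPN Peers; mobile clients needing AnyConnect for Mobile) are this example's assumptions and should be confirmed against Cisco's licensing documentation for your release. The serial number and activation key in the sample are dummies.

```python
import re

# Constructed sample of "show activation-key" output for an ASA 5505 Base
# license, in the same shape as the output shown above (serial/key are dummies).
SAMPLE_SHOW_ACTIVATION_KEY = """\
Serial Number: JMX0000000000
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
"""

# "<feature name> : <value> [qualifier...]", e.g. "Total VPN Peers : 25 perpetual"
FEATURE_RE = re.compile(r"^(?P<name>[A-Za-z0-9 /()-]+?)\s*:\s*(?P<value>\S+)(?:\s+(?P<rest>.*))?$")


def parse_activation_key(text):
    """Return {feature: value} for the 'Licensed features' block.
    Numbers become int, Enabled/Disabled become True/False; everything
    outside that block (serial, key, trailing summary) is ignored."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if line.startswith("This platform has"):
            break
        m = FEATURE_RE.match(line.strip()) if in_block else None
        if not m:
            continue
        value = m.group("value")
        if value.isdigit():
            value = int(value)
        elif value in ("Enabled", "Disabled"):
            value = value == "Enabled"
        features[m.group("name").strip()] = value
    return features


def plan_fits(features, ipsec_sessions, anyconnect_sessions, mobile_sessions=0):
    """Check a concurrent-session plan against the parsed license and return a
    list of problems (empty list = the plan fits). mobile_sessions is the part
    of anyconnect_sessions that comes from mobile clients. The rules modelled
    here are this example's assumptions (confirm them against Cisco's licensing
    guide for your release):
      - IPsec IKEv1 sessions count against 'Other VPN Peers'
      - AnyConnect sessions count against 'AnyConnect Premium Peers', or against
        'Total VPN Peers' when AnyConnect Essentials is enabled
      - all VPN sessions together must fit within 'Total VPN Peers'
      - mobile AnyConnect clients additionally need 'AnyConnect for Mobile'"""
    problems = []
    total = features.get("Total VPN Peers", 0)
    other = features.get("Other VPN Peers", 0)
    ac_cap = total if features.get("AnyConnect Essentials") else features.get("AnyConnect Premium Peers", 0)
    if ipsec_sessions > other:
        problems.append(f"IPsec sessions {ipsec_sessions} exceed Other VPN Peers ({other})")
    if anyconnect_sessions > ac_cap:
        problems.append(f"AnyConnect sessions {anyconnect_sessions} exceed licensed AnyConnect peers ({ac_cap})")
    if ipsec_sessions + anyconnect_sessions > total:
        problems.append(f"combined sessions {ipsec_sessions + anyconnect_sessions} exceed Total VPN Peers ({total})")
    if mobile_sessions and not features.get("AnyConnect for Mobile"):
        problems.append("mobile AnyConnect clients need the 'AnyConnect for Mobile' feature")
    if not features.get("VPN-3DES-AES"):
        problems.append("VPN-3DES-AES is disabled: only DES would be available, which is not acceptable today")
    return problems


if __name__ == "__main__":
    feats = parse_activation_key(SAMPLE_SHOW_ACTIVATION_KEY)
    # the second customer question above: 10 IPsec + 10 AnyConnect (1 mobile) on a Base license
    for p in plan_fits(feats, ipsec_sessions=10, anyconnect_sessions=10, mobile_sessions=1):
        print("-", p)
```

Paste real show activation-key output in place of the sample. On the Base license in the sample, a plan of 10 IPsec and 10 AnyConnect sessions with one mobile client fails on the AnyConnect Premium Peers count (2) and on the missing AnyConnect for Mobile feature, which is the situation the second customer question above describes; the 10 IPsec sessions themselves fit within Other VPN Peers.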


Clear the configuration on the ASA 5505 (erases the startup configuration; reload afterwards)
ASA5505# write erase

Reset the ASA 5505 to factory default
ASA5505(config)# configure factory-default

Note: factory default settings
  • DHCP server is enabled on the inside interface
  • Preconfigured with two VLANs:
    • VLAN 1 - switch ports E0/1 - E0/7 (inside, trusted interface)
    • VLAN 2 - switch port E0/0 (outside, untrusted interface)
  • Inside IP address is 192.168.1.1

Set the privileged-level (enable) password. The password is a single token, so it cannot contain spaces:
ASA5505(config)# enable password MyS3cretPassw0rd

Configure the private inside interface (this changes the inside address from the factory default 192.168.1.1 to 10.0.0.1)
ASA5505(config)# interface vlan 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 10.0.0.1 255.255.255.0

ASA5505(config)# interface e0/1
ASA5505(config-if)# switchport access vlan 1

Configure the public outside interface
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0

ASA5505(config)# interface e0/0
ASA5505(config-if)# switchport access vlan 2

Configure the DMZ interface (Base license: the third VLAN must be restricted with "no forward interface vlan 1" before it can be given a nameif; the DMZ then cannot initiate traffic to the inside VLAN)
ASA5505(config)# interface vlan 3
ASA5505(config-if)# no forward interface vlan 1
ASA5505(config-if)# nameif dmz
ASA5505(config-if)# security-level 50
ASA5505(config-if)# ip address 172.16.0.1 255.255.255.0

ASA5505(config)# interface e0/2
ASA5505(config-if)# switchport access vlan 3

If the ISP provides the IP address for the outside interface, configure it as follows instead:
interface vlan 2
 nameif outside
 security-level 0
 ip address dhcp setroute

Note: "ip address dhcp setroute" obtains the address via DHCP and also installs the ISP's router as the default gateway, so no static default route is needed in that case.

interface e0/0
 switchport access vlan 2

To enable ASDM (HTTPS) management access to the ASA from the internal subnet 10.0.0.0/24 only (do not open this to the outside interface)
http server enable
http 10.0.0.0 255.255.255.0 inside

Configure a static route to an internal subnet located behind a router on the inside network. The directly connected 10.0.0.0/24 needs no route; the route command takes the next-hop IP address, not an interface name. Here 10.0.0.2 is assumed to be the internal router:
route inside 10.10.10.0 255.255.255.0 10.0.0.2

Configure the default route to reach the outside (Internet), with 192.168.1.2 as the ISP router
route outside 0.0.0.0 0.0.0.0 192.168.1.2

Configure a static route to a subnet behind a router in the DMZ (172.16.0.2 is assumed to be that router)
route dmz 172.16.1.0 255.255.255.0 172.16.0.2

Configure the DHCP pool for the inside subnet. The pool must lie within the inside subnet configured above (10.0.0.0/24) and must not include the ASA's own address 10.0.0.1; a pool from the factory-default 192.168.1.0/24 is rejected once the inside address has been changed:
dhcpd address 10.0.0.2-10.0.0.50 inside
dhcpd enable inside

Reference from http://cisco-goa.blogspot.com/2012/02/029-configuring-cisco-asa-5505.html
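Two of the mistakes the walkthrough above makes easy (a DHCP pool that is not in the inside subnet, and a static route whose gateway is not on the subnet of the named interface; the ASA rejects the first, and the second never forwards anything) can be caught before the config is pasted into the box. The following Python linter is an added example written for this page, not code from the original post or from the referenced blog. It parses a constructed config in the same shape as the walkthrough (with those two mistakes planted deliberately), and also checks the Base-license "no forward interface" requirement on the third VLAN and that ASDM/HTTP management is not opened to the outside. Only the commands used above are understood; everything else is skipped.

```python
import ipaddress
import re

# Constructed sample (not from a real device), following the walkthrough above,
# with two deliberate mistakes: the DHCP pool still uses the factory-default
# 192.168.1.0/24 instead of the new inside subnet, and the DMZ route's gateway
# is not on the DMZ subnet.
SAMPLE_CONFIG = """\
interface vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface vlan 2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
route inside 10.10.10.0 255.255.255.0 10.0.0.2
route outside 0.0.0.0 0.0.0.0 192.168.1.2
route dmz 172.16.1.0 255.255.255.0 172.16.5.2
http server enable
http 10.0.0.0 255.255.255.0 inside
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside
"""


def parse_config(text):
    """Pull interfaces, static routes, DHCP pools and http ACL entries out of
    ASA-style config lines. Only the commands used in the walkthrough are
    understood; everything else is skipped."""
    interfaces, routes, pools, http = {}, [], [], []
    cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            # accepts both "interface vlan 1" (as typed) and "interface Vlan1" (as shown)
            m = re.match(r"vlan\s*(\d+)", " ".join(tok[1:]), re.I)
            cur = {"vlan": int(m.group(1)) if m else None, "network": None, "no_forward": False}
        elif cur is not None and tok[0] == "nameif":
            interfaces[tok[1]] = cur
        elif cur is not None and raw.strip().startswith("no forward interface"):
            cur["no_forward"] = True
        elif cur is not None and tok[:2] == ["ip", "address"] and len(tok) >= 4 and tok[2] != "dhcp":
            cur["network"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append((tok[1], ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False),
                           ipaddress.IPv4Address(tok[4])))
        elif tok[:2] == ["dhcpd", "address"] and len(tok) >= 4:
            lo, hi = tok[2].split("-")
            pools.append((tok[3], ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
        elif tok[0] == "http" and len(tok) == 4:
            http.append((ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return interfaces, routes, pools, http


def lint(text, base_license=True):
    """Return a list of findings for the config; an empty list means clean."""
    interfaces, routes, pools, http = parse_config(text)
    findings = []
    vlan_ifs = [i for i in interfaces.values() if i["vlan"] is not None]
    # Base license: a third VLAN is only allowed with "no forward interface" on it
    if base_license and len(vlan_ifs) >= 3 and not any(i["no_forward"] for i in vlan_ifs):
        findings.append("Base license: the third VLAN needs 'no forward interface vlan N' before nameif")
    # a static route's next hop must be on the subnet of the interface it names
    for ifname, dst, gw in routes:
        net = interfaces.get(ifname, {}).get("network")
        if net is None:
            findings.append(f"route to {dst}: interface {ifname} is unknown or has no address")
        elif gw not in net.network:
            findings.append(f"route to {dst} via {gw}: gateway is not on the {ifname} subnet {net.network}")
    # a dhcpd pool must sit inside the interface subnet and exclude the ASA's own address
    for ifname, lo, hi in pools:
        net = interfaces.get(ifname, {}).get("network")
        if net is None:
            findings.append(f"dhcpd pool on interface {ifname}: interface is unknown or has no address")
        elif lo not in net.network or hi not in net.network:
            findings.append(f"dhcpd pool {lo}-{hi} is outside the {ifname} subnet {net.network}")
        elif lo <= net.ip <= hi:
            findings.append(f"dhcpd pool {lo}-{hi} includes the ASA's own address {net.ip}")
    # management access should be limited to a management subnet on the inside
    for net, ifname in http:
        if net.prefixlen == 0 or ifname == "outside":
            findings.append(f"http {net} {ifname}: ASDM management exposed too widely, restrict to a management subnet")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("-", f)
```

Run it against the sample and it reports the out-of-subnet DHCP pool and the unreachable DMZ gateway; fix those two lines (pool 10.0.0.2-10.0.0.50, gateway 172.16.0.2) and it reports nothing. Before pasting a config into a production unit, run it through a check like this and then confirm on the box with show route, show dhcpd binding and show run http.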


Sunday, June 22, 2014

Enterprise-Class Stackable Switches-Cisco 3750-X Models Comparison

How much do you know about the Cisco 3750-X series switches? If you were asked to describe the features of the Cisco Catalyst 3750-X series, what would you say? Gigabit Ethernet, Layer 3 switch, stackable, fixed configuration, 1 GE uplinks, 10 GE uplinks, data, PoE, PoE+, LAN Base, IP Base, IP Services: all of these keywords match the Cisco 3750-X series. So if you want a Cisco switch like this, the Cisco 3750-X is the obvious choice.

In the Cisco fixed-configuration 3750-X series, all switch models can be configured with four optional network modules. The UPOE, PoE+, and non-PoE switch models are available with either the LAN Base or IP Base feature set. The IP Services feature set is available as an upgrade option at the time of ordering or through a license at a later time. The GE SFP switch models are available with either the IP Base or IP Services feature set.

First, we look at the main Cisco Catalyst 3750-X models with LAN Base, IP Base and IP Services software.
Catalyst 3750-X Models with LAN Base Software

| Model | Total 10/100/1000 Ethernet ports | Default AC power supply rating (dual modular slots) | Default Power over Ethernet (PoE) power |
|---|---|---|---|
| (model name not listed in the source) | 24 | 350W | - |
| WS-C3750X-48T-L | 48 | 350W | - |
| (model name not listed in the source) | 24 Power over Ethernet Plus (PoE+) | 715W | 370W |
| WS-C3750X-48P-L | 48 PoE+ | 715W | 370W |
| WS-C3750X-48PF-L | 48 PoE+ | 1100W | 740W |

Uplinks (all models above): modular 4 x 1 GE, 2 x 10 GE, 2 x 10GBASE-T, and a service module with two 10 GE SFP+ interfaces.
StackPower (all models above): yes; available starting with Cisco IOS Release 15.0(2)SE. The StackPower cable is purchased separately.

Cisco 3750-X Models with IP Base Software



Catalyst 3750-X Switches with IP Services Software


After going through the main Cisco 3750-X models, we draw some comparisons between similar models, which should help you understand the Cisco 3750-X switches better.
Hardware Features-WS-C3750X-24T & WS-C3750X-48T



Hardware Features-WS-C3750X-24P, WS-C3750X-48P and WS-C3750X-48PF


Monday, May 26, 2014

ASA 5512-X vs. 5515-X vs. 5525-X vs. 5545-X vs. 5555-X

Without requiring additional hardware modules, the ASA 5500-X Series provides next-generation security capabilities at scale. These appliances support services such as application visibility and control, web security essentials, intrusion prevention, remote access and cloud web security to provide an end-to-end, scalable security solution. Furthermore, integrating with Cisco ISE (Identity Services Engine) and the Cisco AnyConnect mobility solution, ASA 5500-X Series firewalls provide a comprehensive BYOD solution for large enterprises and small businesses alike.





What’s New on Cisco ASA 5500-X Series Next-Generation Firewalls?
• Cisco ASA Next-Generation Firewall provides services such as Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications, Web Security Essentials (WSE) to restrict web and web-application usage based on the reputation of the site, and Intrusion Prevention (IPS) to provide critical threat protection against Internet-edge attacks. Through Cisco Security Intelligence Operations (SIO)*, these services provide web reputation that protects against zero-day threats.
• Cisco Prime Security Manager can now be used to centrally manage core ASA-X features along with next-generation services such as Application Visibility and Control, Web Security and IPS.
• ASA IPS is the only context-aware IPS that uses device awareness, network reputation of the source, target value and user identity to drive mitigation decisions, providing proactive protection against threats. It uses a combination of on- and off-box intelligence and does not require an additional hardware module.
• 4x increase in firewall throughput protects users as their current and future data consumption demands increase.
• Redundant power supplies (on the ASA 5545-X and 5555-X appliances) protect against power outages.
• Multicore enterprise-class CPUs deliver better performance.
• Additional copper and small form-factor pluggable (SFP) Gigabit Ethernet ports provide greater flexibility for network configuration.
• Cisco Cloud Web Security provides web security, application visibility and control for organizations of all sizes through a network of global data centers.
• Cisco AnyConnect enables seamless secure remote access by providing an always-on secure connectivity experience across a broad set of desktop and mobile devices.


Cisco ASA 5500-X Series Next-Generation Firewalls Comparison

Cisco ASA 5500-X Series Hardware and Physical Specifications
