Tuesday, July 29, 2014

Cisco ASA SSL VPN Licensing



Cisco ASA users who bought the right Cisco ASA hardware in their network may be frustrated by getting the hardware working with proper license and functionality that requires one to navigate a maze of confusing choices with different bundles, rules, and restrictions. Some of them has put their questions when they need Cisco asa license or upgrading. Some questions are raised like this:
“Can someone clarify for me the SSL VPN/AnyConnect licensing for the ASA 5520?  Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium. …I'd like to add 25 or perhaps 50 SSL VPN Licenses and be able to use a combination of clientless, thin client and full client AnyConnect groups.  Would the "ASA5500-SSL-25" (or 50) be the correct license I need to purchase?”


“Our ASA 5505 with BASE license by default allowing only 10 concurrent vpn sessions (including 2 Anyconnect+IPsec). attached TXT file with license information. this firewal is use only for vpn access, and we have  IPSec L2L vpn tunnel, anyconnect, client less SSL vpn and IPSec client access vpn configurations up and running, we are in plan to upgrade vpn license to archive 10 IPSec and 10 Anyconnect and 1 anyconect mobile VPN sessions at time. so my questions are;
1. can I buy "ASA5500-SSL-10=" license and upgrade our ASA 5505 without buying "L-ASA5505-SEC-PL="  security pus license.
2. Does asa Support to upgrade only SSL Anyconnect vpn license while keeping 10 IPSec vpn comes with base license.”
  


There are some typical questions we get asked by customers on a daily basis regarding how ASA licensing works?
Q: If we buy a new ASA (the same model) to replace our old ASA, do we need a new license? Can we transfer?
A: Typically, licenses are non-transferable. Unless the old ASA is covered by SMARTNet, and that the new replacement ASA is a RMA issued directly by Cisco. That’s the only way to keep them.

Q: What license will I need for the new replacement ASA?
A: This depends on the ASA’s topology and function in the network.

-If the ASA is to replace the main Shared Licensing Server, then it’ll need the Shared Licensing Server license which will act as the license issuing server for the participant licenses.
-If the ASA is to replace the Fail-over Server, it’ll only need a Participant License. This server will act as a back-up licensing server in case the primary server is unreachable. However, the Shared Licensing Server license is only good for ONE fail-over server.
-If the ASA is to be used as a participant, only a Participant License is required.

If you are interested in the Cisco Adaptive Security Appliances as an option for your network and don’t know where to start, you can contact our excellent sales team who can get you started right away.

For more about router-switch.com, you can visit here.
cisco@router-switch.com (Sales Inquiries)
ccie-support@router-switch.com (CCIE Technical Support)

*Note: ASA with IOS version prior to 8.3 and after 8.3 have different licensing options in regards to different active/standby configurations.



More Cisco ASA License Topics

Monday, July 28, 2014

Cisco ASA 5500 Model Comparison: Cisco ASA 5505 vs. ASA 5510 vs. ASA 5520


Cisco ASA 5500 series is a big family that has many popular Cisco ASA models chosen by users. For example, Cisco asa 5505 was designed for Small Offices, home offices and remote office security and for VPN Solutions. It supports up to 16,000 concurrent connections with security Plus license, active/Standby Failover and Site to Site, Remote access and WebVPN. And it delivers 100-Mbps firewall throughput. Cisco asa 5510 and ASA 5520, they deliever advanced security and networking services, including high-performance VPN services, for small and medium-sized business and enterprise branch offices. What are the main differences? You can check the following comparison table of Cisco asa 5505, 5510 and ASA 5520.


Cisco ASA 5505 vs. ASA 5510 vs. ASA 5520
Cisco ASA Model
ASA 5505 /Security Plus
ASA 5510 / Security Plus
ASA 5520




Stateful Inspection throughput (max1)
Up to 150 Mbps
Up to 300 Mbps
450 Mbps
Stateful Inspection throughput (multiprotocol2)
-
-
-
Next-Generation throughput3(multiprotocol)
-
-
-
ASA IPS Throughput4
Up to 75 Mbps with AIP SSC-5
Up to 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20
Up to 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40
Concurrent sessions
10,000 /25,000
50,000 /130,000
280,000
Connections per second
4,000
9,000
12,000
Packets per second (64 byte)
85,000
190,000
320,000
3DES/AES VPN throughput5
100 Mbps
170 Mbps
225 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions
10/25
250
750
Cisco AnyConnect or Clientless VPN User Sessions6 (AnyConnect license required)
25
250
750
Cisco Cloud Web Security users
25
75
300
VLANs
3 (trunking disabled) / 20 (trunking enabled)
50 / 100
150
High-availability support7
Stateless Active/Standby Only*
Active/Acitve* and Active/Standby*
A/A and A/S
Integrated I/O
8-port FE with 2 Power over Ethernet (PoE) ports
5-port FE / 2-port 10/100/1000, 3-port FE
4-port 10/100/1000 and 1-port FE
Expansion I/O
Not available
4-port 10/100/1000 or 4-port GE (SFP)
4-port 10/100/1000 or 4-port GE (SFP)
Dual power supplies
Not available
Not available
Not available
Power
AC/DC
AC/DC
AC/DC

Notes:
1Maximum throughput with UDP traffic measured under ideal test conditions
2Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4Firewall traffic that does not go through IPS service can have higher throughput.
5VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 Remote Access VPN Connectivity.
62 AnyConnect Premium User Licenses are included by default
7A/A = Active/Active; A/S = Active/Standby
* Requires security plus license

More Related Cisco ASA Firewall Topics: