How SSL VPN packages for two ASAs clustered licenses

Hi all!

If I have installed two Cisco ASA 5550 (ASA5550-BUN-K9) in failover mode, which I know support only 2 concurrent sessions of SSL VPN and you want to upgrade my boxes to support 15 AnyConnect SSL VPN sessions, how many licenses packages I need to buy?

An ASA5500-SSL-25 for both boxes or two ASA5500-SSL-25 for one per box?

Depends on what version of ASA you are running.

If you are running version 8.3 and above, then you just buy 1 ASA5500-SSL-25 for a failover pair and it would work. If you buy 2 ASA5500-SSL-25, one license per box in failover pair, then the license gets grouped into 50 SSL user license.

Here is the license information for ASA version 8.3 for failover pair:

http://www.Cisco.com/en/us/docs/security/ASA/asa83/license_standalone/license_management/license.html#wp1315746

For ASA running version 8.2 and below, you are required to buy 2 ASA5500-SSL-25 (one of each ASA in the failover pair) as the license should be exactly the same for the pair to failover to work, in the earlier version of the SAA.

Hope that makes sense.

Tags: Cisco Security

Similar Questions

Third-party SSL VPN ended the DMZ ASA

Hi all

Any help is appreciated. Is it possible:

I have a DMZ set in ASA 5520, and worked well so far. The DMZ subnet is 192.168.10.0/24 and IP on the DMZ interface is 192.168.10.1. Now, I'm trying to add a third-party SSL VPN device (not Cisco). The device has an IP 192.168.10.101. The SSL VPN appliance will give IP addreess SSLVPN customers in the range of 192.168.20.x. After the connection is established, the client is indeed getting the IP addr 192.168.20.x. However, clients are unable to connect to the internal LAN. If I change the IP address range clients on the same subnet that the area demilitarized, everything works. My question is that, as customers SSLVPN are complete on the demilitarized zone and get a different subnet IP address, how can I / road map these addresses before they6 can access internal network inside the interface, or it can be done at all?

All advice is appreciated.

You just need to add the routes appropriate on the SAA for this pool. And also on any Layer 3 routing devices inside the ASA.

Concerning

Farrukh

prevent the SSL VPN user to access ASA cli

Hello

I set up multiple users on my ASA in its local database.

These users are used for the ssl vpn connection, but the problem I have is that users

also have SSH access. Is it possible to avoid this?

Thank you

Hello Raf,

If you do something like this:

username xxx attributes

type of remote access service

the user should not get access CLI more.

Kind regards

Bastien

Router WAN double with SSL VPN inaccessible for customers

I have a configured in a Dual WAN setup Cisco 888. There is an ADSL link connected to the VLAN 100 and a SDSL link associated with the Dialer0. The customer wishes to use the ADSL link to the normal navigation and external SSL VPN users to complete on the SDSL connection. I tried to configure the link failover for the ADSL SDSL.

What works:

-Access to the Internet for clients the

What does not work:

-The ADSL SDSL connection failover.

-Access SSL VPN for customers. Surf to the external IP address will cause only a page by default HTTP. Specification webvpn.html results in a 404 not found error.

Here is my configuration:

version 15.0

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

host name x

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 x

!

AAA new-model

!

!

AAA authentication login local sslvpn

!

!

!

!

!

AAA - the id of the joint session

iomem 10 memory size

!

Crypto pki trustpoint TP-self-signed-3964912732

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 3964912732

revocation checking no

rsakeypair TP-self-signed-3964912732

!

!

TP-self-signed-3964912732 crypto pki certificate chain

self-signed certificate 03

x

quit smoking

IP source-route

!

!

IP dhcp excluded-address 192.168.10.254

DHCP excluded-address IP 192.168.10.10 192.168.10.20

!

DHCP IP CCP-pool

import all

network 192.168.10.0 255.255.255.0

default router 192.168.10.254

DNS-server 213.75.63.36 213.75.63.70

Rental 2 0

!

!

IP cef

no ip domain search

property intellectual name x

No ipv6 cef

!

!

udi pid CISCO888-K9 sn x license

!

!

username secret privilege 15 ciscoadmin 5 x

username password vpnuser 0 x

!

!

LAN controller 0

atm mode

Annex symmetrical shdsl DSL-mode B

!

interface Loopback1

Gateway SSL dhcp pool address description

IP 192.168.250.1 255.255.255.0

!

interface Loopback2

Description address IP VPN SSL

IP 10.10.10.1 255.255.255.0

route PBR_SSL card intellectual property policy

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

ATM0 interface

no ip address

load-interval 30

No atm ilmi-keepalive

PVC KPN 2/32

aal5mux encapsulation ppp Dialer

Dialer pool-member 1

!

!

interface FastEthernet0

switchport access vlan 100

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

LAN description

IP address 192.168.10.254 255.255.255.0

IP nat inside

IP virtual-reassembly

IP tcp adjust-mss 1300

!

interface Vlan100

Description KPN ADSL 20/1

DHCP IP address

NAT outside IP

IP virtual-reassembly

!

interface Dialer0

Description KPN SDSL 2/2

the negotiated IP address

IP access-group INTERNET_ACL in

NAT outside IP

IP virtual-reassembly

encapsulation ppp

Dialer pool 1

Dialer-Group 1

PPP pap sent-username password 0 x x

No cdp enable

!

IP local pool sslvpnpool 192.168.250.2 192.168.250.100

IP forward-Protocol ND

IP http server

local IP http authentication

IP http secure server

IP http timeout policy slowed down 60 life 86400 request 10000

!

pool nat SSLVPN SDSL 10.10.10.1 IP 10.10.10.1 netmask 255.255.255.0

IP nat inside source static tcp 10.10.10.1 443 interface Dialer0 443

IP nat inside source static tcp 10.10.10.1 80 Dialer0 80 interface

IP nat inside source overload map route NAT_ADSL Vlan100 interface

IP nat inside source overload map route NAT_SDSL pool SSLVPN SDSL

IP route 0.0.0.0 0.0.0.0 x.x.x.x

IP route 0.0.0.0 0.0.0.0 Dialer0 10

!

INTERNET_ACL extended IP access list

Note: used with CBAC

allow all all unreachable icmp

allow icmp all a package-too-big

allow icmp all once exceed

allow any host 92.64.32.169 eq 443 tcp www

deny ip any any newspaper

Extended access LAN IP-list

permit ip 192.168.10.0 0.0.0.255 any

refuse an entire ip

!

Dialer-list 1 ip protocol allow

not run cdp

!

!

!

!

NAT_SDSL allowed 10 route map

match the LAN ip address

match interface Dialer0

!

NAT_ADSL allowed 10 route map

match the LAN ip address

match interface Vlan100

!

PBR_SSL allowed 10 route map

set interface Dialer0

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

privilege level 15

transport input telnet ssh

!

max-task-time 5000 Planner

!

WebVPN MyGateway gateway

hostname d0c

IP address 10.10.10.1 port 443

redirect http port 80

SSL trustpoint TP-self-signed-3964912732

development

!

WebVPN install svc flash:/webvpn/anyconnect-dart-win-2.5.0217-k9.pkg sequence 1

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-i386-2.5.0217-k9.pkg sequence 2

!

WebVPN install svc flash:/webvpn/anyconnect-macosx-powerpc-2.5.0217-k9.pkg sequence 3

!

WebVPN context SecureMeContext

title "SSL VPN Service"

secondary-color #C0C0C0

title-color #808080

SSL authentication check all

!

login message "VPN".

!

Group Policy MyDefaultPolicy

functions compatible svc

SVC-pool of addresses "sslvpnpool."

SVC Dungeon-client-installed

Group Policy - by default-MyDefaultPolicy

AAA authentication list sslvpn

Gateway MyGateway

development

!

end

Any suggestions on where to look?

Hello

It works for me. When the client tries to resolve the fqdn for the domain specified in "svc split dns.." he will contact the DNS server assigned through the Tunnel. For all other questions, he contacts the DNS outside the Tunnel.

You can run a capture of packets on the physical interface on the Client to see the query DNS leaving?

Also in some routers, DNS is designated as the router itself (who is usually address 192.168.X.X), if you want to make sure that assigned DNS server doesn't not part of the Split Tunnel.

Naman

How is used to monitor two ASA (active/stby) with modules IPS Cisco MARCH?

Hello

The two ASA with IPS modules are in Active mode / standby. When I try to add both the two IP (active / standby) in MARCH, the MARCH will complain of duplicate names.

How set up in MARCH to monitor the ASA with IPS with topology standby active?

Thank you!

Hello

The fundamental problem with this scenario is that you have modules able non-basculement in a tipping chassis - think of the pair of failover ASA as a device and modules IPS as two completely separate devices.

Then, as we have already mentioned, add only the ASA elementary school. (High school will never be passing traffic in standby mode so it is not really necessary in MARCH) Then, with the first IPS module you can add it as a module of ASA or as a standalone device (MARCH doesn't care). With the second module IPS, the only option is to add it as a separate unit anyway.

In a failover scenario of the SAA swap IP but SPI considering you'll ever messages from ASA active you will get messages from the intellectual property of these two IPS depending on whether you are in the ASA active at the time.

Remember that you must manually reproduce all IPS configuration whenever you make a change.

HTH

Andrew.

How to create packages for distribution?

Hello
I'm trying to distribute updates, what would be the best way (our organisation does not allow downloads of large files)

Hi panties,

I think you want to create the package for applications cloud creatives.

Please check the help below document:

Using creative cloud | Packer

Kind regards

Sheena

How backup VPN configuration between two universities?

Hello, I am a student of the Greece and I have a graduation project to configure Backup VPN between two universities. Principal of communication made with leased lines. I study a lot, but now that it's time for implementation I have some thoughts:

-What hardware and software IOS do I need? Cisco 1841 it is ok for A & D routers?

-Use GRE IPSec transport mode or IPsec Tunnel mode?

-What will be the failover mechanism for switching traffic lines leased to IP VPN Backup and opposite? A teacher told me something about the Interface Prioritys. I read somewhere that this is done with the such as EIGRP routing protocol. who was right the Professor or the book? :-D

-In the same place, they have Firewall and NAT, I need to do any action for this?

The attached file contains topology I want to implement

'My' talk site 1

2 a Central Site

E communicates with A, but no traffic is to A of E with normal circumstances. Subnet on E access Internet through F, then press D. VPN will be implemented on the LAN but the specific source E traffic will pass through the Backdoor VPN (I think that the solution to this is ACL on the router). They have no routing protocol in 'my' site A directly connected routers and the default routes.

How imlement this?

I think the first thing to do is A to D connectivity

I will try to do this to tracers package first, but how can ' I imitate the SP network?

I need help I can get!

Hi John,.

In our scenario, given that our main connection is a direct leased line between E and F, so I guess there is no other network between the two routers. In this case we do not need to configure SLA monitoring or any interface a priority. We can simply enter two default routes:

IP route

IP route 254

In this scenario, if the leased line interface goes down, the second default route is used and the traffic should be routed by A router.

SLA monitoring monitors connection (using the ping tests) by one of the interfaces of the router, and when we are not able to ping from one server (specified in the configuration of the SLA) through the interface, then we change the default track to track traffic through some other interface.

So, in your scenario, we can monitor the connection between E and F, and when the link goes down, we can change the default route to point a.

This is useful in the scenario where we have another ISP connection as our primary connection.

Here is a link on how to configure SLA monitoring on the router:

http://www.Cisco.com/en/us/docs/iOS/12_4/ip_sla/configuration/guide/hsicmp.html

After you have configured the SLA followed by using the link above, you can bind it to the default route by using the following command line:

track road IP / / default main route

IP route 255 / / default route with a metric of higer that comes into play when the main default route goes down

In addition, the sample configuration that you give in the doc is almost correct, defined transformation is missing just a hashing algorithm. Here is a link with an example for a tunnel from lan-to-lan between two routers:

http://www.Cisco.com/en/us/partner/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

Site2site two vpn "Server" for two different ISPS

Hello. I have two lines of two different ISPS. Both are 4 / 4 Mbit/s leased lines. I want to create a vpn site-to site with a few points of end for each of them. I have ASA 5540 firewall as a VPN endpoint on my network. My question is. I have two different VPN? Can I create two outside interfaces and use each one for each ISP one here to create my VPN? I first thought of contexts, but I abandoned em as soon as I saw that there's no VPN with contexts.

Thanks in advance.

Simple topology is

VPN - RTR - ASAOut1 VPN1ISP

-ASAOut2 VPN2ISP

Hello

I understand that you need create a tunnel between ASA 1 and 2 of the ASA with an ISP and the other tunnel on ASA 2 other ASA 2 ISPS.

It is possible as long as you take care of the delivery. For the remote access clients it will end interface ehich has the default gateway.

Site to Site VPN tunnel between two ASA

I use the Site Wizard to Site on an ASA 5520, and ASA 5505 of the ADSM. Both are using 8.4 (5). When you create configurations. You follow the wizard configurations with manual what ACL s to allow the traffic of every subnet connected to talk to each other? Or they are automatically generated in the configuration file? Have not been to school yet to understand how to create the CLI VPN tunnels and what to look for.

Thank you

Carlos

Hello

First, I would like to say that I don't personally use ASDM for the configuration.

But you should be able to configure all the necessary elements for a connection VPN L2L base through the wizard.

I guess that typical problems to do so could relate to the lack of configuration NAT exempt or might not choose the setting "Bypass Interface Access List" that would mean you would allow traffic from the remote site in the 'external' ACL of ASA local interface. Like all other traffic coming from behind the 'outer' interface

If you share format CLI configurations and say what networks must be able to connect via VPN L2L then I could give the required CLI format configurations.

-Jouni

ASA 5520 - SSL VPN (Anyconnect) licenses

Hello

Can someone clarify for me the SSL VPN/AnyConnect for the ASA 5520 license? Specifically, the differences between the AnyConnect Essentials and AnyConnect Premium. Our current license looks like this:

The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 150
Internal hosts: unlimited
Failover: Active/active
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 2
GTP/GPRS: disabled
SSL VPN peers: 2
Total of the VPN peers: 750
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect Cisco VPN phone: disabled
AnyConnect Essentials: disabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled

This platform includes an ASA 5520 VPN Plus license.

I guess that means that we have just the 2 'free trial' SSL VPN licenses and nothing else.

I would like to add 25 or maybe 50 SSL VPN licenses and be able to use a combination of full free client, thin client and groups client AnyConnect. The 'ASA5500-SSL-25' (or 50) would be the correct license I need to buy?

Thank you

Rob

Hello

The essentials license is per device and does not allow full-tunnel.

If you need other features like Secure Desktop, without client SSL and other optional features such as shared licenses, you must go to the Premium license.

http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494_ps10884_Products_Data_Sheet.html

Federico.

SSL VPN license for ASA

It must be an easy question - but I'm having a hard time finding an answer. How are the SSL VPN to the end user a license?

Let's say I have 300 users, SSL, but only 20 concurrent SSL at any time. Do I need licenses for the 300 full or 20 competitors?

Thank you

Jim

Hey Jim,.

SSL licenses for only simultaneous connections. The only limitation you will encounter is how SSL sessions each platform supports (i.e. 750 concurrent sessions on an ASA5520).

Cisco ASA AnyConnect SSL VPN - certificates + token?

Hello

I'm looking for an answer is it possible such configuration:

The Cisco AnyConnect SSL VPN service with two-factor - first method is the Microsoft CA certificate local and second method - a token solution Symantec VIP password?

I don't know if two-factor authentication is user/password from Active Directory + OTP by Symantec VIP there is no problem, because you can send the user + pass with Radius, but with certificates I do not really understand who will check the validity of the certificate, which certificate, we will send you to the RADIUS for the validation server and how the configuration of the point of view of ASA will look like.

Thank you very much for the help!

Hi Alex,

I don't see a problem with having certificate + token to connect to the VPN. Certificate authentication must be performed on the SAA, see an example below:

https://supportforums.Cisco.com/blog/152941/AnyConnect-certificate-based-authentication

Authentication token can be specified as primary/secondary (authentication SDI) on the SAA, an example below:

http://www.Cisco.com/c/en/us/TD/docs/security/vpn_client/AnyConnect/anyconnect31/Administration/Guide/anyconnectadmin31/ac11authenticate.html#pgfId-1060345

It may be useful

-Randy-

SSL VPN

Hello

I want to configure SSL VPN on my Cisco ASA 5510 for more information, then 30 users will have to access simultaneously, but I don't know if my license that allow.

Below is the features of my ASA license:

The devices allowed for this platform:
The maximum physical Interfaces: unlimited
VLAN maximum: 50
Internal hosts: unlimited
Failover: disabled
VPN - A: enabled
VPN-3DES-AES: enabled
Security contexts: 0
GTP/GPRS: disabled
SSL VPN peers: 2
The VPN peers total: 250
Sharing license: disabled
AnyConnect for Mobile: disabled
AnyConnect for Linksys phone: disabled
AnyConnect Essentials: disabled
Assessment of Advanced endpoint: disabled
Proxy sessions for the UC phone: 2
Total number of Sessions of Proxy UC: 2
Botnet traffic filter: disabled

This platform includes a basic license.

Concerning

Walid

You ASA have a license for this. You need to order AnyConnect MORE if you want to use the AnyConnect Client or you have licenses AnyConnect APEX order if you want to use the VPN without client.

The two are not allowed on the simultaneous connections. You must count users who use them. MOR info is in the Guide of command AnyConnect.

SSL VPN without disabled in ASA5505 after the Activation of the AnyConnect client

Hello everyone,

I am facing a problem with the VPN service in ASA 5505. Initially, I was using SSL VPN without customer who was working absolutely fine, no problem. Recently I bought AnyConnect Essentials License with license AnyConnect VPN, Mobile (for focusing on the Client SSL VPN Service for desktop and mobile respectively) and have activated these keys inside of the firewall. After that I may be able to connect to based on the VPN Client, using the AnyConnect client. Clientless VPN access is not allowing you to connect and displays an error (see the attached screenshot).

I created two VPN profiles Viz, basic (for clientless VPN) and rvsvpn (for client based VPN). Download the AnyConnect Client I can connect to the rvsvpn profile. But if I try to connect using the basic profile, it throws an error has been to what is displayed in the exhibition.

Please help me in this regard, as what can be done to use both the vpn connection profile. Or what the use of AnyConnect disables client access?

Waiting for your help.

Thanks in advance.

Samrat.

"Anyconnect essentials" in your configuration command to disable all profiles without customer (as well as other features that require the Premium license).

Essentials and Premium are mutually exclusive as the performance of duties. You can have both installed licenses, but only use one or the other (and never both at once) in your running configuration.

2901 router as an SSL VPN using

Hello world!

I was wondering if someone could give me a hand on this. I'm trying to use a Cisco 2901 to allow remote workers to access resources on the local network using the Client AnyConnect Secure Mobility Client. I just read this doco

http://www.Cisco.com/c/en/us/support/docs/routers/3800-series-integrated...

But it seems it does not support the 2901 platforms. I quote:

WebVPN or VPN SSL technology relies on these router IOS platforms:
- 870, 1811, 1841, 2801, 2811, 2821, no. 2851
- 3725, 3745, 3825, 3845, 7200 and 7301
Is that all just because this topic is old?

Before I have to spend money on the wrong license, I decided to give it a go (above the following article). So, when I went to

' Configure > Security > VPN > SSL VPN > SSL VPN Manager "CCP says I need license"(securityk9). I then followed the link "activate license" and clicked on the tab 'evaluation licenses. But where there are two that seems good:
- securityk9 (the CCP one says it needs)
- SSL_VPN (one who seems reasonable as AnyConnect uses SSL VPN, right?)
What is the license of right? Anyone can enlighten us please?

Also, is there any resource that explains better than all the options and how to configure the AnyConnect on a router ISR2, using CLI?

Thanks in advance

Alvaro

Hello Alvaro,

What IOS version you are using?

Beginning in Cisco IOS version 15.0 (1) M, the SSL VPN gateway is a licensing feature sits a count on Cisco 880, 890 Cisco, Cisco 1900, Cisco 2900 and 3900 Cisco platforms. A Chair does refers to the maximum number of sessions allowed both.

For more information, go through:

http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_sslvpn/CONFIGU...

"Please note useful posts.

How SSL VPN packages for two ASAs clustered licenses

Similar Questions

Maybe you are looking for