ASA SSL licensing

We have a 5520 ASA with a 100 user ssl license. We need to increase this but 250 is overkill. Is there an option to just add 50 more licenses or do we have to go up to 250?

That's right - the next level after 100 is 250. Please refer to this post for more details.

Similar Messages

  • ASA SSL Licensing query

    Hi,
    We are planning on putting Active/Standby pairs of ASA CSC bundles at three of our sites. We would also like to use these pairs as SSL head end devices.
    The question is whether we really need to purchase two sets of SSL licenses (and for that matter CSC user licenses) when only one device will ever be active in the proposed scenario?
    I would be very grateful if anyone can clear this up as I have not been able to find anything definitive on Cisco's web or through their distribution channels.
    Thanks
    Richards

    Hi Raj,
    Thanks for the response, I was worried that this was the case. Are you totally sure, have you deployed a similar scenario?
    We're looking at the 500 user license (list at $30k) so it is harsh that we need to purchase the license twice. I'm sure Cisco will rectify this over time though.
    Thanks

  • Ikev2 VPN without using a SSL license? (ASA-5512)

    Hi All,
    I've enabled Cisco "Anyconnect Premium Peers" for clientless ssl vpn connections, the obvious catch is that for ikev2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for "Total VPN Peers : 250").
    * Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
    * Do I have to consider 3rd party vpn clients, outside Anyconnect?
    cya
    Craig

    Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
    If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
    In a situation like that where lots of AnyConnect sessions were needed and only a couple of clientless sessions, I installed AnyConnect Essentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN premium licenses it was much cheaper than buying Premium licenses for all VPN users.

  • Upgrade SSL License for ASA5540

    Hi,
    I have ASA5540 with 1000 SSL-VPN License, then I would like upgrade from 1000 to 2000. Which part I have to add between
    L-ASA-SSL-1000=
    L-ASA-SSL-1K-2500=
    ASA5500-SSL-1000=
    Thanks,
    Pongsatorn

    SSL-VPN licenses are not additive. So if you want to move up from a 1000 user license, the next tier is 2500 users. The second SKU above is the correct part to order in that case.
    The first SKU is for 1000 users only (base AnyConnect Premium license for 1000 users). The third SKU is another way of packaging the same thing as the first one.

  • TN3270 Plugin / ASA SSL Portal

    Hi Guys, I'm working on the ssl portal of my company and we need to have a 3270 emulator available in it. Do you know if there is a tn3270 plugin for cisco asa ssl portal? Or is there a workaround to make it work?
    Thanks in advance,
    Regards
    Oscar

    Hello,
    Regarding the plugin, nope. There are not that many plug-ins available.
    So you have two other options:
    1- Smart tunnel (You do not need to have administrative rights over the remote system, you only need to have the application locally installed)
    2- Port-forwarding (You do need to have administrative rights over the remote system and have the application locally installed)
    If those do not fit your expectations I will go for a tunnel-all vpn (Anyconnect or Ipsec remote access)
    Hope I could help.
    Julio
    Do rate all the helpful posts

  • Yet Another ASA VPN Licensing Question :)

    I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario.  Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
    1.  Assuming we already own an ASA 5525-x with 750 Anyconnect Essentials and Mobile ( p/n ASA5525VPN-EM750K9 ) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?
    2.  Assuming we do not yet own an ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need?   I'm assuming this is correct  >>  ASA5525VPN-PM250K9
    Thanks!

    It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
    Anyhow, no there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
    If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

  • ASA SSL trustpoints

    Hello,
    I have a scenario where a web server is hosted on the inside and users accessing it through https are being authenticated first on the ASA (there is a certificate installed on the ASA for secure access).
    I want to add another web server and do the same setup. Will I need a separate certificate on the ASA? (Can I have multiple certificates for the same trustpoint, knowing that I can assign only one trustpoint on the outside interface?)
    What's the best practise?

    Yes you can assign the trustpoint to be used for SSL connections on the outside interface.
    A trustpoint contains the identity of a certificate authority, CA-specific configuration parameters, and an association with one enrolled identity certificate. You need one trustpoint to connect with the Citrix server. You can configure up to two trustpoints, each to be assigned to a different interface on the security appliance; however, you can assign a single trustpoint to two interfaces.

  • ASA SSL Portal : Remove Application help

    Hello,
    I've done some customization on the SSL Web portal on an ASA 8.2.
    Everything's fine except I want to remove the help column on the right when I click on application.
    See the attachment the column entitled 'Terminal Servers Help'
    Regards

    Yes it works. so easy !
    Thanks much.

  • Accessing Home Dir's via ASA SSL VPN

    I have an ASA 5540 and an ACS 4.0. i am configuring an SSL based VPN for users in an active directory. I want to give the users access to their Windows Home Dir and have created a CIFS link in the URL list in the tunnel group policy for those users.
    I want to give the users access to \\SERVER\Share\%username% as it is described in windows terms. How do I go about this in the ASA, as the above does not work at all? The ASA wants to use the / instead of \ in the CIFS shares. It works fine for normal shares and hidden shares specified with $, but not using the %username% variable.
    The documentation on SSL VPNS on both ASA and ACS 4.0 is terrible.
    Best regards,
    Neal Lewis

    This question might be a bit outdated, yet I stumbled across it since even in times of OS 8.4(3), I've had exactly the same problem. Meanwhile I've found the solution to it:
    You can work with the usual WebVPN variables which ASA offers for single sign-on (SSO) purposes. The following example works for my customer for a profile in which he applies two-factor authentication and allows his users to access their Windows home share using SSO (using the secondary WebVPN login information, which is their AD login name, accessed via LDAP):
    Bookmark URL:
    cifs:///CSCO_WEBVPN_SECONDARY_USERNAME%24 (where %24 is a code substitution for the '$' sign)
    SSO config:
    group-policy attributes
      webvpn
        auto-signon allow ip auth-type ntlm username CSCO_WEBVPN_SECONDARY_USERNAME password CSCO_WEBVPN_SECONDARY_PASSWORD
    There are two important things to consider, though:
    The share name *must* match the user's login name
    The folder effectively has to be configured to be a share (not just an ordinary folder). My tests have shown that it doesn't work even if that desired, ordinary destination folder is a subfolder of an accessible share.
    Hope that helps other people.
    Toni

  • ASA SSL VPN not working

    Dear Sir,
    I have a windows 2003 server and an ASA 5512
    I'm trying to use SSLVPN and it was all working, and I don't believe any configs on either box have been changed.
    On Friday people were connecting, but now I get a message "Login Error" in the browser.
    In the ASDM home 'latest ASDM Syslog Messages' I get "AAA authentication server not accessible", followed by two messages
    AAA Marking LDAP server in group as FAILED
    AAA Marking LDAP server in group as ACTIVE
    When I go to configuration --> Remote Access VPN --> AAA/Local Users AAA server groups and click on my RADIUS server and click Test, it takes a while and says ERROR: AD agent Server not responding: No error
    If I stop my IAS server on my Windows box i get the same error but much more quickly.
    I have a SonicWall set up doing the same thing, and RADIUS seems to work happily, so I don't think it's the server config...
    Do you have any ideas what may have changed?
    Thanks
    Dave

    Dear Jennifer, I'm using IAS (windows RADIUS server) it was working fine, and I'm not aware anything changed...
    when i 'test' the aaa server it says ERROR: AD-agent server not responding: No Error
    I have an old SonicWall firewall doing the same thing and it tests successful, implying RADIUS is working OK, if you want a screenshot?
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server tethys protocol radius
    ad-agent-mode
    aaa-server tethys (inside) host 10.11.1.10
    timeout 5
    key *****
    radius-common-pw *****
    aaa-server tethysLDAP protocol ldap
    aaa-server tethysLDAP (inside) host 10.11.1.10
    ldap-base-dn DC=tethys,DC=net
    ldap-scope subtree
    ldap-naming-attribute sAMAccountName
    ldap-login-password *****
    ldap-login-dn CN=SSLVPNAdmin,CN=Users,DC=tethys, DC=net
    server-type microsoft
    no user-identity enable
    user-identity default-domain LOCAL
    aaa authentication ssh console tethys LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 10.11.1.73 255.255.255.255 inside
    http 10.11.1.10 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ca trustpoint ASDM_TrustPoint0
    crl configure
    crypto ca trustpoint ASDM_TrustPoint1
    crl configure
    crypto ca trustpoint ASDM_TrustPoint2
    crl configure
    crypto ca trustpoint ASDM_TrustPoint3
    keypair ASDM_TrustPoint3
    crl configure
    crypto ca certificate chain ASDM_TrustPoint3
    certificate ca 0400000000012f4ee14143
        3082045a 30820342 a0030201 02020b04 00000000 012f4ee1 4143300d 06092a86
        de36bf03 04003df9 ef9ea967 a4f4863e 2397b82a 71e2edfe 698867bf 265c
      quit
    certificate 112119e126c272d2d5aabd8bb4a6f90fe78b
        308204f3 308203db a0030201 02021211 2119e126 c272d2d5 aabd8bb4 a6f90fe7
        a07c90b2 5e4c1b59 56bec070 d5a77145 5b74297f 68c7d6
      quit
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint3
    telnet 10.11.1.10 255.255.255.255 inside
    telnet 10.14.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.11.1.10 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    Result of the command: "sh aaa-server protocol ldap"
    Server Group:  tethysLDAP
    Server Protocol: ldap
    Server Address:  10.11.1.10
    Server port:  0
    Server status:  ACTIVE, Last transaction at unknown
    Number of pending requests  0
    Average round trip time   0ms
    Number of authentication requests 205
    Number of authorization requests 1
    Number of accounting requests  0
    Number of retransmissions  0
    Number of accepts   0
    Number of rejects   0
    Number of challenges   0
    Number of malformed responses  0
    Number of bad authenticators  0
    Number of timeouts   206
    Number of unrecognized responses 0
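
    The counters in the output above can be read mechanically. This is an added example, not part of the original posts: it parses a `show aaa-server` block and classifies it; the function names, labels and the 20% threshold are assumptions made for illustration, and the sample is copied from the output quoted in the post.

```python
import re

# Counter block copied from the "sh aaa-server protocol ldap" output in the post.
SAMPLE = """\
Server Group:  tethysLDAP
Server Protocol: ldap
Server Address:  10.11.1.10
Server status:  ACTIVE, Last transaction at unknown
Number of authentication requests 205
Number of authorization requests 1
Number of accounting requests  0
Number of accepts   0
Number of rejects   0
Number of challenges   0
Number of timeouts   206
"""

def parse_aaa_stats(text):
    """Split one server block into header fields and integer counters."""
    fields, counters = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Number of (.+?)\s+(\d+)$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {"fields": fields, "counters": counters}

def triage(stats):
    """Label a server block (labels and threshold are illustrative assumptions)."""
    c = stats["counters"]
    sent = sum(c.get(k, 0) for k in ("authentication requests",
                                     "authorization requests",
                                     "accounting requests"))
    answered = sum(c.get(k, 0) for k in ("accepts", "rejects", "challenges"))
    timeouts = c.get("timeouts", 0)
    if sent == 0:
        return "no-traffic"
    if answered == 0 and timeouts >= sent:
        # No reply was ever counted: the requests are not being answered at all,
        # which is a different failure from the server rejecting credentials.
        return "server-never-answers"
    if timeouts / sent > 0.2:
        return "intermittent-timeouts"
    if c.get("rejects", 0) > 0 and c.get("accepts", 0) == 0:
        return "all-rejected"
    return "healthy"

if __name__ == "__main__":
    print(triage(parse_aaa_stats(SAMPLE)))
```

    For the posted output, every one of the 206 requests ended in a timeout and none was accepted or rejected, so the "ACTIVE" status line alone does not show that the server is answering.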

  • ASA SSL Authentication special characters

    Hi,
    I have a ASA 5540 configured in WebVPN to authenticate users through an ACS server. The ACS server can use my Active Directory Users Database.
    a user with those credentials:
    login : testuser
    pass : céli20
    can login through Remote Access VPN (classic cisco ipsec vpn client)
    but can't through the webvpn portal page..!! If we change the password and remove the "é" it can log in... How to allow special characters in the webvpn session connection?

    ASDM does not support any non-English characters or any other special characters. If you enter non-English characters in any text entry field, they become unrecognizable when you submit the entry, and you cannot delete or edit them.
    If you are using a non-English keyboard or usually type in language other than English, be careful not to enter non-English characters accidentally. For a workaround, see caveat CSCeh39437

  • ASA CSC License renewal

    Hi!
    I have a general question concerning a CSC renewal for an SSM module. The license will expire in mid-October but I already have bought a renewal.
    If I register the PAK on Cisco's site today, does the new license count from today or from when the old license has finally expired?
    If it would start counting from today I would waste some time of my previous license.
    Does anybody know?
    Thx..Andy

    If you have got a license file with you as well, which you can possibly download from cisco.com and try to open that with a notepad you will see the start date and the end date.
    That will have a start date from when the previous license expires.
    So you will not be losing a single day in this case
    Sachin

  • Asa 3des license installation

    Hi all,
    Is it required for the 3des license upgrade for the asa5510 to reboot for the further configuration of site2site tunnels?
    thanks
    Anand

    Hello Anand,
    The reboot is not required for the activation of this key,
    Any other question...Sure.. Just remember to rate all of my answers.
    Julio

  • ASA SSL digital Certificates

    I have a single URL which will direct users to one of four ASA5520 devices, can I export a single certificate onto all four devices or do I require four individual certificates?

    You can export the certificate using the crypto ca export command. If a security appliance has trustpoints that share the same CA, only one of the trustpoints sharing the CA can be used to validate user certificates.

  • Asa failover & SSL vpn license question

    with a failover pair, if you want to purchase an SSL license, do you have to purchase the same license for each one, or can they 'share' a license since only one will ever be active?

    Steven,
    You must purchase license for each and every device that you want to enable SSL Feature. It does not matter if the chassis is in active or standby mode in failover, you need a separate license.
    Regards,
    Arul
    *Pls rate if it helps*
