Yet Another ASA VPN Licensing Question :)

I have a pretty good understanding of ASA VPN concepts, but I'm not sure about this scenario. Two questions regarding 5525 VPN SSL Anyconnect Premium Licensing.
1. Assuming we already own an ASA 5525-x with 750 Anyconnect Essentials and Mobile (p/n ASA5525VPN-EM750K9) and want the ability for 200 Clientless (Anyconnect Premium) VPN connections, including mobile devices, what part number do I need?
2. Assuming we do not yet own an ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need? I'm assuming this is correct  >>  ASA5525VPN-PM250K9
Thanks!

It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
Anyhow, no, there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

Similar Messages

  • VPN License question on 5505 ASA Firewall

    Inherited a firewall project, it's getting a VPN running on an ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available.
    Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
    Thank you in advance,
    Jeff

    Hi Linda,
    The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
    -Mike

  • ASA 5505 VPN licensing question

    I have three locations that I want to connect via site-to-site VPNs deployed on three ASA 5505s. How does the term "Peers" in the licensing text affect my scenario? Is each ASA one peer in a site-to-site solution, or is each user transmitting data in the established tunnels also counted?

    Users transmitting across the site to site tunnel are not counted. Only the peers themselves.

  • Asa failover & SSL vpn license question

    With a failover pair, if you want to purchase an SSL license, do you have to purchase the same license for each one, or can they 'share' a license since only one will ever be active?

    Steven,
    You must purchase a license for each and every device on which you want to enable the SSL feature. It does not matter if the chassis is in active or standby mode in failover, you need a separate license.
    Regards,
    Arul
    *Pls rate if it helps*

  • Asa vpn ip question

    Hi all,
    I feel like this is a dumb question, but I can't seem to find the documentation fitting my scenario on Cisco. I can set up VPN without any problems. My issue though is that all the configuration examples rely on the outside interface IP as the "PEER IP" in L2L or target IP in RA. Is there any special configuration needed to use a public IP other than my outside interface?
    Example:
    outside interface (ASA) ip 1.1.1.1
    L2L vpn ip 1.1.1.2
    RA vpn ip 1.1.1.3
    Gateway ip 1.1.1.4
    I want to use 1.1.1.2 and 1.1.1.3 in my ASA configuration instead of using the outside interface, but I'm unsure as to where I define this parameter...
    Any suggestions using this example?
    Tia,
    Fred

    Fred, you are right in stating all docs pertaining to L2L VPN point to the outside interface as it is the most commonly set up scenario. I am not aware you could do what you are trying to do using a different IP as your VPN termination point instead of the actual IP address of the interface; if there is a way, I'm willing to learn it.
    You could however, not that I have tried it but will see if I could simulate this at some point in future, would be to have three outside subinterfaces: one sub for L2L 1.1.1.2 end termination point, one sub RA 1.1.1.3 and your outside physical with 1.1.1.1. This is just a thought, perhaps we could see some other comments.
    Rgds
    Jorge

  • Cisco ASA -VPN Ping Question

    Hey guys, I have a Cisco ASA 5505 8.4. I have a Remote Access VPN up and working...for the most part. When I VPN in I would like to be able to access our Mitel phone manager, which is just an internal IP you put in the browser. Here is the issue: when I am connected I can't ping the address of 10.0.0.250. But I can ping my other servers 10.0.0.2 and 10.0.0.3. Why can I ping some addresses but not others?
    Thanks
    Nick

    Hi,
    Are you saying that the ASA replaced the previous device that acted as the default gateway for the phone system? And also the IP address was changed and this was not taken into consideration on the phone systems network configurations?
    This would indicate that the problem is with the phone system having the old gateway IP address configured, and it doesn't know where to forward the traffic that is coming from a different network (for which it would require the correct default gateway).
    If the internal network that can ping and access the phone system means the hosts that are on the same internal network with the phone system (10.0.0.x) then this is expected, as the default gateway is not needed between the hosts in the same network as they communicate directly.
    So the problem would now simply be with the default gateway IP set on the phone system.
    - Jouni

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-2-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto-maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you do the following packet tracers to see the features the ICMP packet is hitting when the request is sent?
    I will need the output of the following commands:
    1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!

  • ASA VPN client question

    Hello.
    I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
    The connection with the Easy VPN server is OK but I can no longer connect to the internet or create VPN connections to my ASA5505 when I enable the feature.
    Is this a normal condition with Easy VPN Client enabled?

    u need to do split tunneling on ur vpn server and apply it to the vpn client config on the vpn server so that it encrypts only traffic destined to the server side private network
    lets say the private network behind the vpn server is 192.168.1.0/24
    so make a standard ACL
    access-list split standard permit 192.168.1.0 255.255.255.0
    group-policy [ur group policy name] attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    then when u connect from the easy client only traffic to 192.168.1.0 will go through the tunnel other traffic will not be part of encrypted traffic
    good luck
    Rate if helpful

  • ASA VPN configuration question

    I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
    But it seems to be trying to use the DefaultRAGroup and then the DefaultL2LGroup one. What do I need to do to ensure it uses the new one I have set up?

    The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.
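
A check for the rule in the answer above, as an added example that is not part of the original thread: it scans a saved ASA configuration for site-to-site peers that have no tunnel-group named after their IP address, and for ipsec-l2l tunnel-groups whose name is not an IP address. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config using documentation address ranges (not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 set peer 198.51.100.7
crypto map outside_map 30 set peer 192.0.2.44 192.0.2.45
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
tunnel-group PARTNER-VPN type ipsec-l2l
tunnel-group PARTNER-VPN ipsec-attributes
tunnel-group 192.0.2.44 type ipsec-l2l
tunnel-group RA-USERS type remote-access
"""

PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (.+)$")
GROUP_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")


def is_ip(name):
    """True if a tunnel-group name parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_l2l_tunnel_groups(config_text):
    """Compare crypto map peers with the names of ipsec-l2l tunnel-groups."""
    peers, l2l_groups = set(), set()
    for line in config_text.splitlines():
        line = line.strip()
        m = PEER_RE.match(line)
        if m:
            peers.update(m.group(1).split())  # one entry may list backup peers
            continue
        m = GROUP_RE.match(line)
        if m and m.group(2) == "ipsec-l2l":
            l2l_groups.add(m.group(1))
    return {
        # Peers with no matching name are the ones that end up in a default group.
        "peers_without_group": sorted(peers - l2l_groups),
        # Named L2L groups are flagged for review against the rule in the answer.
        "groups_not_named_by_ip": sorted(g for g in l2l_groups if not is_ip(g)),
        # IP-named groups left behind after a peer was removed from the crypto map.
        "groups_without_peer": sorted(g for g in l2l_groups if is_ip(g) and g not in peers),
    }


if __name__ == "__main__":
    for finding, names in audit_l2l_tunnel_groups(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```
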

  • Yet another Applescript file renaming question...

    Hi all,
    Well, having been a full-time Applescripter for five years at Apple, I thought it would be easy to dust my chops off and write a simple script to get a file name from one folder and paste that name onto a file in another folder.... but I guess 15 years of no-scripting has proven too much of a challenge to my aging brain... and I am on a time crunch to get this done for my client.
    SO, here is what I'm hoping to get help with.  I have no doubt it is pretty simple.
    File "A" is in a folder.
    File "B" is in a different folder.
    I need to GET the name of File A and use it to rename File B.
    Can one of you youngin's take 30 seconds and help an old dude out?
    Thanks a bunch,
    matt

    Niel... almost there.
    The script works perfectly (with me placing the path instead of just the folder)... thank you so much.
    One extra thing though... I didn't realize that the files are different file types (jpg and psd).
    So what do I need to do to change the name without changing the file type?
    THANKS again!
    Matt

  • Yet another Playbook VPN issue

    I have a client that needs to upgrade their router. Since they now have the Playbook can anyone suggest a router, preferably wireless, that will work with the Playbook VPN connectivity? Recent discussion with Cisco states that none of the Small Business series routers will work as they only support the QuickVPN client on Windows environment.
    Thank you

    look at the netgear n600
    Be a Shepard and not an iSheep.

  • Yet another missing album art question...

    OK, I just received my second 80 GB Apple ipod Classic. The first one was defective out of the box and this (these?) is (are?) my first ipod. I'd heard all the horror stories about itunes and since I have other media players, ripping and tagging utilities I'm happy with, I really have no intention of using itunes for anything more than updating my ipod and manually synching my music.
    I do have one question though. How do I get album art to display for my music? First of all, I unchecked every option in itunes that I could find about updating missing data and downloading album art. I even unchecked the box under My ipod that says "show album art" (maybe mistakenly thinking that was referring to synching album art). All of my mp3's are tagged properly and have the album art, scanned by me from my actual discs, embedded in the file in the album art tag. I would think these should display if the ipod is capable of displaying album art, regardless of any checkboxes I've fooled with in itunes, but all I get on my ipod are little gray boxes with black musical note symbols in them.
    What did I do wrong? Does anyone have any ideas? Thanks in advance.
    Sincerely,
    - Byron Followell

    bfollowell wrote:
    I even unchecked the box under My ipod that says "show album art" (maybe mistakenly thinking that was referring to synching album art).
    That's indeed the reason your album art doesn't show on the iPod. Check this box, maybe resync, and the iPod should show the images you embedded in the mp3-files.
    Matko
    Btw, If you scan and add album art yourself a lot, you might want to have a look at this site :
    http://www.albumartexchange.com/

  • Yet another "font not available" question

    Hello,
    First, I'm using FM 8.1.3 on Windows (XP). So I don't have the Font Pod or any of that other FM 10 good stuff.
    I'm trying to open a chapter in a book that contains both English and Simplified Chinese text. The error I keep getting says that "MS Mincho" is not available, and a Kazuka Gothic font is being substituted. I click OK and the file opens. I save and close the file. Then I try to open it again and the error is still there. All of the chapters in the book have the same problem.
    I saved one of the chapters as a .mif and opened that as a text file. I searched for "Mincho", and it wasn't there. I searched for "FFamily" in the file and didn't find anything similar to Mincho in any of the references. There were many entries but no unfamiliar fonts being referenced.
    I also tried the trick of opening all the files, accepting the substitution for each, and then trying to update the book. That doesn't seem to work. The update is finished much too quickly. Something flashes by really quickly in the status bar of the book file - I thought I saw titles of a couple of the chapters (different title each time I ran the update), but (1) the book file does not have a new time stamp, even if I do something that should trigger a change to the book file, eg, change the order of a couple of chapters in the book file, and (2) there's no error message. I don't think it actually did an update. (When I try to update the book with all the chapter files closed, I'm still getting the "could not open file because of missing font" errors.)
    Are there any other things I might try?
    Thanks,
    Joyce

    Joyce,
    You have your preferences set to Remember missing fonts. When you open a file with missing fonts, FrameMaker warns you; but when you click OK, it opens the file with the substituted font just to display the document. FrameMaker does NOT substitute the font permanently, just for the current display. If you make a change and save the file, you are saving any content changes but not the font substitution.
    If you are happy with the substituted font, you can open the preferences and uncheck Remember missing fonts. Then when you open the file, FrameMaker's response is as before; however, when you save the file, the font substitution is saved in the file.
    You can then turn Remember missing fonts back on, if you want. The purpose of this feature is to allow you or others to edit the document without actually having the font on your system but retain the font information in the file.
    Van

  • Yet another rm-1500 related question

    I've bought sound blaster 24bit external because I needed better sound quality on my laptop. And I was more than happy to get a remote too. But it appears that this little device has shortened my life by 5 years. Whole week I was trying to make it work. I have browsed google for hours. How to turn the device sleep (stand by) off!? Whenever it automatically goes to sleep mode, to use it again I have to sit for 2 min and press the buttons on remote rapidly til the thing starts to work. Mainly I've tried to control winamp, so I downloaded rmx, which is by no doubt good plugin. Everything works fine except that frustrating stand by mode. Plz help.
    PS all drivers updated.

    sicboy188 wrote:
    basically the pc asks for a "network key" which i am assuming is the network password i setup, but this never works.
    What encryption are you using?
    Problems connecting an XP PC to an Airport Base Station
    http://tech.ifelix.net/2002.html
    iFelix

  • Asa in active/active vpn solution licensing question

    Hello All
    I have a customer with the following requirements:
    1) A Cisco VPN Solution that will support SSL VPN and Cisco Client VPN - The solution will be a failover configuration running in an active-active set up. The solution offered will be fully supported (i.e. it will not go into End of Life or any lower level of support etc) by Cisco for the next 5 Years.
    a. We would expect the devices to be similar to the ASA 5520 Appliance with SW,HA,4GE+1FE,3DES/AES (Including ASA 5500 Advanced Endpoint ASS)
    2) User  licenses for the above - Please quote for both the following
    a. 500 appropriate SSL VPN User Licenses
    b. 250  appropriate SSL VPN User Licenses
    I am quoting them for the 500 ssl vpn bundle
    ASA5520-SSL500-K9 and for the
    ASA5520-BUN-K9.
    Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
    Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
    http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
    Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
    Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
    Also “Failover  Guidelines
    •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
    I also need to purchase the
    ASA-ADV-END-SEC and
    ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
    Do I need to buy this for both asa's or can they share them in active/active mode.
    Thanks in advance.
    Feisal

    Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
    So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
    Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
    My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
    Is that incorrect?
    Many thanks
    Rays
