Reasons for Choosing Cisco AnyConnect: Cisco Support and partners are very skilled over it. Reviewer Source. Source: Capterra. February 19, 2021. Automotive, 1001-5000 employees. Used the software for: 1-2 years. AnyConnect Essentials and Premium Licensing. We've had contradicting advice on AnyConnect licensing. We currently have two 5520 appliances in active/standby, each ASA had an AnyConnect Premium (50 peers) license installed, but following the (very sensible) change in 8.3 (I think), the total available premium peers is now 100, since we can now.
This post will try to help understand the differences between anyconnect premium and anyconnect essentials licenses.
For a more complete understanding of all of the licensing on the Cisco ASA see this post.
Note: You cannot have both Essentials and Premium running at once.
Note: Cisco ASA 8.3+ no longer requires both the Active and Standby unit to each have a license. The active license is shared between the failover units. This should not be confused with the ‘shared premium license’.
Note: Cisco Secure Desktop is now deprecated. Cisco has stopped development for it.
Source of this image: Cisco’s Partner Education center – ASA Licensing Webex.
To enable AnyConnect essentials:
Purchase the license (L-ASA-AC-E-55xx= it costs $100-$500).
Apply the license to the ASA using the activation-key command. This does not require a reboot.
Apply the config:
Now your firewall will be licensed to have up to however many connections that are on the “Total VPN Connections”. For instance if your show version says this:
You will now be licensed to accommodate 250 anyconnect connectionns.
To enable AnyConnect Premium
Buy the license. You must purchase a license for a specific number of users (L-ASA-SSL-10= costs around $800).
Apply the license to the ASA using the activation-key command. This does not require a reboot.
Configure the ASA:
If you’ve already licensed this ASA for Essentials in the past then it will still show as an enabled license.
Once this is complete your ASA will be licensed to accept however many Anyconnect connections as you have Premium Licenses for. So if your show version looks like this:
Then your ASA can have 10 Anyconnect or webvpn users at once.
Note: The name “Anyconnect Premium” has changed a lot in different versions. Here are the different naming schemes.
- 7.1(1) known as “ssl vpn”
- 8.2(1) name changed to “anyconnect premium ssl vpn edition”
- 8.3(1) name changed to “anyconnect premium ssl vpn”
- 8.4(1) name changed to “anyconnect premium”
AnyConnect for Mobile
This license allows AnyConnect connections from mobile devices. There is current support for iPhone, iPad, Android version 4.0 and up, rooted Androids and Samsung Galaxy’s.
The mobile license is on or off and not tied to a number of users. It costs between $100-$500.
This license is applied by simply using the activation-key command. A reboot is not needed. There is no further configuration needed after that.
Advanced Endpoint Assessment
Advanced Endpoint Assessment includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant computers to meet version requirements.
This license is applied by simply using the activation-key command. A reboot is not needed.
Shared Premium License
New to ASA 8.3+ code is the ability to share licensing. This is only for Anyconnect Premium. It allows for one ASA to have a shared license which other ASAs can use.
This configuration requires two extra licenses. A license is needed for the shared server which indicates how many shared licenses there are and there also is a need for any participating ASAs.
After buying a shared participant license and applying it with the activation-key command, configure it with a command similar to this:
license-server address 10.15.0.15 secret SeKreTkey
The show version on the participant ASA will show this:
Now buy the shared premium license for the server for the amount of users you wish to have.
Apply the license using the activation-key command. Then apply the following config:
The show version at this point looks like this:
Also you can see the show shared license output:
If the license count isn’t going up when joining a shared pool here are a couple of other settings that may help you:
These two settings will limit how many sessions this host or the other hosts can use. This may be set already and limiting what is usable.
More and more, employees wish to work on corporate laptops as well as personal mobile devices from anywhere. With the Cisco AnyConnect Secure Mobility Client (Figure 1), you can empower your employees to do this and still provide the security necessary to help ensure that your organization is safe and protected. Cisco AnyConnect is a unified security endpoint agent that delivers multiple security services to protect the enterprise. It also provides the visibility and the control you need to identify who and which devices are accessing the extended enterprise. Cisco AnyConnect wide range of security services include functions such remote access, posture enforcement, web security features, and roaming protection. Cisco AnyConnect gives your IT department all the security features necessary to provide a robust, user-friendly, and highly secure mobile experience.
For End Users
●Highly secure access across popular PC and mobile devices
●Consistent user experience
●Intelligent, dependable, and always-on connectivity
For Security Administrators
●Low total cost of ownership from a single client providing multiple services
●Context-aware, comprehensive, and continuous endpoint security
●Extending flexible, policy-driven access to corporate resources across wired, wireless, and VPN.
The industry-leading VPN Secure Mobility Client is a modular endpoint software product. It not only provides VPN access through Secure Sockets Layer (SSL) and IPsec IKEv2 but also offers enhanced security through various built-in modules. These modules provide services such as compliance through the VPN with ASA or through wired, wireless, and VPN with Cisco Identity Services Engine (ISE), web security along side Cisco Cloud Web Security, network visibility into endpoint flows within Cisco Secure Network Analytics, or offnetwork roaming protection with Cisco Umbrella. VPN clients are available across a broad set of platforms, including Windows, macOS, Linux, iOS, Android, Windows Phone/Mobile, BlackBerry, and ChromeOS.
Major features are shown in Table 1.
Anyconnect License Cost
Table 1.AnyConnect Secure Mobility Client Features
Feature | Description |
Unified Endpoint Compliance | The Cisco AnyConnect ISE Posture Module in Cisco ISE deployments provides unified endpoint posture checks and automated remediation across wired, wireless, and VPN environments. This module serves as the main source of endpoint posture checking for OS levels, latest antivirus/spyware/malware updates, application and hardware inventory and other endpoint checks to determine compliance state and strengthen endpoint security. For VPN only environments, the Cisco Adaptive Security Appliance provides endpoint posture using Cisco AnyConnect Hostscan Module. |
Highly Secure Network Access | The Cisco AnyConnect Network Access Manager provides superior connectivity features. Administrators can control which networks or resources for endpoints to connect. It provides an IEEE 802.1X supplicant that can be provisioned as part of authentication, authorization, and accounting (AAA) capabilities along with some unique encryption technologies such as MACsec IEEE 802.1AE. |
Web Security | A built-in VPN module implements web security either through the on-premise Cisco Secure Web Appliance or the cloud-based Cisco Secure Web offering. Combining web security with VPN access, administrators can provide comprehensive, highly secure mobility to all end users, which is vital for bring-your-own-device (BYOD) deployments. Enterprises have a choice of deployments to defend the network against web malware and to control and safeguard web usage. |
Network Visibility | The VPN Network Visibility Module on Windows, macOS, Linux, and Samsung Knox-enabled devices gives administrators the ability to monitor endpoint application usage to uncover potential behavior anomalies and to make more informed network design decisions. Usage data can be shared with NetFlow analysis tools such as Cisco Secure Network Analytics. |
Off-Network Protection(DNS-Layer Security) | Cisco Umbrella Roaming is a cloud-delivered security service that protects devices when they are off the corporate network. Whether users turn off the VPN or forget to turn it on, Umbrella Roaming enforces security at the DNS layer to protect against malware, phishing, and command-and-control callbacks over any port or protocol. |
Mobile Device Support | Administrators need to support end-user productivity by providing personal mobile devices with remote access to the company network. VPN services can be deployed on the most popular devices used by today’s diverse workforce. Highly secure remote access can either be device-based or through select per-application VPN, which eliminates unapproved applications from accessing confidential business resources further reducing malware intrusion risks and bandwidth costs for remote access. |
Cisco AnyConnect Secure Mobility Client
For more information, visit the following sites:
●Licensing and ordering: The Cisco AnyConnect Ordering Guide covers licensing for VPN, clientless SSL VPN, and third-party Internet Key Exchange version 2 (IKEv2) remote-access VPN usage.
●Cisco AnyConnect Secure Mobility Client: https://www.cisco.com/go/anyconnect.
Anyconnect Apex License Cost
●Cisco ASA 5500-X Series: https://www.cisco.com/go/asa.
●To view buying options and speak with a Cisco sales representative, visit https://www.cisco.com/c/en/us/buy