Cisco Secure Remote Access Cisco ASA 5500 Series SSL/Ipsec VPN Edition [Cisco ASA 5500-X Series Next-Generation Firewalls]

Delivering Safe, Secure, and Flexible Remote Access to Any Location

Today's remote-access VPN deployments require the ability to safely and easily extend corporate network access beyond managed desktops to different users devices, while protecting these endpoints and key corporate resources from ever-evolving threats.

Secure Remote Access, powered by the Cisco^® ASA 5500 Series SSL/IPsec VPN Edition enables organizations to securely and seamlessly provide resources access to a broad array of users, contractors, and business partners on the largest variety of mobile and fixed endpoints.

Supporting a wide range of deployment and application environments, the ASA 5500 Series delivers maximum value to your organization with the most comprehensive set of Secure Socket Layer (SSL) and IP security (IPsec) VPN features, performance, and scalability in the industry. The solution, comprised of a single unified platform: the ASA 5500 series and the AnyConnect Secure Mobility Client, enables organizations to use a powerful combination of seamless controlled access and market-proven, best-of-breed firewall, intrusion prevention inspection and web threat prevention that enables mobile workers to be productive while protecting corporate interests. With inclusive support for unrestricted full-network access, as well as controlled access to select web-based applications and network resources, the platform provides the flexibility required by any VPN deployment (Figure 1).

Industry-Leading Secure Mobility Technology for Your Organization

The ASA 5500 series VPN Edition offers the growing list of AnyConnect industry-leading Secure Mobility features and the simplicity and ubiquity of clientless secure access. The ASA - AnyConnect Secure Mobility solution is easy to deploy and simple to use. Its client and clientless options respond securely and dynamically to today's wide array of fixed and mobile endpoint requirements by offering granular access controls and robust endpoint security. As a result, it maintains the integrity of confidential information to solve the unique challenges associated with diverse user groups and endpoints accessing the enterprise network. The AnyConnect Secure Mobility solution also offers integrated web security protection via the AnyConnect client. By seamlessly redirecting select traffic to either an on-premise appliance, or to a cloud-based service for off-VPN web traffic protection, the AnyConnect client provides consistent policy and security without having to backhaul public Internet-bound traffic.

Figure 1. Customizable SSL VPN and IPsec Services for Any Deployment Scenario

Cisco ASA 5500 Series-Secure Remote Access: Profile and Benefits

Deployment flexibility: Extends the appropriate remote-access VPN technology, either clientless or full network (SSL/TLS, DTLS, IPsec IKEv1 or IKEv2) access, on a per-session basis, depending on the user group or endpoint accessing the network, its security posture, and administration's policies.

Comprehensive network access: Broad application and network resource access is provided through Cisco's AnyConnect Secure Mobility client, an automatically downloadable network-tunneling client that enables access to virtually any corporate application or resource.

Ubiquitous clientless access: Delivers secure remote access to authenticated users on both managed and unmanaged endpoints, enabling increased productivity by providing "anytime access" to the network.

Granular control: Empowers network and IT management to provide and monitor controlled access to corporate resources and applications.

Seamless connectivity: The Cisco AnyConnect Secure Mobility client automatically connects or disconnects a user session based on the user's location and network availability, providing a transparent secure connectivity experience to the roaming worker, who in turns gains in productivity and flexibility.

Optimized performance: The Cisco AnyConnect Secure Mobility client provides an optimized VPN connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic or TCP-based application access. AnyConnect can automatically determine and establish connectivity to the most optimal network access point.

Consistent security: Enables high scale secure mobility protection by extending location-aware security policies to every transaction when using AnyConnect Secure Mobility with integrated web security. The user's location and the nature of the corporate resources accessed (for instance, an enterprise/"in-house" application versus a SaaS application) define the level of Acceptable Use Policies, malware protection and Data Security policies. AnyConnect is optimized for use with the Cisco IronPort^® Web Security Appliance and the Cisco ScanSafe cloud-based Web Security service. Both deployment options provide Cisco's industry leading usage policy enforcement and protection of enterprise resources from both known and zero-day malware.

Unparalleled management flexibility: Simplifies the complexity of managing diverse remote-access connectivity requirements common in today's enterprise.

Low total cost of ownership: Reduces expensive help-desk calls associated with network connectivity issues and eliminates the administration costs of managing client software on every endpoint.

Combined Technologies for Enhanced Capabilities: SSL and IPsec VPN in One Platform

In addition to the SSL VPN features, users can also take advantage of Cisco's award-winning IPsec VPN technology. By offering converged, state of the art SSL and IPsec (IKEv1 and IKEv2) VPN technologies on a single platform, the ASA 5500 Series delivers a highly customizable, simple, flexible one-box solution for diverse VPN deployment environments, eliminating the cost of deploying parallel remote-access solutions.

Cisco ASA 5500 Product Family

The Cisco ASA 5500 Series delivers site-specific scalability from the smallest business and small office/home office (SOHO) deployments to the largest enterprise networks with its 11 models, shown in Figure 2. Each model is built with concurrent services scalability, investment protection, and future technology extensibility as its foundation. Table 1 lists the specifications of the Cisco ASA 5500 Series models.

Figure 2. Cisco ASA 5500 Series Products

Table 1. Specifications of Cisco ASA 5500 Series Adaptive Security Appliance Models

Platform	Cisco ASA 5505	Cisco ASA 5510	Cisco ASA 5520	Cisco ASA 5540	Cisco ASA 5550	Cisco ASA 5580-20	Cisco ASA 5580-40	Cisco ASA 5585-S10	Cisco ASA 5585-S20	Cisco ASA 5585-S40	Cisco ASA 5585-S60
Maximum VPN throughput¹	100 Mbps	170 Mbps	225 Mbps	325 Mbps	425 Mbps	1 Gbps	1 Gbps	1 Gbps	2 Gbps	3 Gbps	5 Gbps
Maximum concurrent AnyConnect or clientless VPN sessions1	25	250	750	2500	5000	10,000	10,000	5000	10,000	10,000	10,000
Maximum concurrent site-to-site and IPsec IKEv1 VPN sessions1	25	250	750	5000	5000	10,000	10,000	5000	10,000	10,000	10,000
Interfaces	8-port 10/100 switch with 2 Power over Ethernet ports	5,10/100/ 2, 10/100/ 1000, 3,10/100 +4 10/100/ 1000, 4 SFP (with 4GE SSM)	4, 10/100/ 1000, 1, 10/100 +4-10/100/ 1000, 4 SFP (with 4GE SSM)	4,10/100/1000, 1, 10/100 +4,10/100/1000, 4 SFP (with 4GE SSM)	8, 10/100/ 1000, 4 SFP, 1, 10/100	2,10/100/1000 Management +4,10/100/1000 (with ASA 5580-4GE-CU) +4, GE SR LC (with ASA5580-4GE-FI) +2, 10GE SR LC (with ASA 5580-2X10GE-SR)	2, 10/100/ 1000 Management +4,10/100/1000 (with ASA 5580-4GE-CU) +4, GE SR LC (with ASA 5580-4GE-FI) +2, 10GE SR LC (with ASA 5580-2X10GE-SR)	8-port 10/100/ 1000, 2-port 10 Gigabit Ethernet* (SFP+) Maximum interfaces: 16-port 10/100/ 1000, 4-port 10 Gigabit Ethernet* (SFP+) (requires IPS SSP-10)	8-port 10/100/ 1000, 2-port 10 Gigabit Ethernet* (SFP+) Maximum interfaces: 16-port 10/100/ 1000, 4- port 10 Gigabit Ethernet* (SFP+) (requires IPS SSP-20)	6-port 10/100/ 1000, 4-port 10 Gigabit Ethernet (SFP+) Maximum interfaces: 12-port 10/100/ 1000, 8-port 10 Gigabit Ethernet (SFP+) (requires IPS SSP-40)	6-port 10/100/ 1000, 4-port 10 Gigabit Ethernet (SFP+) Maximum interfaces: 12-port 10/100/ 1000, 8-port 10 Gigabit Ethernet (SFP+) (requires IPS SSP-60)
Profile	Desktop	1-RU	1-RU	1-RU	1-RU	4-RU	4-RU	2-RU	2-RU	2-RU	2-RU
Stateful failover	No	Licensed feature²	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
VPN load balancing	No	Licensed feature2	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Shared VPN License Option	No	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes

¹Devices include a license for two Premium VPN users for evaluation and remote management purposes. The total concurrent IPsec and SSL (clientless and tunnel-based) VPN sessions may not exceed the maximum concurrent IPsec session count shown in the chart. The SSL/IPsec IKEv2 VPN session number (clientless or AnyConnect client) may also not exceed the number of licensed sessions on the device. The ASA 5580 supports greater simultaneous users than the ASA 5550 at comparable overall SSL VPN throughput to the ASA 5550. VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken in to consideration as part of your capacity planning.

²Upgrade is available with Cisco ASA 5510 Security Plus license.

Ordering Information

Tables 2 through 6 provide a subset of ordering information for Cisco AnyConnect Premium SSL VPN Edition bundles and licenses, as well as for Cisco AnyConnect Essentials licenses. For additional licensing details, please see the Cisco Secure Remote Access: VPN Licensing Overview. Premium licenses may be purchased for either single devices or for a shared environment.

All Cisco ASA 5500 Series appliances include the maximum number of IPsec (IKEv1) concurrent users in the base configuration of the chassis.

The use of the AnyConnect client can be enabled through the purchase of an Essential VPN license, which enables the basic AnyConnect features, including IPsec IKEv2 and SSL VPN access.

Every Cisco ASA 5500 Series model can support clientless VPN, the advanced AnyConnect features, and the Cisco Secure Desktop (CSD) features through the purchase of a Premium VPN license. Premium VPN on the Cisco ASA 5500 Series may be purchased under a single part number as an edition bundle, or the chassis and SSL VPN feature license may be purchased separately, as indicated in Table 3. Premium licenses can be applied to an individual ASA (single-device license), or to an ASA acting as a shared license server.

To place an order, visit the Cisco Ordering homepage.

Table 2. Ordering Information for Premium Bundles (Single-Device)

VPN User Requirements	Premium IPsec / SSL VPN Bundles	Edition Bundle Part Number
10 Premium VPN users	Cisco ASA 5505 SSL/IPsec VPN Edition for 10 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5505-SSL10-K9
25 Premium VPN users	Cisco ASA 5505 SSL/IPsec VPN Edition for 25 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5505-SSL25-K9
50 Premium VPN users	Cisco ASA 5510 SSL/IPsec VPN Edition for 50 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5510-SSL50-K9
100 Premium VPN users	Cisco ASA 5510 SSL/IPsec VPN Edition for 100 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5510-SSL100-K9
250 Premium VPN users	Cisco ASA 5510 SSL/IPsec VPN Edition for 250 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5510-SSL250-K9
500 Premium VPN users	Cisco ASA 5520 SSL/IPsec VPN Edition for 500 concurrent SSL/DTLS/IPsec IKEv2V PN users (AnyConnect Premium - SSL VPN Edition)	ASA5520-SSL500-K9
1000 Premium VPN users	Cisco ASA 5540 SSL/IPsec VPN Edition for 1000 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5540-SSL1000-K9
2500 Premium VPN users	Cisco ASA 5540 SSL/IPsec VPN Edition for 2500 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5540-SSL2500-K9
2500 Premium VPN users	Cisco ASA 5550 SSL/IPsec VPN Edition for 2500 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5550-SSL2500-K9
5000 Premium VPN users	Cisco ASA 5550 SSL/IPsec VPN Edition for 5000 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5550-SSL5000-K9
5000 Premium VPN users	Cisco ASA 5585-S10 SSL/IPsec VPN Edition for 5000 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5585-S10-5K-K9
10,000 Premium VPN users	Cisco ASA 5580-20 SSL/IPsec VPN Edition for 10,000 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition	ASA5580-20-10K-K9
10,000 Premium VPN users	Cisco ASA 5585-S20/40/60 SSL/IPsec VPN Edition for 10,000 concurrent SSL/DTLS/IPsec IKEv2 VPN users (AnyConnect Premium - SSL VPN Edition)	ASA5585S20-10K-K9 ASA5585S40-10K-K9 ASA5585S60-10K-K9

Table 3. Ordering Information for Individual (Single-Device) AnyConnect Premium Licenses

Cisco ASA Chassis and applicable AnyConnect Premium - IPsec / SSL VPN Edition Licenses
VPN User Require-ments	Part Number	Cisco ASA 5505	Cisco ASA 5510	Cisco ASA 5520	Cisco ASA 5540	Cisco ASA 5550	Cisco ASA 5585-S10	Cisco ASA 5580-20	Cisco ASA 5580-40	Cisco ASA 5585-S20/40/60
10 Premium VPN users	ASA5500-SSL-10	X	X	X	X	X	X	X	X	X
25 Premium VPN users	ASA5500-SSL-25	X	X	X	X	X	X	X	X	X
50 Premium VPN users	ASA5500-SSL-50	-	X	X	X	X	X	X	X	X
100 Premium VPN users	ASA5500-SSL-100	-	X	X	X	X	X	X	X	X
250 Premium VPN users	ASA5500-SSL-250	-	X	X	X	X	X	X	X	X
500 Premium VPN users	ASA5500-SSL-500	-	-	X	X	X	X	X	X	X
750 Premium VPN users	ASA5500-SSL-750	-	-	X	X	X	X	X	X	X
1000 Premium VPN users	ASA5500-SSL-1000	-	-	-	X	X	X	X	X	X
2500 Premium VPN users	ASA5500-SSL-2500	-	-	-	X	X	X	X	X	X
5000 Premium VPN users	ASA5500-SSL-5000	-	-	-	-	X	X	X	X	X
10,000 Premium VPN users	ASA5500-SSL-10K	-	-	-	-	-	-	X	X	X

Table 4. Ordering information for AnyConnect Premium - SSL VPN Edition Shared Licenses (Shared License Server)

VPN User Requirements	AnyConnect Premium - IPsec / SSL VPN Edition Shared Licenses	Part Number
500 Premium Shared VPN users	Premium Shared VPN Server License - 500 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-500=
1000 Premium Shared VPN users	Premium Shared VPN Server License - 1000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-1,000=
2500 Premium Shared VPN users	Premium Shared VPN Server License - 2500 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-2,500=
5000 Premium Shared VPN users	Premium Shared VPN Server License - 5000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-5,000=
7500 Premium Shared VPN users	Premium Shared VPN Server License - 7500 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-7,500=
10,000 Premium Shared VPN users	Premium Shared VPN Server License - 10,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-10K=
20,000 Premium Shared VPN users	Premium Shared VPN Server License - 20,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-20K=
30,000 Premium Shared VPN users	Premium Shared VPN Server License - 30,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-30K=
40,000 Premium Shared VPN users	Premium Shared VPN Server License - 40,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-40K=
50,000 Premium Shared VPN users	Premium Shared VPN Server License - 50,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-50K=
100,000 Premium Shared VPN users	Premium Shared VPN Server License - 100,000 shared seats (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNS-100K=

Note: Premium Shared VPN Server Licenses are stackable. As such, there is no license limit to the maximum number of shared seats that can be activated on the Shared License Server.

Table 5. Ordering Information for AnyConnect Premium - SSL/IPsec VPN Edition Shared Licenses (Participant)

VPN User Requirements	Premium VPN Bundles	Edition Bundle Part Number
ASA 5510 (up to 250 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5510 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5510=
ASA 5520 (up to 750 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5520 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5520=
ASA 5540 (up to 2500 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5540 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5540=
ASA 5550 (up to 5000 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5550 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5550=
ASA 5580 (up to 10,000 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5580 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5580=
ASA 5585-S10 (up to 5000 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5585-S10 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5585=
ASA 5580-S20/S40/S60 (up to 10,000 simultaneous sessions)	Premium Shared VPN Participant License - ASA 5585-S20/40/60 (AnyConnect Premium - SSL/IPsec VPN Edition)	ASA-VPNP-5585=

Table 6. Ordering Information for AnyConnect Essentials Spares (Requires Cisco ASA Software Release 8.2 and Later)

AnyConnect Essentials Platform/Users	AnyConnect Essentials VPN Spares Licenses	Part Numbers
ASA 5505 (up to 25 simultaneous sessions)	AnyConnect Essentials VPN license - 25 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5505=
ASA 5510 (up to 250 simultaneous sessions)	AnyConnect Essentials VPN license - 250 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5510=
ASA 5520 (up to 750 simultaneous sessions)	AnyConnect Essentials VPN license - 750 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5520=
ASA 5540 (up to 2500 simultaneous sessions)	AnyConnect Essentials VPN license - 2500 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5540=
ASA 5550 (up to 5000 simultaneous sessions)	AnyConnect Essentials VPN license - 5000 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5550=
ASA 5580 (up to 10,000 simultaneous sessions)	AnyConnect Essentials VPN license - 10,000 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5580=
ASA 5585-S10 (up to 5000 simultaneous sessions)	AnyConnect Essentials VPN license - 5000 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5585=
ASA 5585-S20/S40/S60 (10,000 simultaneous sessions)	AnyConnect Essentials VPN license - 10,000 concurrent AnyConnect VPN Essentials users	ASA-AC-E-5585=

Electronic License Delivery (eDelivery)

Most licenses are available for electronic delivery, which significantly speeds up license fulfillment time. To order a license electronically, be sure to choose to order part number(s) that begin with "L."

Cisco Services

Cisco and its partners provide services that can help you deploy and manage security solutions. Cisco has adopted a lifecycle approach to services that addresses the necessary set of requirements for deploying and operating Cisco adaptive security appliances, as well as other Cisco security technologies. This approach can help you improve your network security posture to achieve a more available and reliable network, prepare for new applications, lower your network costs, and maintain network health through day-to-day operations. For more information about Cisco Security Services, visit http://www.cisco.com/go/services/security.

For More Information

For more information, please visit the following links:

• Cisco ASA 5500 Series: http://www.cisco.com/go/asa

• Cisco AnyConnect Secure Mobility Solution with WSA: http://www.cisco.com/go/asm

• Cisco AnyConnect Secure Mobility Client:

http://www.cisco.com/go/anyconnect

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html

• Cisco VPN solutions: http://www.cisco.com/go/vpn

• Cisco Secure Remote Access VPN Licensing Overview information:

http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html

• Cisco Adaptive Security Device Manager: http://www.cisco.com/go/asdm

• Cisco Product Certifications: http://www.cisco.com/go/securitycert