As many of you may know, Cisco does not support 64-bit operating systems for the Cisco VPN Client (IPSec). For this reason, the only way forward is to migrate to the “newer” technology, SSL VPN.
My job is to migrate an IPSec Solution (with Cisco VPN Client) to AnyConnect.
OK, let’s start. First of all, what kinds of AnyConnect are available?
The two main options available are:
1. AnyConnect Essentials
- AnyConnect tunneling without clientless SSL VPN and Cisco Secure Desktop
- Full Tunneling access to Enterprise applications.
2. AnyConnect Premium
Premium SSL VPN capabilities, including clientless SSL VPN, Cisco Secure Desktop (Host Scan and Vault), and AnyConnect connectivity. Optionally provides Full Tunneling access to Enterprise applications.
Licensing requirements for ASA 5510 (with Security Plus License)
My first question was: how many concurrent SSL VPN tunnels may I already have with the Security Plus license? The ASA comes, regardless of Base or SecPlus, with 2 combined SSL sessions included.
Here comes the tricky part: if you enable AnyConnect Premium on the ASA without buying a license upgrade, you will be able to have just 2 simultaneous SSL clients. So far it all seems OK: it is well explained how to upgrade to multiple users, and there are about a thousand different licenses you may buy for your firewall in order to properly enable AnyConnect Premium.
But what if you use the Essentials feature instead of Premium? How are these 2 bundled SSL sessions involved? Well, differently from what I thought: looking through the configuration guide, I discovered that Essentials is tied only to its own license (ASA-AC-E-55XX).
Licenses for Essentials are based on the maximum number of SSL VPN user sessions of your firewall. This is why you will find the license for the ASA5505 with 25 users and the license for the ASA5510 with 250 users.
Once activated on my 5510, I’m now able to manage 250 concurrent AnyConnect clients at a very affordable price of 150 USD!
One last note: Cisco is developing AnyConnect 3.0, which will also support IPSec tunnelling; the release is expected for the end of 2010.