Date post: 27-Jul-2020
Cisco ASA Update Cisco Anyconnect Update Rene Straube CSE, Cisco Germany May 2015

Cisco ASA Update Cisco Anyconnect Update

Rene Straube

CSE, Cisco Germany

May 2015


Cisco ASA with FirePower

Rene Straube

CSE, Cisco Germany

May 2015

Platform Update


Cisco Confidential 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Introducing Cisco ASA with FirePOWER Services for SMB, Midsized, & Distributed Enterprise

Refresh for 5505 FirePOWER Services

Default

Desktop Form Factor

5506-X 5506W-X Wireless

Enable additional SMB & branch deployments

Integrated Wireless AP

5508-X

Green field opportunity with new pricing point

1 RU Rack-Mount

5516-X

1 RU Rack-Mount

Higher performance Refresh for 5512 and 5515


7.92” x 8.92” x 1.73”

Desktop 5506-X

Parameter: Value
CPU: Multicore [email protected] GHz
Accelerator: Hardware Crypto Accelerator
RAM / Storage: 4 GB / 64 GB mSata
Management Ports: 1 Management Port with 10/100/1000 Base-T
Console Port: RJ45, Mini USB
USB Port: Type ‘A’ supports 2.0
Data Ports: 8 * 1 G Interface, All L3 interfaces
Cooling: Convection
Power: AC external, No DC


Wireless Desktop 5506W-X

Parameter: Value
Wireless AP: ASA5506_AP702, IEEE 802.11n, 2 x 2 MIMO. Dual band AP 2.5 GHz and 5GHz
Port: 8 x External Data ports, 1 Access Point (attached to 1 internal data port - g1/9)
Management Port: Any Data Port of g1/1 - g1/8, Management 1/1 is used only for firewall management
Management: Autonomous (AP OnBox GUI) or Cisco’s Wireless LAN Controller

* 5506W-X configuration is same as Desktop 5506-X. Below is the information on wireless.

7.92” x 8.92” x 1.73”


Rackmount 5508-X / 5516-X

17.2” x 11.11” x 1.72”

CPU Complex: CPU Intel Rangeley 8 Core 2 GHz
CPU: DRAM 8GB for Intel, 1GB for Octeon
Accelerator: Cavium CN7020 2 Core 1GHz
Console Port: 1 RJ 45, Mini USB (Mini USB has priority)
8 x 1GE data interface ports and 1 Management port (10/100/1000)
USB port type ’A’ support with 2.0
FAN cooling, No DC and No POE
120 GB SSD

Parameter: Value
CPU: Multicore 5508-X@2 GHz [email protected]
Accelerator: Hardware Crypto Accelerator
RAM / Storage: 8 GB Intel / 120 GB SSD
Ports: 1 Management Port with 10/100/1000 Base-T
Console Port: RJ45, Mini USB
USB Port: Type ‘A’ supports 2.0
Memory: 8 * 1 G Interface, All L3 interfaces
Cooling: FAN
Power: AC internal, No DC


New! Combines Control Over Access Policies and Advanced Threat Defense Functions. The enhanced UI provides quick views on trends and the ability to drill-down for details.

On Box Manager: ASDM 7.3.x


Provides security teams with:

Management for multiple devices

Comprehensive visibility and control over network activity

Optimal remediation through infection scoping and root cause determination

Centralized Management: Same as larger models — uses CSM & FireSIGHT

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate


Which ASA with FirePOWER platform?

Maximum AVC and IPS throughput

Branch Locations

150 Mbps NGFW

100K Connections

10,000 CPS

ASA 5512-X

250Mbps NGFW

250K Connections

15,000 CPS

ASA 5515-X

Small/Medium Internet Edge

650Mbps NGFW

500K Connections

20,000 CPS

ASA 5525-X

1 Gbps NGFW

750K Connections

30,000 CPS

ASA 5545-X

1.25 Gbps NGFW

1 M Connections

50,000 CPS

ASA 5555-X

ASA 5506-X

125 Mbps NGFW

50K Connections

5,000 CPS

ASA 5508-X ASA 5516-X

600Mbps NGFW

250K Connections

20,000 CPS

250Mbps NGFW

100K Connections

10,000 CPS


440 byte HTTP Transactional test in Mbps

IPS uses Balanced Profile, AVC uses Network Discovery: Applications

As with all performance discussions, YOUR MILEAGE MAY VARY!!

Model      FirePOWER IPS or AVC   FirePOWER IPS + AVC   FirePOWER IPS + AVC + AMP
5506-X     90                     65                    40
5508-X     180                    115                   85
5512-X     100                    75                    60
5515-X     150                    100                   85
5516-X     300                    200                   150
5525-X     375                    255                   205
5545-X     575                    360                   310
5555-X     725                    450                   340
5585-10    1200                   800                   550
5585-20    2000                   1200                  850
5585-40    3500                   2100                  1500
5585-60    6000                   3500                  2300


[Figure: NGFW licensing bundles TA, TAC, TAM and TAMC, with component labels IPS, URL and AMP]

• Security plus (HA)

• Anyconnect licenses

• Security Context (only 5508X and 5516X)

ASA Licensing NGFW Licensing

1,3 and 5 year subscription, AVC updates are available with SmartNet.

Licensing overview Same model as on existing ASA Platforms

NGFW License (AVC) included


Cisco AnyConnect

Rene Straube

CSE, Cisco Germany

May 2015

Update


AnyConnect 4.x Update

New Licensing Scheme for AnyConnect 4.0

How to migrate to the new Licensing?

Agenda


Simply and securely work anywhere on any device

Delivers reliable and transparent secure remote access for the off-premises user based on VPN

Helps ensure endpoint integrity: Multiple authentication options, Comprehensive posture checks

Provides secure connectivity: End-to-end encryption, Integrated web security, Per-app VPN for mobile

Cisco AnyConnect Secure Mobility Client Extending Control of Context to the Endpoint


AnyConnect NAM

• Wired & Wireless Connection Manager

• 802.1x Supplicant

• 802.1ae (MACsec) Link Encryption

• Various authentication methods (user/pass, certs, OTP)

• As of now available only for Windows OS

AnyConnect VPN

• VPN Profile & Connection Manager

• SSL-VPN Client

• IPSec/IKEv2 Client (only works with ASA headend, IOS support planned)

• Various authentication methods (user/pass, certs, OTP)

• Available for MacOS, Windows, Linux

AnyConnect Websecurity

• ScanSafe Mobility Client

• Intercepts all Web traffic on the client

• Builds a tunnel to a ScanSafe Datacenter and forwards all Web traffic

• Authentication via user or group key

• As of now available only for Windows OS

Cisco AnyConnect Module Details


Supports device posture and authorization across multiple access methods

Simplifies management with only one agent to manage

Prevents noncompliant devices from accessing the network

What’s New in Cisco AnyConnect 4.0? Posture Check and Secure VPN Access with Unified Agent and Cisco ISE 1.3


Common Context-Based Access Policy Services (Cisco ISE + Cisco AnyConnect®)

Cisco Prime™ Cisco® ISE Third-Party MDM

Office Wired Access Office Wireless Access Remote Access

Wired Network Devices

Cisco Catalyst® Switches

ASA Firewall

Centralized Endpoint Secure Access Policy


Selectively Tunnels Traffic Through VPN

Provide secure remote access for selected applications by user, role, device, etc. (per-app VPN)

Reduce the potential for non-approved applications to compromise enterprise data

Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations


What’s New in Cisco AnyConnect 4.0? Connect Only Approved Applications over VPN


Desktop User FireAMP PORTAL

Cisco ASA

Deploying AMP Connector to endpoints with AnyConnect

What’s New in Cisco AnyConnect 4.1? Cisco AnyConnect AMP Enabler


[Figure: AMP Enabler flow with numbered steps 1 to 3 between the VPN Desktop, the ASA, the AMP Portal and an Enterprise Hosted Server. Labels: Request Connect; Auth Challenge; Credentials; Config with AC/AMP Profile; Download AMP connector image (via https); FA connector image]

What’s New in Cisco AnyConnect 4.1? AMP Enabler Flow with ASA


AnyConnect on Windows Phone 8.x (beta already started)

AnyConnect on Blackberry 10 (this summer)

AnyConnect on LinuxARM for IoT Use Cases (2HCY15)

What's coming up next?


AnyConnect 4.x Update

New Licensing Scheme for AnyConnect 4.0

How to migrate to the new Licensing?

Agenda


AnyConnect

o Simplify

o Feature / value alignment

o Remove lock to appliance (helps with ASA migrations & RMA Process)

o Consistent model regardless of headend

o Solve Share / Flex / Essentials + Premium mix challenges

ISE

o Adapt to new ISE feature content / AC integration in 1.3

- Unified Agent (single agent for compliance)

o Consistency with AC selling motion

o Different 3rd Party MDM offer structure

Why we Change the AnyConnect Licensing?


FLEX License (for 54 days daily use)

Good for Short Periods of High Demand (Emergencies, Events, etc.; per box)

MOBILE License (per ASA model)

MOBILE License (per ASA)

ADVANCED ENDPOINT ASSESSMENT License (per ASA)

Premium Licenses Shared by Multiple Cisco® ASA Devices

SHARED License (per user + per ASA)

ESSENTIALS License (per ASA model)

Basic Remote Access Connectivity

Or Always-On, Clientless, Posture Assessment, Mobile Posture, Suite B

PREMIUM License (per user for each ASA)

Other Licenses:

VPN Phone & FIPS (per ASA model)

AnyConnect Licensing – Today

This is too complex, even if we've all got used to it ...


Per user (with their multiple devices)

Plus License
• IPSec/SSL VPN
• Mobile per-app VPN (new)
• Web security
• Network access manager
• Any Headend

Apex License
• Plus features
• Unified Endpoint Compliance (new)
• Clientless
• Suite B
• Any Headend

New endpoint licensing portable across any hardware platforms, simplifying transfer

New two-tiered licensing structure to allow customers to grow based on new enterprise mobility needs

New Licensing in Cisco AnyConnect 4.0 Simpler Licensing with Greater Flexibility


New AC Features & Licensing

“PLUS”
• Basic PC + Mobile Services
• Device VPN / Per app VPN
• Always On
• ASA, ISE, ASR, CSR
• FIPS
• CWS / Web Security
• NAM

Current AnyConnect 3.X

New!

New AnyConnect 4.X

Essentials (Perpetual)

Premium (Perpetual)

Shared (Perpetual)

Mobile (Perpetual)

AEA (Perpetual)

“APEX”
• Advanced PC + Mobile Services
• Unified Endpoint Compliance / Remediation (Posture)
• Suite B
• Clientless
• Includes PLUS !!!

Flex (Perpetual)

* VPN Phone goes away because of VCS gateway

Non-Lic (NAM, CWS)

New!

Loose with
• ASA
• ISR
• ASR
• CSR
• CWS

Tied only to ASA


APEX (Term) Two Licensing Models to choose

or

• 25-250K per user* pricing ($)

• “Right to Use” based on user/seat count vs concurrency

• 1, 3 and 5 Yr options (includes support)

• Compliance -> Trust (Phase 1)

• Built in “Shared, Flex” functionality

• Covers PC and Mobile

• Includes “near” zero day OS support for all supported platforms

PLUS (Perpetual)

PLUS (Term)

• 25-250K per user* pricing ($$$)

• “Right to Use” based on user/seat count vs concurrency

• Support (SASU) ordered separately

• Compliance -> Trust (Phase 1)

• Built in “Shared, Flex” functionality

• Covers PC and Mobile

• Includes “near” zero day OS support for all supported platforms

* Please be aware of „user“ based licensing not device based !!


AnyConnect Premium & Essentials Licensing

Essentials – almost free

Essentials – Perpetual License

Premium – Perpetual License

Essential & Premium cannot be mixed on one device

Premium & Essentials are charged based on concurrent connections

Licenses applied on a device

Plus – not free anymore

Plus – Perpetual or Subscription License

Apex – Subscription License only

Plus & Apex can be mixed in a single customer deployment

Apex & Plus are charged per User

Licenses applied to all devices needed

AnyConnect Apex & Plus Licensing


ASA + AC Support Matrix

                                             AC Mobile 3.x   AC Mobile 4.x   AC Desktop 3.x   AC Desktop 4.x
End of Sale Announcement                     Q4 CY 2014      N/A             Q4 CY 2014       N/A
End of New OS Support                        Q2 CY 2015      N/A             Q2 CY 2015       N/A
End-of-Sale Date (All AC and ASA+AC SKUs)    Q2 CY 2015      NA              Q2 CY 2015       NA
5500                                         ✔               ✔               ✔                ✔
5500-X                                       ✔               ✔               ✔                ✔

Standard End of Sale Policies Apply


Frequently Answered Questions

Does a customer need to upgrade to Plus/Apex from Essentials/Premium?

AnyConnect Plus/Apex licenses required for AnyConnect 4.x software (Desktop & Mobile)

New AnyConnect 4.0 capabilities like Per-app VPN functions will require Plus or Apex licenses along with ASA 5500-X with 9.3.1 or later

Essentials and Premium licenses and version 3.x AnyConnect software will be phased out but can further be used with current software versions and features

Can AnyConnect 4.x be used without a Plus or Apex license?

No, with one exception: basic mobile VPN use cases through April 2016 (see below)

AnyConnect 4.x usage requires Plus or Apex license, this includes Network Access Manager, Cloud Web Security and all VPN use cases, regardless of the Cisco head-end

AnyConnect 4.x Apex license also authorizes clientless SSL VPN

How is the 4.x conversion being handled for the mobile versions of AnyConnect?

Customer cannot remain on old versions of AnyConnect for iOS & Android

All 3.x customers will be permitted to utilize AnyConnect 4.x on mobile devices until April 30, 2016

After this date, a customer will no longer be entitled to utilize AnyConnect on mobile devices without converting licensing models

The Per App VPN capabilities in AnyConnect 4.0 are not available to customers using the original AnyConnect Essentials/Premium licenses


AnyConnect 4.x Update

New Licensing Scheme for AnyConnect 4.0

How to migrate to the new Licensing?

Agenda


Not tied to specific ASA release though some features like per app will only work with 9.3.x+

Don’t have to move to AC 4.x right away but should start planning, particularly if interested in:
• New PC/Mobile OS support
• New features

Special migration offers for existing customers reduce financial impact with even more services (e.g. ISE context sharing)

General Things to Consider


Users

o How many users will utilize AC services?

Services

o How many users need basic services?

o How many users need advanced services?

Headend Sizing

o How many active sessions at any given time?

o What headend platform/s?

o How many locations?

It’s important to understand that Users/Services and Headend Sizing are decoupled completely

Much easier to scale the deployment, even afterwards

How to Design a Deployment?

PLUS APEX

Cisco Web Security

Cisco ASA Cisco ISE

Router


Yes, there is no migration offer for Plus perpetual !!

Migration Strategy

Existing AC licenses AC APEX Migration Licenses ($0 for 3 Yr, Any User Count)

Premium (Perpetual)

Shared (Perpetual)

AC PLUS Migration Licenses (50% Discount on 5/3/1 Yr licenses, Any User Count)

Old ASA New ASA

APEX (Term)

PLUS (Term)

PLUS (Term)

Essentials (Perpetual)

Non-Lic (NAM, CWS)


Thank you.

Page 36: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 36 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Introducing Cisco ASA with FirePOWER Services for SMB, Midsized, & Distributed Enterprise

Refresh for 5505 FirePOWER Services

Default

Desktop Form Factor

5506-X 5506W-X Wireless

Enable additional SMB & branch deployments

Integrated Wireless AP

5508-X

Green field opportunity with new

pricing point

1 RU Rack-Mount

5516-X

1 RU Rack-Mount

Higher performance Refresh for 5512 and

5515

Page 37: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 37 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

7.92” x 8.92” x 1.73”

Desktop 5506-X

Parameter Value

CPU Multicore [email protected] GHz

Accelerator Hardware Crypto Accelerator

RAM / Storage 4 GB /64 GB mSata

Management Ports 1 Management Port with 10/100/1000 Base-T

Console Port RJ45, Mini USB

USB Port Type ‘A’ supports 2.0

Data Ports 8 * 1 G Interface, All L3 interfaces

Cooling Convection

Power AC external, No DC

Page 38: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 38 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Wireless Desktop 5506W-X

Parameter Value

Wireless AP ASA5506_AP702, IEEE 802.11n, 2 x 2 MIMO. Dual band AP 2.5 GHz and 5GHz

Port 8 x External Data ports, 1 Access Point (attached to 1 internal data port - g1/9)

Management Port Any data Data Port of g1/1 - g1/8, Management 1/1 is used only for firewall management

Management Autonomous (AP OnBox GUI) or Cisco’s Wireless LAN Controller

* 5506W-X configuration is same as Desktop 5506-X. Below is the information on wireless.

7.92” x 8.92” x 1.73”

Page 39: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 39 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Rackmount 5508-X / 5516-X

17.2” x 11.11” x 1.72”

CPU Complex CPU Intel Rangeley 8

Core 2 GHz

CPU: DRAM 8GB for Intel 1GB for

Octeon

Accelerator Cavium CN7020 2

Core 1GHz

Console Port 1 RJ 45, Mini USB

(Mini USB has priority)

8 x 1GE data interface

Ports ad 1 Management port (10

/100/1000)

USB port type ’A’ support with 2.0

FAN cooling, No DC and No POE

120 GB SSD

Parameter Value

CPU Multicore 5508-X@2 GHz [email protected]

Accelerator Hardware Crypto Accelerator

RAM / Storage 8 GB Intel /120 GB SSD

Ports 1 Management Port with 10/100/1000 Base-T

Console Port RJ45, Mini USB

USB Port Type ‘A’ supports 2.0

Memory 8 * 1 G Interface, All L3 interfaces

Cooling FAN

Power AC internal, No DC

Page 40: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 40 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

New! Combines Control Over Access Policies and Advanced Threat Defense Functions. The enhanced UI provides quick views on trends and the ability to drill-down for details.

On Box Manager: ASDM 7.3.x

Page 41: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 41 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Provides security teams with:

Management for multiple devices

Comprehensive visibility and control over network activity

Optimal remediation through infection scoping and root cause determination

Centralized Management Centralized Management:

Same as larger models — uses CSM &

FireSIGHT

BEFORE Discover Enforce Harden

DURING Detect Block

Defend

AFTER Scope Contain

Remediate

Page 42: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 42 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Which ASA with FirePOWER platform?

Maximum AVC and IPS throughput

Branch Locations

150 Mbps NGFW

100K Connections

10,000 CPS

ASA 5512-X

250Mbps NGFW

250K Connections

15,000 CPS

ASA 5515-X

Small/Medium Internet Edge

650Mbps NGFW

500K Connections

20,000 CPS

ASA 5525-X

1 Gbps NGFW

750K Connections

30,000 CPS

ASA 5545-X

1.25 Gbps NGFW

1 M Connections

50,000 CPS

ASA 5555-X

ASA 5506-X

125 Mbps NGFW

50K Connections

5,000 CPS

ASA 5508-X ASA 5516-X

600Mbps NGFW

250K Connections

20,000 CPS

250Mbps NGFW

100K Connections

10,000 CPS

Page 43: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 43 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

440 byte HTTP Transactional test in Mbps

IPS uses Balanced Profile, AVC uses Network Discovery: Applications

As with all performance discussions, YOUR MILEAGE MAY VARY!!

Model 5506-

X 5508-X 5512-X 5515-X 5516-X 5525-X 5545-X 5555-X 5585-10

5585-20

5585-40

5585-60

FirePOWER IPS or AVC

90 180 100 150 300 375 575 725 1200 2000 3500 6000

FirePOWER IPS + AVC

65 115 75 100 200 255 360 450 800 1200 2100 3500

FirePOWER IPS + AVC +

AMP 40 85 60 85 150 205 310 340 550 850 1500 2300

Page 44: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 44 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

IPS

URL

URL

IPS

TAMC TAC TA

URL

URL

AMP

IPS

TAM

AMP

IPS

• Security plus (HA) • Anyconnect licenses • Security Context (only 5508X

and 5516X)

ASA Licensing NGFW Licensing

1,3 and 5 year subscription, AVC updates are available with SmartNet.

Licensing overview Same model as on existing ASA Platforms

NGFW License (AVC) included

Page 45: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco AnyConnect

Rene Straube

CSE, Cisco Germany

May 2015

Update

Page 46: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 46 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

AnyConnect 4.x Update

New Licensing Scheme for AnyConnect 4.0

How to migrate to the new Licensing?

Agenda

Page 47: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 47 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Simply and securely work anywhere on any device

Delivers reliable and transparent secure remote access for the off-premises user based on VPN

Helps ensure endpoint integrity Multiple authentication options Comprehensive posture checks

Provides secure connectivity End-to-end encryption Integrated web security Per-app VPN for mobile

Cisco AnyConnect Secure Mobility Client Extending Control of Context to the Endpoint

Page 48: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 48 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

AnyConnect NAM

• Wired & Wireless Connection Manager

• 802.1x Supplicant

• 802.1ae (MACsec) Link Encryption

• Various authentication methods (user/pass, certs, OTP)

• As of now available only for Windows OS

AnyConnect VPN

• VPN Profile & Connection Manager

• SSL-VPN Client

• IPSec/IKEv2 Client (only works with ASA headend, IOS support planned)

• Various authentication methods (user/pass, certs, OTP)

• Available for MacOS, Windows, Linux

AnyConnect Websecurity

• ScanSafe Mobility Client

• Intercepts all Web traffic on the client

• Builds a tunnel to a ScaSafe Datacenter and forwards all Web traffic

• Authentication via user or group key

• As of now available only for Windows OS

Cisco AnyConnect Module Details

Page 49: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 49 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Supports device posture and authorization across multiple access methods

Simplifies management with only one agent to manage

Prevents noncompliant devices from accessing the network

What’s New in Cisco AnyConnect 4.0? Posture Check and Secure VPN Access with Unified Agent and Cisco ISE 1.3

Page 50: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 50 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Common Context-Based Access Policy Services (Cisco ISE + Cisco AnyConnect®)

Cisco Prime™ Cisco® ISE Third-Party MDM

Office Wired Access Office Wireless Access Remote Access

Wired Network Devices

Cisco Catalyst® Switches

ASA Firewall

Centralized Endpoint Secure Access Policy

Page 51: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 51 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Selectively Tunnels Traffic Through VPN

Provide secure remote access for selected applications by user, role, device, etc. (per-app VPN)

Reduce the potential for non-approved applications to compromise enterprise data

Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations

WWW

What’s New in Cisco AnyConnect 4.0? Connect Only Approved Applications over VPN

Page 52: Cisco ASA Update Cisco Anyconnect Update€¦ · Cisco ASA with FirePower Rene Straube CSE, Cisco Germany May 2015 Platform Update

Cisco Confidential 52 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Desktop User FireAMP PORTAL

Cisco ASA

Deploying AMP Connector to endpoints with AnyConnect

What’s New in Cisco AnyConnect 4.1? Cisco AnyConnect AMP Enabler

What’s New in Cisco AnyConnect 4.1? AMP Enabler Flow with ASA

[Diagram: AMP Enabler flow between the VPN Desktop, the ASA, the AMP Portal and an Enterprise Hosted Server, with three numbered steps. Labels: Request Connect, Credentials, Auth Challenge; Config with AC/AMP Profile; Download AMP connector image (via https); FA connector image.]

AnyConnect on Windows Phone 8.x (beta already started)

AnyConnect on Blackberry 10 (this summer)

AnyConnect on LinuxARM for IoT Use Cases (2HCY15)

What’s coming up next?

AnyConnect 4.x Update

New Licensing Scheme for AnyConnect 4.0

How to migrate to the new Licensing?

Agenda

AnyConnect
o Simplify
o Feature / value alignment
o Remove lock to appliance (helps with ASA migrations & RMA Process)
o Consistent model regardless of headend
o Solve Share / Flex / Essentials + Premium mix challenges

ISE
o Adapt to new ISE feature content / AC integration in 1.3
  - Unified Agent (single agent for compliance)
o Consistency with AC selling motion
o Different 3rd Party MDM offer structure

Why Are We Changing the AnyConnect Licensing?

FLEX License (for 54 days daily use)

Good for Short Periods of High Demand (Emergencies, Events, etc.; per box)

MOBILE License (per ASA model)

MOBILE License (per ASA)

ADVANCED ENDPOINT ASSESSMENT License (per ASA)

Premium Licenses Shared by Multiple Cisco® ASA Devices

SHARED License (per user + per ASA)

ESSENTIALS License (per ASA model)

Basic Remote Access Connectivity

Or Always-On, Clientless, Posture Assessment, Mobile Posture, Suite B

PREMIUM License (per user for each ASA)

Other Licenses:

VPN Phone & FIPS (per ASA model)

AnyConnect Licensing – Today

This is too complex, even if we’ve all got used to it ...

Per user (with their multiple devices)

Plus License
• IPSec/SSL VPN
• Mobile per-app VPN (new)
• Web security
• Network access manager
• Any Headend

Apex License
• Plus features
• Unified Endpoint Compliance (new)
• Clientless
• Suite B
• Any Headend

New endpoint licensing portable across any hardware platforms, simplifying transfer

New two-tiered licensing structure to allow customers to grow based on new enterprise mobility needs

New Licensing in Cisco AnyConnect 4.0 Simpler Licensing with Greater Flexibility

New AC Features & Licensing

“PLUS”
• Basic PC + Mobile Services
• Device VPN / Per app VPN
• Always On
• ASA, ISE, ASR, CSR
• FIPS
• CWS / Web Security
• NAM

Current AnyConnect 3.X

New!

New AnyConnect 4.X

Essentials (Perpetual)

Premium (Perpetual)

Shared (Perpetual)

Mobile (Perpetual)

AEA (Perpetual)

“APEX”
• Advanced PC + Mobile Services
• Unified Endpoint Compliance / Remediation (Posture)
• Suite B
• Clientless
• Includes PLUS !!!

Flex (Perpetual)

* VPN Phone goes away because of VCS gateway

Non-Lic (NAM, CWS)

New!

Loose with • ASA • ISR • ASR • CSR • CWS

Tied only to ASA

APEX (Term) Two Licensing Models to choose

or

• 25-250K per user* pricing ($)
• “Right to Use” based on user/seat count vs concurrency
• 1, 3 and 5 Yr options (includes support)
• Compliance -> Trust (Phase 1)
• Built in “Shared, Flex” functionality
• Covers PC and Mobile
• Includes “near” zero day OS support for all supported platforms

PLUS (Perpetual)

PLUS (Term)

• 25-250K per user* pricing ($$$)
• “Right to Use” based on user/seat count vs concurrency
• Support (SASU) ordered separately
• Compliance -> Trust (Phase 1)
• Built in “Shared, Flex” functionality
• Covers PC and Mobile
• Includes “near” zero day OS support for all supported platforms

* Please be aware that licensing is “user”-based, not device-based !!

AnyConnect Premium & Essentials Licensing

Essentials – almost free

Essentials – Perpetual License

Premium – Perpetual License

Essential & Premium cannot be mixed on one device

Premium & Essentials are charged based on concurrent connections

Licenses applied on a device

AnyConnect Apex & Plus Licensing

Plus – not free anymore

Plus – Perpetual or Subscription License

Apex – Subscription License only

Plus & Apex can be mixed in a single customer deployment

Apex & Plus are charged per User

Licenses applied to all devices needed

ASA + AC Support Matrix

                                             AC Mobile 3.x   AC Mobile 4.x   AC Desktop 3.x   AC Desktop 4.x
End of Sale Announcement                     Q4 CY 2014      N/A             Q4 CY 2014       N/A
End of New OS Support                        Q2 CY 2015      N/A             Q2 CY 2015       N/A
End-of-Sale Date (All AC and ASA+AC SKUs)    Q2 CY 2015      N/A             Q2 CY 2015       N/A
5500                                         ✔               ✔               ✔                ✔
5500-X                                       ✔               ✔               ✔                ✔

Standard End of Sale Policies Apply

Frequently Answered Questions

Does a customer need to upgrade to Plus/Apex from Essentials/Premium?

AnyConnect Plus/Apex licenses are required for AnyConnect 4.x software (Desktop & Mobile)

New AnyConnect 4.0 capabilities like Per-app VPN functions will require Plus or Apex licenses along with ASA 5500-X with 9.3.1 or later

Essentials and Premium licenses and version 3.x AnyConnect software will be phased out but can further be used with current software versions and features

Can AnyConnect 4.x be used without a Plus or Apex license?

No, with one exception: basic mobile VPN use cases through April 2016 (see below)

AnyConnect 4.x usage requires a Plus or Apex license; this includes Network Access Manager, Cloud Web Security and all VPN use cases, regardless of the Cisco head-end

AnyConnect 4.x Apex license also authorizes clientless SSL VPN

How is the 4.x conversion being handled for the mobile versions of AnyConnect?

Customer cannot remain on old versions of AnyConnect for iOS & Android

All 3.x customers will be permitted to utilize AnyConnect 4.x on mobile devices until April 30, 2016

After this date, a customer will no longer be entitled to utilize AnyConnect on mobile devices without converting licensing models

The Per App VPN capabilities in AnyConnect 4.0 are not available to customers using the original AnyConnect Essentials/Premium licenses

Not tied to a specific ASA release, though some features like per-app VPN will only work with 9.3.x+

Don’t have to move to AC 4.x right away, but should start planning, particularly if interested in new PC/Mobile OS support or new features

Special migration offers for existing customers reduce financial impact with even more services (e.g. ISE context sharing)

General Things to Consider

Users
o How many users will utilize AC services?

Services
o How many users need basic services?
o How many users need advanced services?

Headend Sizing
o How many active sessions at any given time?
o What headend platform/s?
o How many locations?

It’s important to understand that Users/Services and Headend Sizing are completely decoupled

Much easier to scale the deployment, even afterwards

How to Design a Deployment?

PLUS APEX

Cisco Web Security

Cisco ASA Cisco ISE

Router

Yes, there is no migration offer for Plus perpetual !!

Migration Strategy

Existing AC licenses AC APEX Migration Licenses ($0 for 3 Yr, Any User Count)

Premium (Perpetual)

Shared (Perpetual)

AC PLUS Migration Licenses (50% Discount on 5/3/1 Yr licenses, Any User Count)

Old ASA New ASA

APEX (Term)

PLUS (Term)

PLUS (Term)

Essentials (Perpetual)

Non-Lic (NAM, CWS)

Thank you.

