Cisco ASA Series CLI Configuration Manual page 1630

Software version 9.0 for the services module
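AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual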
This platform has an ASA 5510 Security Plus license.
hostname#
To limit AnyConnect VPN sessions (either IPsec/IKEv1 or SSL) to a lower value than the ASA allows,
use the vpn-sessiondb max-anyconnect-premium-or-essentials-limit command in global
configuration mode. To remove the session limit, use the no version of this command.
For example, if the ASA license allows 500 SSL VPN sessions, and you want to limit the number of
AnyConnect VPN sessions to 250, enter the following command:
hostname(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit 250
hostname(config)#
To remove the session limit, use the no version of this command:
hostname(config)# no vpn-sessiondb max-anyconnect-premium-or-essentials-limit 250
hostname(config)#
To limit Cisco VPN client (IPsec IKEv1), LAN-to-LAN VPN, and clientless SSL VPN sessions to a lower
value than the ASA allows, enter the vpn-sessiondb max-other-vpn-limit command in global
configuration mode.
For example, if the ASA license allows 750 IPsec sessions, and you want to limit the number of IPsec
sessions to 500, enter the following command:
hostname(config)# vpn-sessiondb max-other-vpn-limit 500
hostname(config)#
To remove the session limit, use the no version of this command:
hostname(config)# no vpn-sessiondb max-other-vpn-limit 500
hostname(config)#
For a complete description of the features available with each license, see the document Managing
Feature Licenses for Cisco ASA 5500 Version 8.4 at this URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/license_standalone/license_management/license.html
Using an Identity Certificate When Negotiating
The ASA needs to use an identity certificate when negotiating the IKEv2 tunnel with AnyConnect
clients. To configure the IKEv2 remote access trustpoint, use the following command:
crypto ikev2 remote-access trustpoint <name> [line <number>]
Using this command allows the AnyConnect client to support group selection for the end user. You can
configure two trustpoints at the same time: two RSA, two ECDSA, or one of each. The ASA scans the
configured trustpoint list and chooses the first one that the client supports. If ECDSA is preferred, you
should configure that trustpoint before the RSA trustpoint.
The line number option specifies the position in the list at which the trustpoint is inserted. Typically,
this option is used to insert a trustpoint at the top without removing and re-adding the other line. If a line
is not specified, the ASA adds the trustpoint at the end of the list.
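The trustpoint ordering rules described above can be checked offline before a change is pushed. The following Python sketch is an added example, not Cisco code: it replays trustpoint commands in the order entered and reports which certificate a client would be offered. The trustpoint names, the operator-supplied key-type map, 1-based line numbers, and the rejection of a third or repeated trustpoint are assumptions of this model.

```python
import re

# Command form as given on the page: crypto ikev2 remote-access trustpoint <name> [line <number>]
CMD = re.compile(r"^crypto ikev2 remote-access trustpoint (\S+)(?: line (\d+))?$")
MAX_TRUSTPOINTS = 2  # the page: two trustpoints can be configured at the same time

def replay(commands):
    """Return the ordered trustpoint list after the commands are entered in order."""
    order = []
    for cmd in commands:
        m = CMD.match(cmd.strip())
        if not m:
            raise ValueError(f"not a trustpoint command: {cmd!r}")
        name, line = m.groups()
        # Assumption: the model rejects a repeated name or a third trustpoint;
        # the page does not say how the device itself responds.
        if name in order or len(order) >= MAX_TRUSTPOINTS:
            raise ValueError(f"model rejects: {cmd!r}")
        # Assumption: line numbers are 1-based. No line number appends (per the page).
        pos = int(line) - 1 if line else len(order)
        order.insert(max(0, min(pos, len(order))), name)
    return order

def select(order, key_types, client_supports):
    """First trustpoint in list order whose key type the client supports, else None."""
    for name in order:
        if key_types[name] in client_supports:
            return name
    return None

def audit(commands, key_types, preferred="ECDSA"):
    """Return (order, misordered); misordered means the preferred type is not first."""
    order = replay(commands)
    types = [key_types[n] for n in order]
    return order, (preferred in types and types[0] != preferred)

# Constructed sample input: trustpoint names and key types are hypothetical.
KEY_TYPES = {"TP-RSA": "RSA", "TP-ECDSA": "ECDSA"}
APPENDED = ["crypto ikev2 remote-access trustpoint TP-RSA",
            "crypto ikev2 remote-access trustpoint TP-ECDSA"]
INSERTED = ["crypto ikev2 remote-access trustpoint TP-RSA",
            "crypto ikev2 remote-access trustpoint TP-ECDSA line 1"]

if __name__ == "__main__":
    for label, cmds in (("appended", APPENDED), ("inserted at line 1", INSERTED)):
        order, misordered = audit(cmds, KEY_TYPES)
        chosen = select(order, KEY_TYPES, {"RSA", "ECDSA"})
        print(f"{label}: order={order} misordered={misordered} dual-capable client gets {chosen}")
```

With the ECDSA trustpoint appended after RSA, a client that supports both key types is offered the RSA certificate; inserting it with line 1 reverses that without touching the RSA entry.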
Chapter 1: Setting General VPN Parameters
