reference deployment

Cisco ASAv RA-VPN on AWS

A scalable remote-access VPN that uses adaptive security

This Quick Start reference deployment guide provides step-by-step instructions for deploying a scalable Cisco Remote Access Virtual Private Network (RA-VPN) on the AWS Cloud. This Quick Start is for users who want to deploy or learn about Cisco AnyConnect RA-VPN services on Cisco Adaptive Security Virtual Appliance (ASAv) firewalls using the AWS Cloud architecture.

As companies address the ever-increasing demand for secure remote connectivity, the need for a stable and scalable RA-VPN has increased. For many organizations, investing in additional hardware appliances to scale up a network’s infrastructure may not meet timeline objectives or available budget requirements. Cloud-based architectures provide computing environments that are highly scalable and flexible in terms of both costs and resources.

Cisco logo

This Quick Start was developed by Cisco in collaboration with AWS. Cisco is an AWS Partner.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • The Quick Start sets up the following:

    • A highly available architecture that spans two or more Availability Zones (up to four, depending on the number of ASAvs).
    • An Amazon Route 53–hosted zone, including associated records with a weighted policy for Domain Name System (DNS)–based load balancing.
    • An internet gateway for connecting users to the AWS Cloud.
    • ASAv instances (up to four) with zero-day configuration. This sets up the AnyConnect client VPN, elastic network interfaces, and options to accept RA-VPN clients. ASAv instances are spread across Availability Zones for redundancy and to maintain a fixed one-to-one ratio of ASAvs to Availability Zones.
    • A virtual private cloud (VPC) to provide you with your own virtual network.
    • In the VPC, a public route table, VPC route table, and AWS Transit Gateway route table.
    • A private route table in each Availability Zone.
    • In the public subnets:
      • Elastic network interfaces with associated IP addresses.
      • Cisco ASAv instances.
    • In the private subnets:
      • An elastic network interface with a private IP address for the management subnet.
      • An elastic network interface with a private IP address for the private subnet.
      • An elastic network interface with a private IP address for the AWS Transit Gateway subnet.
    • AWS Transit Gateway to extend connectivity to on-premises resources that use either an AWS Site-to-Site VPN or an AWS Direct Connect gateway.
    • AWS Direct Connect for private connectivity between AWS and your data center, office, or colocation environment.
  •  How to deploy
  • To deploy Cisco RA-VPN, follow the instructions in the deployment guide. The deployment process takes about 20 minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Subscribe to the Cisco RA-VPN AMI.
    3. Launch the Quick Start.
    4. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

    This Quick Start requires an RA-VPN license from Cisco. The Cisco ASAv virtual firewall provides the following licensing options:

    • Option 1: Use AWS pay-as-you-go licensing, which is based on hourly billing. This is the default option for this Quick Start.
    • Option 2: Use Amazon’s Bring Your Own License model in conjunction with Cisco’s Smart Licensing.

    To use this Quick Start in a production environment, see Cisco Adaptive Security Virtual Appliance (ASAv) — Standard Package. Ensure that you subscribe to the image using the correct Region. If you want to use option 2, you must use the correct Amazon Machine Image (AMI). For more information, see how to Deploy the ASAv on the AWS Cloud.

    This Quick Start requires a subscription to the AMI for Cisco RA‑VPN, which is available from AWS Marketplace. Additional pricing, terms, and conditions may apply. For instructions, see the deployment guide.