
Cisco Adaptive Security Appliance and PIX Security Appliance Families

Lesson 2

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—2-1


Models and Features of Cisco Security Appliances


ASA 5500 Series

[Figure: positioning chart of the ASA 5500 Series, with price on the vertical axis and functionality on the horizontal axis. From lowest to highest: ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550; the upper models carry Gigabit Ethernet. Target markets along the functionality axis: SOHO, ROBO, SMB, Enterprise, SP (SP = service provider).]


PIX 500 Series

[Figure: positioning chart of the PIX 500 Series, with price on the vertical axis and functionality on the horizontal axis. From lowest to highest: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535; the upper models carry Gigabit Ethernet. Target markets along the functionality axis: SOHO, ROBO, SMB, Enterprise, SP.]
Cisco ASA 5505 Adaptive Security Appliance

• Delivers small office, home office, and remote office security and VPN solutions
• Provides up to 16,000 concurrent connections with the Security Plus license
• Provides up to 100-Mbps firewall throughput
• Provides interface support
  – Built-in Layer 2 switch with eight Fast Ethernet ports
  – Up to three VLANs
  – One 802.1Q trunk port
  – PoE on two ports
• Supports failover
  – Active/standby
  – Stateless
• Supports VPNs
  – Site to site
  – Remote access
  – WebVPN


ASA 5505 Adaptive Security Appliance: Front Panel

[Figure: front panel, showing the Power, Active, SSC, Status, and VPN LEDs, the per-port link and activity indicators and speed indicators, and a USB port.]


ASA 5505 Adaptive Security Appliance: Back Panel

[Figure: back panel, showing the SSC slot, console port, power connector, USB ports, reset button, Ethernet ports 0–5, and PoE ports 6–7.]


Cisco ASA 5510 Adaptive Security Appliance

• Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices
• Provides up to 130,000 concurrent connections
• Provides up to 300-Mbps firewall throughput
• Provides interface support
  – Up to five 10/100 Fast Ethernet interfaces
  – Up to 25 VLANs
  – Up to five contexts
• Supports failover
  – Active/standby
• Supports VPNs
  – Site to site (250 peers)
  – Remote access
  – WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)


Cisco ASA 5520 Adaptive Security Appliance

• Delivers advanced security services, including high-performance VPN services, for medium-sized enterprise networks
• Provides up to 280,000 concurrent connections
• Provides up to 450-Mbps firewall throughput
• Provides interface support
  – Four 10/100/1000 Gigabit Ethernet interfaces
  – One 10/100 Fast Ethernet interface
  – Up to 100 VLANs
  – Up to 20 contexts
• Supports failover
  – Active/standby
  – Active/active
• Supports VPNs
  – Site to site (750 peers)
  – Remote access
  – WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)


Cisco ASA 5540 Adaptive Security Appliance

• Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks
• Provides up to 400,000 concurrent connections
• Provides up to 650-Mbps firewall throughput
• Provides interface support
  – Four 10/100/1000 Gigabit Ethernet interfaces
  – One 10/100 Fast Ethernet interface
  – Up to 200 VLANs
  – Up to 50 contexts
• Supports failover
  – Active/standby
  – Active/active
• Supports VPNs
  – Site to site (5,000 peers)
  – Remote access
  – WebVPN
• Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

ASA 5510, 5520, and 5540 Adaptive Security Appliances: Front Panel

[Figure: front panel LEDs: Power, Status, Active, Flash, and VPN.]


ASA 5510, 5520, and 5540 Adaptive Security Appliances: Back Panel

[Figure: back panel, showing the CompactFlash slot, the fixed interfaces, and the security services module slot.]


ASA 5510, 5520, and 5540 Adaptive Security Appliances: Connectors

[Figure: back-panel connectors: CompactFlash slot, 10/100 out-of-band management port, console port, AUX port, power supply (AC or DC), four 10/100/1000 Gigabit Ethernet ports*, and two USB 2.0 ports.]

*The ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.


Cisco ASA 5550 Adaptive Security Appliance

• Delivers high-performance, high-density security services, including high-performance VPN services, for large enterprise networks and service-provider networks
• Provides 650,000 concurrent connections
• Provides up to 1.2-Gbps firewall throughput
• Provides interface support
  – Eight 10/100/1000 Gigabit Ethernet interfaces
  – Four SFP fiber ports
    (Only 8 of these 12 ports can be active simultaneously.)
  – One 10/100 Fast Ethernet interface
  – Up to 200 VLANs
  – Up to 50 contexts
• Supports failover
  – Active/active
  – Active/standby
• Supports VPNs
  – Site to site (5000 peers)
  – Remote access
  – WebVPN

ASA 5550 Adaptive Security Appliance: Front Panel

[Figure: front panel LEDs: Power, Status, Active, Flash, and VPN.]


ASA 5550 Adaptive Security Appliance: Back Panel

[Figure: back panel with Slot 1 on the left and Slot 0 on the right. Slot 1 carries copper and fiber ports, Slot 0 copper ports; both slots carry incoming and outgoing traffic.]


ASA 5550 Adaptive Security Appliance: Connectors

[Figure: back-panel connectors: 10/100 out-of-band management port, CompactFlash slot, console port, power connector, power switch, AUX port, USB 2.0 ports, four 10/100/1000 Gigabit Ethernet ports in Slot 0, and four 10/100/1000 Gigabit Ethernet ports plus four fiber Gigabit Ethernet ports in Slot 1.]


Cisco ASA Security Services Module

• High-performance module designed to provide additional security services
• Diskless (Flash-based) design for improved reliability
• Gigabit Ethernet port for out-of-band management


SSM Models

SSM-10
• 2.0-GHz processor
• 1.0 GB RAM

SSM-20
• 2.4-GHz processor
• 2.0 GB RAM

[Figure: SSM faceplate LEDs: Power, Status, Speed, and Link and activity.]


Four-Port Gigabit Ethernet SSM

[Figure: faceplate with four RJ-45 ports and four SFP ports. Each RJ-45 port has a link LED and a speed LED, each SFP port has a link LED and a speed LED, and the module has Power and Status LEDs.]

Cisco PIX 501 Security Appliance

• Designed for small offices and teleworkers
• 7500 concurrent connections
• 60-Mbps throughput
• Interface support
  – Supports one 10/100BASE-T Ethernet interface (outside)
  – Has a four-port 10/100 switch (inside)
• VPN throughput
  – 3-Mbps 3DES
  – 4.5-Mbps 128-bit AES
• 10 simultaneous VPN peers


PIX 501 Security Appliance: Front Panel LEDs

[Figure: front panel LEDs: Power, Link and activity, VPN Tunnel, and 100 Mbps.]


PIX 501 Security Appliance: Back Panel

[Figure: back panel: four-port 10/100 switch (RJ-45), 10/100BASE-T port (RJ-45), console port (RJ-45), power connector, and security lock slot.]


PIX 506E Security Appliance

• Designed for remote offices and small to medium-sized businesses
• Provides up to 25,000 concurrent connections
• Provides up to 100-Mbps clear text throughput
• Supports two interfaces
  – 10BASE-T or 100BASE-T
  – Two VLANs
• Provides VPN throughput
  – 17-Mbps 3DES
  – 30-Mbps 128-bit AES
• Provides 25 simultaneous VPN peers


PIX 506E Security Appliance: Front Panel LEDs

[Figure: front panel LEDs: Power, Act, and Network.]


PIX 506E Security Appliance: Back Panel

[Figure: back panel: two 10BASE-T or 100BASE-T ports (RJ-45), each with an Act LED and a Link LED; console port (RJ-45); USB port; and power switch.]


PIX 515E Security Appliance

• Designed for small- to medium-sized business and enterprise networks
• Provides up to 130,000 concurrent connections
• Provides up to 188-Mbps clear text throughput
• Provides interface support
  – Up to six 10/100 Fast Ethernet interfaces
  – Up to 25 VLANs
  – Up to five contexts
• Supports failover
  – Active/standby
  – Active/active
• Supports VPNs (2000 tunnels)
  – Site to site
  – Remote access

PIX 515E Security Appliance: Front Panel LEDs

[Figure: front panel LEDs: Power, Act, and Network.]


PIX 515E Security Appliance: Back Panel

[Figure: back panel, showing the fixed interfaces and the expansion slots.]


PIX 515E Security Appliance: Fixed Interface Connector

[Figure: fixed interface connector.]


PIX 515E Security Appliance: Expansion Slot Option Cards

[Figure: expansion slots and option cards. Fast Ethernet cards: single-port Fast Ethernet and four-port Fast Ethernet-66. VPN accelerators: PIX Firewall VAC and PIX Firewall VAC+.]


PIX 515E Security Appliance: Fast Ethernet Card Port Numbering

[Figure: port numbering for the single-port card and the four-port card.]

• PIX 515E Security Appliance option cards require the UR license.

PIX 525 Security Appliance

• Designed for medium to large enterprise networks
• Provides up to 280,000 concurrent connections
• Provides up to 330-Mbps clear text throughput
• Provides interface support
  – Up to ten 10/100 Fast Ethernet interfaces
  – Up to 100 VLANs
  – Up to 50 contexts
• Supports failover
  – Active/standby
  – Active/active
• Supports VPNs (2,000 tunnels)
  – Site to site
  – Remote access


PIX 525 Security Appliance: Front Panel LEDs

[Figure: front panel LEDs: Power and Act.]


PIX 525 Security Appliance: Back Panel

[Figure: back panel, showing the expansion slots and the fixed interfaces.]


PIX 525 Security Appliance: Fixed Interface Connectors

[Figure: fixed interface connectors: ETHERNET 1 and ETHERNET 0 10/100BASE-TX ports (RJ-45), each with activity and link LEDs plus a 100-Mbps LED; failover connector (DB-15); console port (RJ-45); and USB port.]


PIX 525 Security Appliance: Expansion Cards and VACs

[Figure: PIX Firewall VAC and VAC+, single-port Gigabit Ethernet-66 card, single-port Fast Ethernet card, and four-port Fast Ethernet-66 card.]


PIX 535 Security Appliance

• Designed for enterprise and service providers
• Provides up to 500,000 concurrent connections
• Provides up to 1.7-Gbps clear text throughput
• Provides interface support
  – Up to 14 Fast Ethernet or 9 Gigabit Ethernet interfaces
  – Up to 150 VLANs
  – Up to 50 contexts
• Supports failover
  – Active/standby
  – Active/active
• Supports VPNs (2000 tunnels)
  – Site to site
  – Remote access


PIX 535 Security Appliance: Front Panel LEDs

[Figure: front panel LEDs: Power and Active.]


PIX 535 Security Appliance: Back Panel

[Figure: back panel: DB-15 failover connector, console port (RJ-45), USB port, and slots 8 through 0 on three buses: Bus 2 and Bus 1 (32-bit, 33-MHz) and Bus 0 (64-bit, 66-MHz).]


PIX 535 Security Appliance: Option Cards

[Figure: option cards. Gigabit Ethernet: single-port Gigabit Ethernet and single-port Gigabit Ethernet-66. Fast Ethernet: single-port Fast Ethernet, four-port Fast Ethernet-66, and four-port Fast Ethernet (EOS). VPN accelerators: PIX Firewall VAC and PIX Firewall VAC+.]


PIX 535 Security Appliance: Back Panel

[Figure: back panel slot layout: DB-15 failover connector, USB port, console port (RJ-45); top row Slot 8, Slot 6, Slot 4, Slot 2, Slot 1; bottom row Slot 7, Slot 5, Slot 3, Slot 0.]


ASA Licensing


ASA Security Appliance Security Context Licenses

[Figure: one appliance partitioned into contexts for Dept./Cust. 1 and Dept./Cust. 2.]

Default
• Two contexts for ASA 5520, 5540, and 5550 Security Appliances

Available context licenses (depending on model)
• 5 contexts
• 10 contexts
• 20 contexts
• 50 contexts

Upgrade licenses (depending on model)
• From 5 to 10 contexts
• From 10 to 20 contexts
• From 20 to 50 contexts

ASA 5505 and 5510 Adaptive Security Appliances Licensing

License       | Interfaces | Security Contexts | VLANs | IPsec VPN Peers | Failover A/S | Failover A/A | Concurrent Firewall Connections
ASA 5505 Adaptive Security Appliance
Base          | 8 x 10/100 | N/A               | 3     | 10              | N/A          | N/A          | 10,000
Security Plus | 8 x 10/100 | N/A               | 3     | 25              | Yes          | N/A          | 25,000
ASA 5510 Adaptive Security Appliance
Base          | 3 x 10/100 | N/A               | 10    | 250             | N/A          | N/A          | 50,000
Security Plus | 5 x 10/100 | 5                 | 25    | 250             | Yes          | N/A          | 130,000


ASA 5520, 5540, and 5550 Adaptive Security Appliance Licensing

License  | Interfaces                           | Security Contexts | VLANs | IPsec VPN Peers | Failover A/S | Failover A/A | WebVPN Peers
ASA 5520 Adaptive Security Appliance
Base     | 4 x 10/100/1000, 1 x 10/100          | 2                 | 100   | 750             | Yes          | Yes          | 2
Optional | N/A                                  | 5, 10, 20         | N/A   | N/A             | N/A          | N/A          | 10, 25, 50, 100, 250, 500, 750
ASA 5540 Adaptive Security Appliance
Base     | 4 x 10/100/1000, 1 x 10/100          | 2                 | 200   | 5000            | Yes          | Yes          | 2
Optional | N/A                                  | 5, 10, 20, 50     | N/A   | N/A             | N/A          | N/A          | 10, 25, 50, 100, 250, 500, 750, 1000, 2500
ASA 5550 Adaptive Security Appliance
Base     | 8 x 10/100/1000, 4 fiber, 1 x 10/100 | 2                 | 200   | 5000            | Yes          | Yes          | 2
Optional | N/A                                  | 5, 10, 20, 50     | N/A   | N/A             | N/A          | N/A          | 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000

PIX Firewall Security Appliance Licensing


PIX Security Appliance License Types

• UR (unrestricted): Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
• Restricted: Limits the number of interfaces supported and the amount of RAM available within the system (no contexts and no failover).
• Active/standby failover: Places one security appliance in a failover mode for use alongside a security appliance that has a UR license. Only one unit can be actively processing user traffic; the other unit acts as a hot standby.
• Active/active failover: Places a security appliance that has a UR license in a failover mode for use alongside another security appliance that has a UR license or two UR licenses. Both units can actively process traffic while serving as a backup for each other.

Applies to PIX 515E, 525, and 535 Security Appliances


VPN Encryption License

• DES license
  – Provides 56-bit DES
• 3DES/AES license
  – Provides 168-bit 3DES
  – Provides up to 256-bit AES


PIX Security Appliance Security Context Licenses

[Figure: the default license with two contexts (Dept. 1 and Dept. 2) beside an upgraded license with four contexts (Dept. 1 through Dept. 4).]

PIX 515E, 525, and 535 Security Appliances Licensing

License Type | Physical Interfaces | VLANs | Contexts           | Memory (MB) | Failover
PIX 515E Security Appliance
Restricted   | 3                   | 10    | N/A                | 64          | No
UR           | 6                   | 25    | License up to five | 128         | Yes
PIX 525 Security Appliance
Restricted   | 6                   | 25    | N/A                | 128         | No
UR           | 10                  | 100   | License up to 50   | 256         | Yes
PIX 535 Security Appliance
Restricted   | 8                   | 50    | N/A                | 512         | No
UR           | 14                  | 150   | License up to 50   | 1024        | Yes



Summary

• There are currently 10 Cisco ASA and PIX security appliance models.
  – In the Cisco PIX 500 Series Security Appliance: PIX 501, 506E, 515E, 525, and 535 Security Appliances
  – In the Cisco ASA 5500 Series Adaptive Security Appliance: ASA 5505, 5510, 5520, 5540, and 5550 Adaptive Security Appliances
• You can extend the capabilities of your ASA 5505 or 5510 Adaptive Security Appliances with the Security Plus license and feature licenses.
• You can extend the capabilities of your ASA 5520, 5540, or 5550 Adaptive Security Appliances with feature licenses.
• A Security Plus license extends the capabilities of multiple features.
• A feature license extends the capabilities of a single feature.
• Restricted, unrestricted, and failover licenses are available for PIX 515E, 525, and 535 Security Appliances.

