Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Feature Licenses and Specifications

This appendix describes the feature licenses and specifications. This appendix includes the following sections:

Supported Platforms

Platform Feature Licenses

Security Services Module Support

VPN Specifications

Supported Platforms

This software version supports the following platforms:

ASA 5510

ASA 5520

ASA 5540

PIX 515/515E

PIX 525

PIX 535

Platform Feature Licenses

The following tables list the feature support for each platform license.


Note: Items that are in italics are separate, optional licenses that you can add on to a base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the VPN Plus license plus the GTP/GPRS license; or all four licenses together.


Table A-1 ASA 5500 Series Adaptive Security Appliance License Features

ASA 5510

| Feature | Base License | Security Plus |
| --- | --- | --- |
| Security Contexts | No support | No support |
| VPN Peers | 50 IPSec; 50 WebVPN | 150 IPSec; 150 WebVPN |
| Failover | None | Active/Standby |
| GTP/GPRS | Not supported | Not supported |
| Maximum VLANs | 0 | 10 |
| Concurrent Connections* | 32 K | 64 K |
| Max. Physical Interfaces | 3 at 10/100 plus the Management interface for management traffic only (to-the-security-appliance) | Unlimited |
| Encryption | Base (DES); Add-on license: Strong (3DES/AES) | Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 256 MB | 256 MB |

Note: The ASA 5510 does not support VPN load balancing.

ASA 5520 (Base License; second license column: N/A)

| Feature | Base License |
| --- | --- |
| Security Contexts | 2; Add-on licenses: 5, 10 |
| VPN Peers | 300 IPSec; 300 WebVPN; Add-on license: VPN Plus (750 IPSec; 750 WebVPN) |
| Failover | Active/Standby; Active/Active |
| GTP/GPRS | None; Add-on license: Enabled |
| Maximum VLANs | 25 |
| Concurrent Connections* | 130 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 512 MB |

ASA 5540 (Base License; second license column: N/A)

| Feature | Base License |
| --- | --- |
| Security Contexts | 2; Add-on licenses: 5, 10, 20, 50 |
| VPN Peers | 500 IPSec; 500 WebVPN; Add-on license: VPN Plus (2000 IPSec; 1250 WebVPN); Add-on license: VPN Premium (5000 IPSec; 2500 WebVPN) |
| Failover | Active/Standby; Active/Active |
| GTP/GPRS | None; Add-on license: Enabled |
| Maximum VLANs | 100 |
| Concurrent Connections* | 280 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 1024 MB |


* The concurrent connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.

Table A-2 PIX 500 Series Security Appliance License Features

PIX 515/515E*

| Feature | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active)*** |
| --- | --- | --- | --- | --- |
| Security Contexts | No support | 2; Add-on license: 5 | 2; Add-on license: 5 | 2; Add-on license: 5 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled |
| Maximum VLANs | 10 | 25 | 25 | 25 |
| Concurrent Connections | 48 K | 130 K | 130 K | 130 K |
| Max. Physical Interfaces | 3 | 6 | 6 | 6 |
| Encryption | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 64 MB | 128 MB | 128 MB | 128 MB |

PIX 525*

| Feature | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active) |
| --- | --- | --- | --- | --- |
| Security Contexts | No support | 2; Add-on licenses: 5, 10, 20, 50 | 2; Add-on licenses: 5, 10, 20, 50 | 2; Add-on licenses: 5, 10, 20, 50 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled |
| Maximum VLANs | 25 | 100 | 100 | 100 |
| Concurrent Connections | 140 K | 280 K | 280 K | 280 K |
| Max. Physical Interfaces | 6 | 10 | 10 | 10 |
| Encryption | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 128 MB | 256 MB | 256 MB | 256 MB |

PIX 535*

| Feature | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active) |
| --- | --- | --- | --- | --- |
| Security Contexts | No support | 2; Add-on licenses: 5, 10, 20, 50 | 2; Add-on licenses: 5, 10, 20, 50 | 2; Add-on licenses: 5, 10, 20, 50 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled | None; Add-on license: Enabled |
| Max. VLANs | 50 | 150 | 150 | 150 |
| Concurrent Connections | 250 K | 500 K | 500 K | 500 K |
| Max. Physical Interfaces | 8 | 14 | 14 | 14 |
| Encryption | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) | None; Add-on license: Base (DES); Add-on license: Strong (3DES/AES) |
| Minimum RAM | 512 MB | 1024 MB | 1024 MB | 1024 MB |


* The PIX 500 series security appliance does not support WebVPN.

** This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

*** The concurrent connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.

Security Services Module Support

Table A-3 shows the SSMs supported by each platform:

Table A-3 SSM Support

| Platform | SSM Models |
| --- | --- |
| ASA 5510 | AIP SSM 10; 4GE SSM |
| ASA 5520 | AIP SSM 10; AIP SSM 20; 4GE SSM |
| ASA 5540 | AIP SSM 10; AIP SSM 20; 4GE SSM |
| PIX 515/515E | No support |
| PIX 525 | No support |
| PIX 535 | No support |


VPN Specifications

This section describes the VPN specifications for the security appliance. This section includes the following topics:

Cisco VPN Client Support

Site-to-Site VPN Compatibility

Cryptographic Standards

Cisco VPN Client Support

The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-4.

Table A-4 Cisco VPN Client Support

| Client Type | Client Versions |
| --- | --- |
| Software IPSec VPN clients | Cisco VPN client for Windows, Version 3.6 or higher; Cisco VPN client for Linux, Version 3.6 or higher; Cisco VPN client for Solaris, Version 3.6 or higher; Cisco VPN client for Mac OS X, Version 3.6 or higher |
| Hardware IPSec VPN clients (Cisco Easy VPN remote) | Cisco VPN 3002 hardware client, Version 3.0 or higher; Cisco IOS Software Easy VPN remote, Release 12.2(8)YJ; Cisco PIX 500 series security appliance, Version 6.2 or higher; Cisco ASA 5500 series adaptive security appliance, Version 7.0 or higher |


Site-to-Site VPN Compatibility

In addition to providing interoperability for many third-party VPN products, the security appliance interoperates with the Cisco VPN products for site-to-site VPN connectivity shown in Table A-5.

Table A-5 Site-to-Site VPN Compatibility

| Platforms | Software Versions |
| --- | --- |
| Cisco ASA 5500 series adaptive security appliances | Version 7.0 or higher |
| Cisco IOS routers | Release 12.1(6)T or higher |
| Cisco PIX 500 series security appliances | Version 5.1(1) or higher |
| Cisco VPN 3000 series concentrators | Version 2.5.2 or higher |


Cryptographic Standards

The security appliance supports numerous cryptographic standards and related third-party products and services, including those shown in Table A-6.

Table A-6 Cryptographic Standards

| Type | Description |
| --- | --- |
| Asymmetric (public key) encryption algorithms | RSA public/private key pairs, 512 bits to 4096 bits; DSA public/private key pairs, 512 bits to 1024 bits |
| Symmetric encryption algorithms | AES—128, 192, and 256 bits; DES—56 bits; 3DES—168 bits; RC4—40, 56, 64, and 128 bits |
| Perfect forward secrecy (Diffie-Hellman key negotiation) | Group 1—768 bits; Group 2—1024 bits; Group 5—1536 bits; Group 7—163 bits (Elliptic Curve Diffie-Hellman) |
| Hash algorithms | MD5—128 bits; SHA-1—160 bits |
| X.509 certificate authorities | Cisco IOS software; Baltimore UniCERT; Entrust Authority; iPlanet/Netscape CMS; Microsoft Certificate Services; RSA Keon; VeriSign OnSite |
| X.509 certificate enrollment methods | SCEP; PKCS #7 and #10 |