ASDM 6.0 User Guide
Feature Licenses and Specifications

This appendix describes the feature licenses and specifications. This appendix includes the following sections:

Security Appliance and ASDM Release Compatibility

Client PC Operating System and Browser Requirements

Supported Platforms and Feature Licenses

Security Services Module Support

VPN Specifications

Security Appliance and ASDM Release Compatibility

Table 1 shows the ASDM or PDM versions that can be used with each security appliance release.

Table 1 Security Appliance and ASDM/PDM Release Compatibility

| Security Appliance Release | ASDM/PDM Version |
|---|---|
| 8.0(x) | ASDM 6.0(x) |
| 7.2(x) | ASDM 5.2(x) |
| 7.1(x) | ASDM 5.1(x) |
| 7.0(x) | ASDM 5.0(x) |
| PIX 6.3(x) | PDM 4.1(x) |


Client PC Operating System and Browser Requirements

Table 2 lists the supported and recommended platforms for ASDM. While ASDM might work on other browsers and browser versions, these are the only officially supported browsers. Note that unlike earlier PDM versions, you must have Java installed. The native JVM on Windows is no longer supported and does not work.

Table 2 Operating System, Browser, and Java Requirements

| Platform and Hardware | Operating System | Browser with Java Applet | ASDM Launcher | Other Requirements |
|---|---|---|---|---|
| Windows¹. Processor: Intel Pentium IV, AMD Athlon or equivalent. Memory: Min. 512 MB RAM. Display: Min. 1024x768 resolution and 256 colors | Windows 2000 (Service Pack 4) or Windows XP operating systems, English or Japanese | Internet Explorer 6.0 with Java Plug-in² 1.4.2 or 5.0 (1.5) (Note: HTTP 1.1—Settings for Internet Options > Advanced > HTTP 1.1 should use HTTP 1.1 for both proxy and non-proxy connections.); Firefox 1.5 with Java Plug-in² 1.4.2 or 5.0 (1.5) | Java 1.4.2 or 5.0 (1.5)² | SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences. |
| Sun SPARC Solaris. Memory: Min. 512 MB RAM. Display: Min. 1024x768 resolution and 256 colors | Sun Solaris 8 or 9 | Firefox 1.5 with Java Plug-in² 1.4.2 or 5.0 (1.5) | Not available. | |
| Linux. Memory: Min. 256 MB RAM. Display: Min. 1024x768 resolution and 256 colors | Red Hat Linux Desktop or Red Hat Linux Enterprise WS, Version 3; GNOME or KDE desktop environment | Firefox 1.5 with Java Plug-in² 1.4.2 or 5.0 (1.5) | Not available. | |

1 ASDM is not supported on Windows 3.1, 95, 98, ME or Windows NT4.

2 Download the latest Java from http://java.sun.com/.


Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

ASA 5505, Table A-3

ASA 5510, Table A-4

ASA 5520, Table A-5

ASA 5540, Table A-6

ASA 5550, Table A-7

PIX 515/515E, Table A-8

PIX 525, Table A-9

PIX 535, Table A-10


Note: Items in italics are separate, optional licenses with which you can replace the base license. You can mix and match licenses; for example, the 10 security context license plus the Strong Encryption license, or the 500 Clientless SSL VPN license plus the GTP/GPRS license, or all four licenses together.


Table A-3 ASA 5505 Adaptive Security Appliance License Features

| ASA 5505 | Base License | Security Plus |
|---|---|---|
| Users, concurrent¹ | 10; Optional licenses: 50, Unlimited | 10; Optional licenses: 50, Unlimited |
| Security Contexts | No support | No support |
| VPN Sessions² | 10 combined IPSec and Clientless SSL VPN | 25 combined IPSec and Clientless SSL VPN |
| Max. IPSec Sessions | 10 | 25 |
| Max. Clientless SSL VPN Sessions | 2; Optional license: 10 | 2; Optional license: 10 |
| VPN Load Balancing | No support | No support |
| TLS Proxy for SIP and Skinny Inspection | Supported | Supported |
| Failover | No support | Active/Standby (no stateful failover) |
| GTP/GPRS | No support | No support |
| Maximum VLANs/Zones | 3 (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 20 |
| Maximum VLAN Trunks | No support | Unlimited |
| Concurrent Firewall Conns³ | 10 K | 25 K |
| Max. Physical Interfaces | Unlimited, assigned to VLANs/zones | Unlimited, assigned to VLANs/zones |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) | Base (DES); Optional license: Strong (3DES/AES) |
| Minimum RAM | 256 MB (default) | 256 MB (default) |

1 In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.

2 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

3 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.


Table A-4 ASA 5510 Adaptive Security Appliance License Features

| ASA 5510 | Base License | Security Plus |
|---|---|---|
| Users, concurrent | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional licenses: 5 |
| VPN Sessions¹ | 250 combined IPSec and Clientless SSL VPN | 250 combined IPSec and Clientless SSL VPN |
| Max. IPSec Sessions | 250 | 250 |
| Max. Clientless SSL VPN Sessions | 2; Optional licenses: 10, 25, 50, 100, 250 | 2; Optional licenses: 10, 25, 50, 100, 250 |
| VPN Load Balancing | No support | No support |
| TLS Proxy for SIP and Skinny Inspection | Supported | Supported |
| Failover | No support | Active/Standby or Active/Active |
| GTP/GPRS | No support | No support |
| Max. VLANs | 50 | 100 |
| Concurrent Firewall Conns² | 50 K | 130 K |
| Max. Physical Interfaces | Unlimited at Fast Ethernet speeds | Unlimited at Gigabit Ethernet speeds |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 256 MB (default) | 256 MB (default) |

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-5 ASA 5520 Adaptive Security Appliance License Features

| ASA 5520 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional licenses: 5, 10, 20 |
| VPN Sessions¹ | 750 combined IPSec and Clientless SSL VPN |
| Max. IPSec Sessions | 750 |
| Max. Clientless SSL VPN Sessions | 2; Optional licenses: 10, 25, 50, 100, 250, 500, 750 |
| VPN Load Balancing | Supported |
| TLS Proxy for SIP and Skinny Inspection | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 150 |
| Concurrent Firewall Conns² | 280 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 512 MB (default) |

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-6 ASA 5540 Adaptive Security Appliance License Features

| ASA 5540 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional licenses: 5, 10, 20, 50 |
| VPN Sessions¹ | 5000 combined IPSec and Clientless SSL VPN |
| Max. IPSec Sessions | 5000 |
| Max. Clientless SSL VPN Sessions | 2; Optional licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500 |
| VPN Load Balancing | Supported |
| TLS Proxy for SIP and Skinny Inspection | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 200 |
| Concurrent Firewall Conns² | 400 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 1 GB (default) |

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-7 ASA 5550 Adaptive Security Appliance License Features

| ASA 5550 | Base License |
|---|---|
| Users, concurrent | Unlimited |
| Security Contexts | 2; Optional licenses: 5, 10, 20, 50 |
| VPN Sessions¹ | 5000 combined IPSec and Clientless SSL VPN |
| Max. IPSec Sessions | 5000 |
| Max. Clientless SSL VPN Sessions | 2; Optional licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000 |
| VPN Load Balancing | Supported |
| TLS Proxy for SIP and Skinny Inspection | Supported |
| Failover | Active/Standby or Active/Active |
| GTP/GPRS | None; Optional license: Enabled |
| Max. VLANs | 250 |
| Concurrent Firewall Conns² | 650 K |
| Max. Physical Interfaces | Unlimited |
| Encryption | Base (DES); Optional license: Strong (3DES/AES) |
| Min. RAM | 4 GB (default) |

1 Although the maximum IPSec and Clientless SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the security appliance, so be sure to size your network appropriately.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-8 PIX 515/515E Security Appliance License Features

| PIX 515/515E | R (Restricted) | UR (Unrestricted) | FO (Failover)¹ | FO-AA (Failover Active/Active)¹ |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional license: 5 | 2; Optional license: 5 | 2; Optional license: 5 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| Clientless SSL VPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| TLS Proxy for SIP and Skinny Inspection | No support | No support | No support | No support |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 10 | 25 | 25 | 25 |
| Concurrent Firewall Conns² | 48 K | 130 K | 130 K | 130 K |
| Max. Physical Interfaces | 3 | 6 | 6 | 6 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 64 MB (default) | 128 MB | 128 MB | 128 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-9 PIX 525 Security Appliance License Features

| PIX 525 | R (Restricted) | UR (Unrestricted) | FO (Failover)¹ | FO-AA (Failover Active/Active)¹ |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| Clientless SSL VPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| TLS Proxy for SIP and Skinny Inspection | No support | No support | No support | No support |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 25 | 100 | 100 | 100 |
| Concurrent Firewall Conns² | 140 K | 280 K | 280 K | 280 K |
| Max. Physical Interfaces | 6 | 10 | 10 | 10 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 128 MB (default) | 256 MB | 256 MB | 256 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table A-10 PIX 535 Security Appliance License Features

| PIX 535 | R (Restricted) | UR (Unrestricted) | FO (Failover)¹ | FO-AA (Failover Active/Active)¹ |
|---|---|---|---|---|
| Users, concurrent | Unlimited | Unlimited | Unlimited | Unlimited |
| Security Contexts | No support | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 | 2; Optional licenses: 5, 10, 20, 50 |
| IPSec Sessions | 2000 | 2000 | 2000 | 2000 |
| Clientless SSL VPN Sessions | No support | No support | No support | No support |
| VPN Load Balancing | No support | No support | No support | No support |
| TLS Proxy for SIP and Skinny Inspection | No support | No support | No support | No support |
| Failover | No support | Active/Standby; Active/Active | Active/Standby | Active/Standby; Active/Active |
| GTP/GPRS | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled | None; Optional license: Enabled |
| Max. VLANs | 50 | 150 | 150 | 150 |
| Concurrent Firewall Conns² | 250 K | 500 K | 500 K | 500 K |
| Max. Physical Interfaces | 8 | 14 | 14 | 14 |
| Encryption | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) | None; Optional licenses: Base (DES), Strong (3DES/AES) |
| Min. RAM | 512 MB (default) | 1024 MB | 1024 MB | 1024 MB |

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Security Services Module Support

Table A-11 shows the SSMs supported by each platform:

Table A-11 SSM Support

| Platform | SSM Models |
|---|---|
| ASA 5505 | No support |
| ASA 5510 | AIP SSM 10; CSC SSM 10; CSC SSM 20; 4GE SSM |
| ASA 5520 | AIP SSM 10; AIP SSM 20; CSC SSM 10; CSC SSM 20; 4GE SSM |
| ASA 5540 | AIP SSM 10; AIP SSM 20; CSC SSM 10¹; CSC SSM 20¹; 4GE SSM |
| ASA 5550 | No support (4GE SSM is built-in and not user-removable) |
| PIX 515/515E | No support |
| PIX 525 | No support |
| PIX 535 | No support |

1 The CSC SSM licenses support up to 1000 users while the Cisco ASA 5540 Series appliance can support significantly more users. If you deploy CSC SSM with an ASA 5540 adaptive security appliance, be sure to configure the security appliance to send the CSC SSM only the traffic that should be scanned.


VPN Specifications

This section describes the VPN specifications for the security appliance. This section includes the following topics:

Cisco VPN Client Support

Cisco Secure Desktop Support

Site-to-Site VPN Compatibility

Cryptographic Standards

Cisco VPN Client Support

The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-12.

Table A-12 Cisco VPN Client Support

| Client Type | Client Versions |
|---|---|
| SSL VPN clients | Cisco SSL VPN client, Version 1.1 or higher |
| Software IPSec VPN clients | Cisco VPN client for Windows, Version 3.6 or higher; Cisco VPN client for Linux, Version 3.6 or higher; Cisco VPN client for Solaris, Version 3.6 or higher; Cisco VPN client for Mac OS X, Version 3.6 or higher |
| Hardware IPSec VPN clients (Cisco Easy VPN remote) | Cisco VPN 3002 hardware client, Version 3.0 or higher; Cisco IOS Software Easy VPN remote, Release 12.2(8)YJ; Cisco PIX 500 series security appliance, Version 6.2 or higher; Cisco ASA 5500 series adaptive security appliance, Version 7.0 or higher |


Cisco Secure Desktop Support

The security appliance supports CSD software Version 3.1.1.16.

Site-to-Site VPN Compatibility

In addition to providing interoperability for many third-party VPN products, the security appliance interoperates with the Cisco VPN products for site-to-site VPN connectivity shown in Table A-13.

Table A-13 Site-to-Site VPN Compatibility

| Platforms | Software Versions |
|---|---|
| Cisco ASA 5500 series adaptive security appliances | Version 7.0(1) or higher |
| Cisco IOS routers | Release 12.1(6)T or higher |
| Cisco PIX 500 series security appliances | Version 5.1(1) or higher |
| Cisco VPN 3000 series concentrators | Version 3.6(1) or higher |


Cryptographic Standards

The security appliance supports numerous cryptographic standards and related third-party products and services, including those shown in Table A-14.

Table A-14 Cryptographic Standards

| Type | Description |
|---|---|
| Asymmetric (public key) encryption algorithms | RSA public/private key pairs, 512 bits to 4096 bits; DSA public/private key pairs, 512 bits to 1024 bits |
| Symmetric encryption algorithms | AES—128, 192, and 256 bits; DES—56 bits; 3DES—168 bits; RC4—40, 56, 64, and 128 bits |
| Perfect forward secrecy (Diffie-Hellman key negotiation) | Group 1—768 bits; Group 2—1024 bits; Group 5—1536 bits; Group 7—163 bits (Elliptic Curve Diffie-Hellman). Note: The group 7 command option was deprecated in ASA version 8.0(4). Attempts to configure group 7 will generate an error message and use group 5 instead. |
| Hash algorithms | MD5—128 bits; SHA-1—160 bits |
| X.509 certificate authorities | Cisco IOS software; Baltimore UniCERT; Entrust Authority; iPlanet CMS; Microsoft Certificate Services; RSA Keon; VeriSign OnSite |
| X.509 certificate enrollment methods | SCEP; PKCS #7 and #10 |