AnyConnect Essentials : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual

Now we will cover each of these items in detail.

On the Cisco ASA 5505 you may see a line stating:

On the 5505 each interface is assigned a VLAN. This states that only 3 VLANs can be created, which are then eligible to be applied to an interface. The "DMZ Restricted" term indicates a further restriction. Two VLANs can talk to each other without issues. Suppose these are "inside" and "outside". The DMZ interface is restricted to passing traffic to either the inside interface or the outside interface, but it cannot pass traffic to both. A Security Plus license can be applied to remove this restriction.

This is "Unlimited" in all models except for the 5505. The 5505 comes with 10 hosts standard and can be upgraded to 50 or an unlimited number of hosts. This specifically means the ASA will only build connections for 10 hosts within the network at a time.

This is not to be confused with "Clustering". Failover is when two firewalls (which are matching models and hardware) are paired together for redundancy. In an Active/Standby scenario, one firewall acts as the active one and accepts connections going through it. The active firewall will keep the active IP. So if the primary firewall goes down, the standby unit will kick over to active and even take over the active IP. This failover usually occurs without dropping a packet because the connection table is replicated between the two units.

An Active/Active scenario is generally used for multi context firewalls. This may be used when the primary firewall is the Active firewall for Context A, and the secondary firewall is the Active firewall for Context B. If one firewall goes down, the remaining one becomes Active for both contexts.

Encryption

Encryption-DES comes standard on all firewalls.

Encryption-3DES-AES is a $0 cost license that enables 3DES and AES encryption methods.

Security Contexts

By default the ASA has 2 contexts that can be run simultaneously. This is not supported in the 5505 and requires the Security Plus license for 55-X.

A multi context firewall is one which runs multiple separate firewalls inside a single chassis. The admin context is used to determine which interfaces are assigned to which contexts.

It is used for site to site IPSec tunnels using IKEv1 or IKEv2. It is also used when using remote access VPN (Legacy Cisco VPN Client) using IKEv1. IPSec remote access IKEv2 requires AnyConnect Essentials or AnyConnect Premium.

AnyConnect

For more information regarding AnyConnect Premium and Essentials see my blog post Understanding AnyConnect Licensing.

Advanced Endpoint Assessment is used to enhance the host scan. Where a host scan can normally detect when a VPN user is out of compliance and not allowed connection into the network, the Advanced Endpoint Assessment can actually suggest to the user what they'll need to do to fix it, either by downloading an update or by guiding them on fixing a program.

AnyConnect for Cisco VPN Phone is used for allowing VoIP phones that have built-in VPN support to VPN into the ASA and then contact the Call Manager. Only supported on CallManager 8.0+ and IP Phone firmware 9.x.

Botnet

For more information on the botnet license and capability see my blog post Understanding Botnet Licensing.

This is used by ISPs who have 3G traffic going through their network.

The Shared SSL VPN license is a way to have a central ASA act as an AnyConnect premium peer license server, and other participant ASAs can ask for licenses (in blocks of 50 at a time) from the shared license server. This requires both a Server license and a participant license.

This is a legacy license because CallManager 8.0+ does not support this feature any longer.

Intercompany Media Engine

Allows support to offload communications from PSTN to IP-based SIP trunks through the ASA. Primarily used for business to business federation between CUCMs.

In ASA 5500-X series firewalls the IPS module is entirely software based and requires an additional license to enable it. Once the license is enabled for the software firewall, an additional support contract (smartnet) is required to update the IPS sensor with signatures.