lesson 2b cisco pix security appliance and asa adaptive security appliance families © 2005 cisco...

Lesson 2b

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1

Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families


Models and Features of Cisco PIX Firewall and Cisco ASA Adaptive Security Appliances


SMB

Pric

e

Functionality

Gigabit Ethernet

PIX Firewall Security Appliance Family

EnterpriseROBO

PIX Firewall 515E

PIX Firewall 525

PIX Firewall 535

SOHO

PIX Firewall 501

PIX Firewall 506E

SP


SMB

Pric

e

Functionality

Gigabit Ethernet

ASA Adaptive Security Appliance Family

EnterpriseROBOSOHO SP

ASA 5520

ASA 5540

ASA 5510


Cisco PIX Firewall 501 Security Appliance

• Designed for small offices and teleworkers

• 7500 concurrent connections

• 60-Mbps throughput

• Interface support

– Supports one 10/100BASE-T* Ethernet interface (outside)

– Has four-port 10/100 switch (inside)

• VPN throughput

– 3-Mbps 3DES

– 4.5-Mbps 128-bit AES

• Ten simultaneous VPN peers

*100BASE-T speed option is available in release 6.3.


VPN TUNNEL

POWER

100 MBPS

LINK/ACT

PIX Firewall 501: Front Panel LEDs


PIX Firewall 501: Back Panel

Security Lock Slot

Power Connector

10/100BASE-T (RJ-45)

Console Port (RJ-45)

Four-Port 10/100 Switch (RJ-45)


PIX Firewall 506E Security Appliance

• Is designed for remote offices and small- to medium-sized businesses

• Provides 25,000 concurrent connections

• Provides 100-Mbps clear text throughput

• Supports Two interfaces

– 10/100BASE-T*

– Two VLANs*

• Provides VPN throughput

– 17-Mbps 3DES

– 30-Mbps 128-bit AES

• Provides 25 simultaneous VPN peers

*100BASE-T speed option is available in PIX Firewall Security Appliance Software v6.3 for 506E only. Two VLANs are supported in release 6.3(4).


PIX Firewall 506E: Front Panel LEDs

NETWORK

ACT

POWER LED


PIX Firewall 506E: Back Panel

LINKLED

Console Port (RJ-45)

Power Switch

ACT LED

10/100BASE-T(RJ-45)

10/100BASE-T(RJ-45)

ACT LED LINK

LED

USBPort


PIX Firewall 515E Security Appliance

• Is designed for small- to medium-sized businesses and enterprise networks



• Provides Interface support

– Up to six 10/100 Fast Ethernet interfaces

– Up to 25 VLANs

– Up to five contexts

• Supports failover

– Active/standby

– Active/active

• Supports VPNs (2,000 tunnels)

– Site to site

– Remote access


PIX Firewall 515E: Front Panel LEDs

NETWORKPOWER

ACT


PIX Firewall 515E: Back Panel

Expansion Slots Fixed Interfaces


PIX Firewall 515E: Fixed Interface Connectors

FailoverConnector

FDXLED

LinkLED

100 MbpsLED

FDXLED

CONSOLEPort (RJ-45)

10/100BASE-TETHERNET1

(RJ-45)

Power Switch

LINKLED

100 MbpsLED

10/100BASE-TXETHERNET0

(RJ-45)

Link LED


PIX Firewall 515E: Expansion Slot Option Cards

VAC VAC+4 FE - 66

Fast Ethernet VPN Accelerator

1FE

Expansion Slots


PIX Firewall 515E: Fast Ethernet Card Port Numbering

• PIX Firewall 515E Security Appliance option cards require the UR license.

Single-port

Card

Quad-port

Card


PIX Firewall 525 Security Appliance

• Is designed for enterprise networks




– Up to ten 10/100 Fast Ethernet interfaces

– Up to 100 VLANs

– Up to 50 contexts


– Active/standby

– Active/active


– Site to site

– Remote access


PIX Firewall 525: Front Panel LEDs

POWER

ACT


PIX Firewall 525: Back Panel

Expansion SlotsFixed Interfaces


PIX Firewall 525: Fixed Interface Connectors

100 MbpsLED

ACT LEDACT LED

LINK LED

LINK LED

FAILOVERConnection


(RJ-45)

USBPort Console

Port (RJ-45)


(RJ-45)


PIX Firewall 525: Expansion Cards and VACs

VAC and VAC+ 1GE-66 Card 1FECard 4FE-66Card


PIX Firewall 535 Security Appliance

• Is designed for enterprise and service providers


• Provides 1.65-Gbps clear text throughput


– Up to 14 Fast and Gigabit Ethernet interfaces

– Up to 150 VLANs

– Up to 50 contexts


– Active/standby

– Active/active


– Site to site

– Remote access


PIX 535: Front Panel LEDs

POWER ACTIVE


Bus 1 Bus 0(64-bit, 66-MHz)

Bus 2(32-bit, 33-MHz)

PIX 535: Back Panel

Slots3 2 1 0

Slots8 7 6 5 4

ConsoleRJ-45

USB port

DB-15Failover


PIX Firewall 535: Option Cards

VAC

VAC+

1GE1GE-66 4FE-66

Gigabit Ethernet Fast Ethernet

VPN Accelerator

1FE

4FE(EOS)


PIX 535: Back Panel

DB-15Failover

Slot 8

Slot 7

Slot 6

Slot 5

Slot 4

Slot 3

Slot 2 Slot 1

Slot 0ConsoleRJ-45

USB Port


ASA 5500 Adaptive Security Appliance Family


Cisco ASA 5510 Adaptive Security Appliance

• Delivers all-in-one enterprise, remote office, and small- to medium-sized business security and VPN gateway


• Provides 300-Mbps firewall throughput

• Provides interface support– Up to five 10/100 Fast Ethernet

interfaces– Up to ten VLANs

• Supports failover– Active/standby

• Supports VPNs– Site to site– Remote access– WebVPN

• Supports AIP-SSM-10 (optional)



• Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN gateway

• Provides 130,000 concurrent connections• Provides 450-Mbps firewall throughput• Provides Interface support

– Four 10/100/1000 Gigabit Ethernet interfaces

– One 10/100 Fast Ethernet interface– Up to 25 VLANs– Up to 10 contexts

• Supports failover– Active/standby– Active/active

• Supports VPNs– Site to site– Remote access– WebVPN




• Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN Gateway


• Provides 400-Mbps firewall throughput• Provides Interface support

– Four 10/100/1000 Gigabit Ethernet interfaces

– One 10/100 Fast Ethernet interface– Up to 100 VLANs– Up to 50 contexts

• Supports failover– Active/standby– Active/active

• Supports VPNs– Site to site (5,000 peers)– Remote access – WebVPN



ASA 5500 Series: Front Panel

POWERSTATUS

ACTIVEFLASH

VPN


Security ServicesModule

Fixed Interfaces

CompactFlash

ASA 5500 Series: Back Panel


Four 10/100/1000Gigabit Ethernet Ports*

10/100 Out-of-BandManagement Port

AUX Ports

CompactFlash

Two USB 2.0 Ports

Power Supply(AC or DC)

Console Port

*ASA 5510 supports 10/100 Fast Ethernet ports.

ASA 5500 Series: Connectors


Security Services Module

• High-performance module designed to provide additional security services

• Diskless (Flash-based) design for improved reliability

• Gigabit Ethernet port for out-of-band management


AIP-SSM

PWR STATUS

SPEED LINK/ACTAIP-SSM-10

• 2.0-GHz processor• 1.0 GB RAM

AIP-SSM-20• 2.4-GHz processor• 2.0 GB RAM


PIX Firewall Security Appliance Licensing


PIX License Types

• UR: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.

• Restricted: Limits the number of interfaces supported and the amount of RAM available within the system (no contexts and no failover).

• Active/standby failure: Places one security appliance in a failover mode for use alongside a security appliance that has a UR license. Only one unit can be actively processing user traffic; the other unit acts as a hot standby.

• Active/active failover: Places a security appliance that has a UR license in a failover mode for use alongside another security appliance that has a UR license, or two UR licenses. Both units can actively process traffic while serving as a backup for each other.

Applies to PIX Firewall 515/515E, 525, and 535


VPN Encryption License

• DES license – Provides 56-bit DES

• 3DES/AES license– Provides 168-bit 3DES– Provides up to 256-bit AES


Dept/Cust 2Dept/Cust 1

PIX Firewall

Dept/Cust 2Dept/Cust 1 Dept/Cust 3 Dept/Cust N

PIX Firewall

Default Upgrade

PIX Firewall Security Context Licenses


PIX 515E, 525, and 535 Licensing

License TypePhysical

InterfacesVLANs Contexts Memory Failover

PIX Firewall 515ERestricted 3 10 N/A 64 No

UR 6 25 LicenseUp to five 128 Yes

PIX Firewall 525

Restricted 6 25 N/A 128 No

UR 10 100 LicenseUp to 50 256 Yes

PIX Firewall 535Restricted 8 50 N/A 512 No

UR 14 150 LicenseUp to 50 1024 Yes


ASA Adaptive Security Appliance Licensing


ASA Security Context Licenses

Default• Two contexts

Available Context Licenses• Five contexts• Ten contexts• 20 contexts• 50 contextsUpgrade Licenses• From Five to Ten contexts• From Ten to 20 contexts• From 20 to 50 contexts

Dept/Cust 2Dept/Cust 1

ASA


ASA 5510, 5520, and 5540 Licensing

Licenses InterfacesSecurityContexts

VLANsIPSec

VPN PeersFailover

A/S A/AGPRS GTP

ASA 5510Base 3 x 10/100 N/A 0 50 N/A N/A N/A

Security+ 5 x 10/100 N/A 10 150 Yes N/A N/A

ASA 5520

Base 4 x 10/100/1000,1 10/100

Default 2;up to 10 25 300 Yes Yes License

VPN+ 4 x 10/100/1000,1 10/100


ASA 5540

Base 4 x 10/100/1000,1 10/100


VPN+ 4 x 10/100/1000,1 10/100


VPN Premium 4 x 10/100/1000,1 10/100



Cisco Firewall Services Module


FWSM

• Designed for campus data center and service provider environments

• Runs in Cisco Catalyst 6500 Series Switches and 7600 Series Routers

• Up to 1 million concurrent connections

• Up to 5.5-Gbps throughput

• Supports 100 security contexts

– 256 interfaces per security context

• 1000 VLANs (maximum per FWSM)

• Supports active/standby failover


FWSM in Catalyst 6500 Switch and Cisco 7600 Internet Router

FWSMFWSM


Summary

• There are currently eight Cisco PIX Firewall and ASA Adaptive Security Appliance models. – In the Cisco 500 PIX Firewall Series: 501, 506E, 515E, 525,

and 535– In the Cisco ASA 5500 Series: 5510, 5520 and 5540

• Your security appliance license determines the level of service and available features of your security appliance, and the number of interfaces it supports.


Summary (Cont.)

• Restricted, unrestricted, and failover licenses are available for PIX Firewall Security Appliance models 515E, 525, and 535.

• The Cisco Firewall Services Module for the Cisco Catalyst 6500 Switches and the Cisco 7600 Series Internet Routers provides an alternative to the security appliance.

lesson 2b cisco pix security appliance and asa adaptive security appliance families © 2005 cisco...

Documents