ASA 5585-X Licensing

Hi,
I was hoping to get some assistance from the community on 5585 part numbers/licensing.
We have recently purchased some 5585-X SSP-20s. The part number ordered was ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES". We want to enable the 10GE ports on the SSP-20; do we just purchase an additional license? We are being guided by our reseller to swap the hardware for ASA5585-S20C20XK9 "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES".
Thanks,
Colin

Based on the documentation you need the Security-Plus License to enable 10G for the 5585 with SSP10 or SSP20.

Similar Messages

  • ASA 5585-X CX20 Prime Security Manager

    Hi Everyone
    I'm trying to add our two 5585-X + CX20 units to Cisco Prime Security Manager. The ASAs seem to add correctly but the CX20s appear "undefined" for software version and model. Clicking on "Device Configuration" I get the error "Message From Server: SyntaxError: Unexpected token <"
    I've tried removing and re-adding the devices but the same thing happens. Any ideas?
    Thanks
    James

    Two contexts are included with the base licensing on the 5585-X. Up to 250 can be licensed.
    The SKU (Stock Keeping Unit = part number) for 10 licenses would be ASA-5500-SC10.
    FYI, here are all the SKUs for 5585 context licenses:

  • How many default virtual context counts with ASA 5585 Series

    Hi All:
    I am preparing to replace an FWSM with an ASA 5585 Series, but I am confused about the default virtual context count on the ASA 5585.
    I used 3 virtual contexts on my old FWSM (1 admin context with 2 contexts). According to the ASA configuration guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
    It states the ASA 5585 has 2 contexts by default. Does it mean the ASA 5585 has just 2 contexts, or 1 admin context plus "2" contexts (3 contexts available)?
    Thanks for your reply

    Hi,
    To my understanding the ASA with the most default license lets you use 2 Security Contexts for your own purposes. The admin context will always be there on the ASA when running in multiple context mode. It's created when you change your ASA from its default mode (single) to "mode multiple".
    In my original post the latter part was just to mention that, to my understanding, if you use 2 ASAs (almost any model) in failover with software 8.3 and above, the ASA will combine their licenses regarding some values. For example, connecting 2 ASAs in Failover which each have a limit of 2 Security Contexts, they will get combined and the failover will have a 4 Security Context limit.
    At least that is what I see with the "show version" command, and this is also what we have been told by a Cisco employee. I've also been told that if I, for example (running 8.3+ OS), buy a 5 Security Context license for the other unit, it will combine the other's base license (2 SC) with the other unit's new license (5 SC), resulting in a combined Security Context limit of 7.
    This is what Cisco documentation mentions about Active/Standby and Active/Active Failover Licensing at version 8.3 and above:
    Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
    I have had 2 ASA5585-X ASAs combined in A/A Failover running 8.4(2), and they have at least shown that they have the combined Security Context limit of 4 Security Contexts.
    Here's a partial output of the "show version" command on the ASAs in question when they were just out of the box, combined in Failover with no other configurations other than running in multiple context mode and management configuration in the admin context.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual

    Failover cluster licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 1024           perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 4              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 4              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10000          perpetual
    Total VPN Peers                   : 10000          perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 4              perpetual
    Total UC Proxy Sessions           : 4              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    10GE I/O                          : Disabled       perpetual
    Though I still suggest confirming all these things with the people/company that you're acquiring the ASA(s) from so you get what you're asking for. Or someone from Cisco could confirm this on these forums.
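
The per-unit and failover-cluster license tables in the post above can be compared mechanically before a deployment. The following is an added example, not part of the original post or Cisco tooling: it parses a constructed, abridged copy of that "show version" output and reports which features the failover pair combined and which requirements are still unmet. The function names and the requirements dictionary are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the "show version" output quoted in the post.
SAMPLE = """\
Licensed features for this platform:
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 2              perpetual
AnyConnect Premium Peers          : 2              perpetual
10GE I/O                          : Disabled       perpetual

Failover cluster licensed features for this platform:
Maximum VLANs                     : 1024           perpetual
Failover                          : Active/Active  perpetual
Security Contexts                 : 4              perpetual
AnyConnect Premium Peers          : 4              perpetual
10GE I/O                          : Disabled       perpetual
"""

SECTION_RE = re.compile(
    r"^(failover cluster licensed|licensed) features for this platform:$", re.I)
# Trailing duration column: "perpetual", or a day count (assumed format
# for time-based licenses); it is dropped from the parsed value.
FEATURE_RE = re.compile(
    r"^(?P<name>\S.*?)\s*:\s+(?P<value>\S.*?)(?:\s+(?:perpetual|\d+ days))?$")

def parse_license_sections(text):
    """Return {'unit': {...}, 'cluster': {...}} mapping feature name -> value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            key = "cluster" if header.group(1).lower().startswith("failover") else "unit"
            current = sections.setdefault(key, {})
        elif not line:
            current = None  # a blank line ends the current table
        elif current is not None:
            feature = FEATURE_RE.match(line)
            if feature:
                current[feature["name"]] = feature["value"]
    return sections

def combined_differences(sections):
    """Features whose failover-cluster value differs from the unit's own value."""
    unit, cluster = sections.get("unit", {}), sections.get("cluster", {})
    return {n: (unit[n], v) for n, v in cluster.items() if n in unit and unit[n] != v}

def shortfalls(sections, required):
    """Compare the effective license (cluster table if present) to requirements."""
    have = sections.get("cluster") or sections.get("unit") or {}
    missing = []
    for name, need in required.items():
        value = have.get(name, "absent")
        if isinstance(need, int):  # numeric limit: "Unlimited" always satisfies it
            ok = value == "Unlimited" or (value.isdigit() and int(value) >= need)
        else:                      # on/off feature: exact match
            ok = value == need
        if not ok:
            missing.append(f"{name}: have {value}, need {need}")
    return missing

if __name__ == "__main__":
    parsed = parse_license_sections(SAMPLE)
    print(combined_differences(parsed))
    # Hypothetical requirements: 4 contexts and the 10GE ports enabled.
    print(shortfalls(parsed, {"Security Contexts": 4, "10GE I/O": "Enabled"}))
```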

  • Cisco ASA 5505 - Base License

    Hello to everyone
    I have this kind of config; in my network it was working flawlessly, but at the site where it is installed it is giving me trouble.
    First, my connection to the site is working, so I can access the ASA from the internet, but I can't do inter-VLAN routing on the ASA.
    I have activated these commands and nothing; I cannot ping my vlan2 interface from my inside. I do not have a router doing the L3 routing, only the ASA, but it could let me pass traffic because the ASA is an L3 device. Also, this license has no trunk.
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    Well, I have done many things and nothing,
    policy-map global_policy
    class inspection_default
    inspect icmp
    No results; waiting for your comments.
    Licensed features for this platform:
    Maximum Physical Interfaces    : 8
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10
    Failover                       : Disabled
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 10
    Dual ISPs                      : Disabled
    VLAN Trunk Ports               : 0
    Botnet Traffic Filter          : Disabled
    ASA Version 8.2(5)
    hostname ASA5505
    enable password XXXXXXXXXXXXXX encrypted
    passwd XXXX.XXXXXXXX encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address XX.XX.XX.174 255.255.255.248
    ftp mode passive
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10 10.0.0.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 XX.XX.XX.169 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.0.0.0 255.255.255.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username root password XXXXXXXXX encrypted privilege 15
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:0c8a226f7c4a8d5a03e6fcd821893898
    : end

    Cisco ASA 5505 Base License - not inter-vlan-routing no internet access from inside interface
    Here is the output from my pings:
    ping
    Interface: inside
    Target IP address: 10.0.0.1
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA5505# ping
    Interface: outside
    Target IP address: 66.XX.XX.174
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    ASA5505# ping
    Interface: inside
    Target IP address: 66.XX.XX.174
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 66.XX.XX.174, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    ASA5505# ping
    Interface: outside
    Target IP address: 10.0.0.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    So inter-VLAN routing is not working. After that I used the following commands to see if there was any change, but no results:
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    policy-map global_policy
    class inspection_default
    inspect icmp
    exit
    exit
    service-policy global_policy global
    After all the things I've done in the CLI, I logged into the ASDM, and in the NAT section I saw that the NAT did not have a destination.
    global (outside) 10 interface
    nat (inside) 10 10.0.0.0 255.255.255.0
    So I decided to apply it this way:
    global (outside) 1 interface
    nat (inside) 1 access-list inside_nat_outbound
    And voila, everything is working; I was able to ping 4.2.2.2 on the outside. I think that the problem is with the public IP directly assigned to the ASA by the ISP and not the private IP, because in my test environment it was working perfectly, and I was using the 192.168.0.0 and 172.18.0.0 networks as the outside interface IP and everything was fine.
    But thanks to all who helped; now I have to start applying security and ACL configs.

  • ASA 5585 port-channels

    I want to create a port-channel with 2 10Gbs interfaces on 2 ASA 5585 firewalls, and set them up in a failover pair.
    In order to do this, do I simply put two 10Gbs interfaces into a channel and then configure the IP addressing and failover address on the logical port-channel interface? (aka interface po1).
    Any limitations with this?

    Yes, that is exactly what you do..
    Create portchannel on switch and ASA
    Trunk the vlan on switch side
    Create logical interfaces on ASA

  • Vlan on asa-5585

    Hi,
    Is there any way to create VLANs on a Cisco ASA 5585 in a similar way to how we do it on Cisco switches?
    The ASA in this case is an interface for subsidiary users to connect into this new network.
    We require a few VLANs to be created for some servers on the firewall. The firewall should be the gateway for these servers.
    E.g. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
    How do we achieve this?
    Appreciate all help on this.

    Hi,
    You will have to configure at least one physical interface as a Trunk interface if you want to bring the VLAN all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple VLANs behind a switch.
    The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
    In Single Context the configuration would be something like this
    interface GigabitEthernet0/0
     description TRUNK
    interface GigabitEthernet0/0.100
     vlan 100
     nameif LAN
     security-level 100
     ip add 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/0.200
     vlan 200
     nameif DMZ
     security-level 50
     ip add 192.168.10.1 255.255.255.0
    If you are running Multiple Context mode the configuration could be something like this
    interface GigabitEthernet0/0
     description TRUNK
    interface GigabitEthernet0/0.100
     description LAN
     vlan 100
    interface GigabitEthernet0/0.200
     description DMZ
     vlan 200
    context EXAMPLE-CONTEXT
     allocate-interface GigabitEthernet0/0.100
     allocate-interface GigabitEthernet0/0.200
     config-url disk0:/EXAMPLE-CONTEXT.cfg
    Or something along these lines
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • Business Continuity features available in ASA-5585-x

    Hi,
    In a Data Center environment using only one ASA-5585-X, what kind of business continuity features does a single 5585-X offer, or what can be configured to keep the business running in case the firewall fails?
    Thanks
    Mike

    Hi,
    I am not sure if I understood the question completely.
    I am not really sure how any configuration on the device can help you if the actual device fails completely.
    With regards to the hardware, I think only the high-end model with SSP-60 comes by default with 2 PSUs while the others come with 1 PSU, though you can install a second PSU in the units and in this way provide some redundancy in the event of power failure, though that naturally depends on other factors than the ASA alone.
    To my understanding it is also possible to set up a single ASA 5585-X unit with dual SSPs. I have not had to set up such an environment, so I am not sure exactly how it works. I am not sure how they work together. I can't seem to find the document I was once reading about this. But I would imagine that this could provide redundancy to the firewall setup.
    Then there is also Clustering of ASA units (not the same as a Failover pair), but again this naturally requires additional hardware and is something I have not set up myself.
    Then there is naturally configuring 2 identical ASA 5585-X units in a Failover pair (Active/Standby or Active/Active) to provide redundancy in case of hardware failure.
    We have some less critical environments set up with single ASA5585-X units, and we naturally don't guarantee the same availability for those services as with a setup where we have 2x ASA5585-X units in Failover. We do have replacement units for these and can naturally get replacements otherwise also.
    - Jouni

  • More Detailed Specifications for ASA 5585-X

    Hi:
    Does anyone know of a document that specifies how many ACE rules are supported on an ASA5585-SSP-20?
    I need to compare this and several other specifications against an FWSM. I found the information for the module, but not for the ASA 5585-X.
    This information is not specified in the data sheet.
    Thank you very much

    Hello Marco,
    That is because the FWSM does have a limit. I have not seen any limit on the ASA. The ASA does support way, way, way more than the FWSM. I have not seen any limit yet, but I have heard that it will let you know as soon as it is full of ACLs, or you will start seeing a degradation of performance. Anyway, dude, you have a 5585; that is a giant and amazing box. You are more than safe.
    Hope this helps
    Julio

  • Visio stencil for ASA 5585-X?

    Hello,
    Can anybody help pointing me to where I can get a visio stencil for a asa-5585-x.
    I really appreciate it.
    Thanks,
    John

    Hi John,
    The official Cisco Visio stencils can be found here:
    http://www.cisco.com/en/US/partner/products/hw/prod_cat_visios.html
    I don't see the 5585 there yet, but once it's available that set should be updated.
    -Mike

  • ASA 5585-X Route-Map

    Hi,
    How can I apply route-map rules to an interface?
    I set up some rules but I cannot apply these rules to any interface.
    Thanks a lot.

    Thank you Kanwal.
    On a Cisco router you can apply your route-map by using the command ip policy map ... I didn't find any command like this. I set up some match and set conditions but I cannot apply them to any interface.
    Can I use a route-map to manipulate the routing table in the ASA 5585-X?
    sincerely

  • ASA 5585-X TACACS+/RADIUS Server

    All,
    Can the ASA 5585-X's act as a AAA TACACS+ and/or RADIUS server for network infrastructure devices?
    I've used Cisco Secure ACS for TACACS and RADIUS AAA..
    My client has ordered a bunch of them.   They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
    Thanks for any information.
    Stephanie

    Adding to Jan's correct answer.
    The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
    Besides NPS on Windows Server, there are also open source projects of both RADIUS and TACACS servers available.

  • Symantec PKI on Cisco ASA 5585

    I am using a Cisco ASA 5585 in my network, and the decision was made to use Symantec PKIs for the certificates. My question is, what would the correct syntax be to implement these PKIs on the ASA? I am trying to get this right on the first go, as I want to limit downtime.

    Hi,
    250 virtual contexts and 1024 VLAN’s are supported.
    Don't forget to rate helpful posts.
    Sajid Ali Pathan.

  • ASA 5585 setting unchecked

    I am seeing a strange issue on 2 of my Cisco ASA 5585s.
    Randomly, the "Enable inbound VPN sessions to bypass interface access list. Group...." setting is getting unchecked.
    I have verified that no one is logging into the system.
    Is this a bug in the firmware or the ASDM?

    Hi,
    I have not run into this issue, at least.
    The first and only thing that comes to mind is that someone is using the ASDM's VPN Wizard to configure new VPN connections and during that changes this Global Setting that you mention.
    On the CLI format the command is
    sysopt connection permit-vpn
    The above is the default setting and will mean that any traffic coming through a VPN connection will bypass the interface ACL of the interface where the VPN is connected to.
    The below form of the command changes the behaviour of the ASA so that any connection will need to be allowed in the interface ACL of the interface where the VPN is connected to.
    no sysopt connection permit-vpn
    You can view the current setting (among all the other system option settings) with
    show run all sysopt
    - Jouni
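
One way to catch the setting flipping between checks is to diff two captures of "show run all sysopt", the command named in the reply above. This is an added example, not part of the original post: the two snapshots are constructed sample output, and the function names are assumptions made for illustration.

```python
# Constructed snapshots of "show run all sysopt", taken at two points in time.
BEFORE = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
"""

AFTER = BEFORE.replace("sysopt connection permit-vpn",
                       "no sysopt connection permit-vpn")

def parse_sysopt(output):
    """Map each sysopt option to (enabled, numeric_args)."""
    state = {}
    for raw in output.splitlines():
        words = raw.split()
        enabled = True
        if words[:1] == ["no"]:          # leading "no" means the option is off
            enabled, words = False, words[1:]
        if words[:1] != ["sysopt"] or len(words) < 2:
            continue                     # skip prompts, banners, blank lines
        # Numeric tokens are arguments; the remaining words name the option,
        # so "tcpmss 1380" and "tcpmss minimum 0" stay distinct keys.
        name = " ".join(w for w in words[1:] if not w.isdigit())
        args = tuple(w for w in words[1:] if w.isdigit())
        state[name] = (enabled, args)
    return state

def drift(before, after):
    """Sorted list of (option, old_state, new_state) for every change."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old != new:
            changes.append((name, old, new))
    return changes

def vpn_bypasses_acl(state):
    """True if VPN traffic bypasses the interface ACL, False if the ACL
    applies, None if the line is missing from the capture."""
    entry = state.get("connection permit-vpn")
    return None if entry is None else entry[0]

if __name__ == "__main__":
    old, new = parse_sysopt(BEFORE), parse_sysopt(AFTER)
    for name, was, now in drift(old, new):
        print(f"CHANGED {name}: {was} -> {now}")
    print("VPN bypasses interface ACL:", vpn_bypasses_acl(new))
```

Correlating the time of a detected change with ASDM and CLI login records narrows down whether an administrator session, such as the VPN Wizard mentioned above, made the change.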

  • Which routing protocols are supported on ASA 5585

    Hi,
    I am curious to know which routing protocols are well supported on the Cisco ASA 5585. Has anyone on the forum implemented routing on an ASA?
    I have an ASA 5585 in context mode; as of now 4 contexts have been created. The upstream device is a Nexus.
    I have an ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
    If someone can point me to a good implemented example of a routing protocol in their environment (like OSPF, BGP), that would be great.
    Thanks

    You're welcome.
    Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
    ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
    FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

  • Cisco asa 5585 syslog options for ips?

    We have a Cisco ASA 5585 with a separate module for IPS. I want to know what the options are for configuring syslog. It's nearly impossible to find, and there are some forums on the internet which say that Cisco IPS stores logs in a native/proprietary format that cannot be exported.
    Please elaborate
    Thanks.

    Some sensor-related events generate syslog messages. Those will be forwarded according to the parent ASA syslog settings.
    Detailed IPS events (signature triggers actions etc.) are stored locally and must be retrieved using the SDEE protocol (tcp-based). That requires use of a management system like Cisco Security Manager (CSM), IPS Manager Express (IME) etc. There is a good document here that explains SDEE in more detail.
