Content Security Licensing on Cisco ASA
Hi Guys,
Need help on licensing of content security on Cisco ASAs. Hope someone would be able to help.
Our customer has an ASA5520-CSC20-K9 (default 500 users) appliance. When the appliance was first bought, they upgraded it to a 750-user license and the PLUS feature license. They want to renew these licenses. Kindly advise on the following:
1. In order to do so, is it right that the customer has to purchase both the following (to cater to the 750 users and PLUS features)?
• L-ASACSC20-500UP1Y ASA 5500 CSC-SSM-20 500-User w/ Plus Lic. Renewal (1-year)
• L-ASACSC20-250UP1Y ASA 5500 CSC-SSM-20 250-User w/ Plus Lic. Renewal (1-year)
2. Do the renewal licenses above include BASE features (Anti-Virus, Anti-Spyware, File-Blocking)?
Thanks!
Citra
That's unfortunate. It seems like with the VPN licensing they realized if you were in an active/standby configuration then you should only have to pay for one license, thus the license change in 8.3+ only requires you to purchase one license. I thought this would have carried over into IPS.
Beings we haven't failed over to the standby unit in 2 years, would it be possible to install the IPS module in both the active and standby appliances, but just license the one in the active mode? I don't care if we are running without IPS on the standby if we did have to failover for some amount of time. Or does having it licensed on one and not the other mess with being in active/standby failover mode?
Similar Messages
-
Security License for Cisco 3900 Series
Hi,
I have a Security License (SL-39-SEC-K9) for a Cisco 3900 Series router. Can somebody help me by providing a sample config to configure a 3945 router to act as a firewall? Is there any difference from the native IOS based firewall config?
Regards,
Mukesh
Here is a detailed instruction on ISR G2 licensing (including downloading, installing, rehosting license, etc.).
Usually, you just need to go to cisco.com/go/license, enter PAK and follow detailed instructions.
HTH
Alexandr
-
Security License for Cisco 3925
Hi,
I have got a Cisco 3925 without a security license. Now I have got the L-SL-39-SEC-K9 license and need to install it. What is the process of installing this license?
Thanks in advance
Regards,
Mero
Here is a detailed instruction on ISR G2 licensing (including downloading, installing, rehosting license, etc.).
Usually, you just need to go to cisco.com/go/license, enter PAK and follow detailed instructions.
HTH
Alexandr
-
Cisco ASA 5510 Content Security bundle
Hello,
Please help me to understand: if I buy the Cisco ASA 5510 Content Security bundle for my network, I found there is a 1 yr subscription for the content security features. What are the services included in it? Is URL blocking and filtering included in this subscription or is it a separate feature?
Thanks,
Saroj Pradhan
Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc.
-
Firewall Cisco ASA 5505 new interface license problem
Hi
I have one ASA 5505 with a Base License
The problem is when I want to use a new named interface the system says "With current License maximum number of named interfaces allowed is 3. Name cannot be set for this interface"
And the question is: with this base license, can the interface not be used at all, or can it only not be named?
Here is the output of my firewall:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is e02f.6de6.7843, irq 11
1: Ext: Ethernet0/0 : address is e02f.6de6.783b, irq 255
2: Ext: Ethernet0/1 : address is e02f.6de6.783c, irq 255
3: Ext: Ethernet0/2 : address is e02f.6de6.783d, irq 255
4: Ext: Ethernet0/3 : address is e02f.6de6.783e, irq 255
5: Ext: Ethernet0/4 : address is e02f.6de6.783f, irq 255
6: Ext: Ethernet0/5 : address is e02f.6de6.7840, irq 255
7: Ext: Ethernet0/6 : address is e02f.6de6.7841, irq 255
8: Ext: Ethernet0/7 : address is e02f.6de6.7842, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Hi,
With the Base License the ASA5505 has a limitation of 3 VLAN interfaces, of which 1 is also limited in access (shown by the above output mentioning DMZ Restricted).
For an interface on the ASA to operate it must have a name set with the command "nameif".
If you already have 3 VLAN interfaces in use then with this license you won't be able to configure a 4th VLAN interface without getting a license that supports more interfaces. I guess that would be the Security Plus license.
I know that this has come as a surprise to several users that have posted here on the forums. I too think that it's a needless "feature" in the ASA to limit the use of the device in such a way.
- Jouni
-
Cisco ASA 5505 - 2 questions - VPN Licensing; Routing
Hi,
I have a client that has a Cisco ASA 5505 security appliance. Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN. The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users. 25 users is the max on this device I believe.
I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
The second question I have is routing capability. We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located. A Cisco 2851 is used for this connection. We are wanting to bring in a high speed Internet connection for the VPN access and Internet access. What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
Thanks!
--Kent
Hi Kent,
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
Regards,
David Dunlap
SBSC Engineer
-
Numbers of users for ASA Content Security module
Hi,
Can someone tell me how the ASA Content Security module recognizes the maximum number of users?
E.g.: ASA-SSM-CSC-20-K9= is for 500 users. What will happen if I exceed that with 560 users? Does the module recognize that there are more users than expected?
Best regards
You will get a similar message:
License violation has been detected on the InterScan for CSC SSM. There are currently 560 active nodes while you only have 500 seats of license. 60 more seats of license is required.
Please upgrade your license to resolve the violation.
-
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200
purpose
ASA 5505 (Sec Plus license)
purpose
g2
Trunk 1UP,99T
Ubiquiti AP (VLAN 1 works, VLAN 99 does not
g3
Access port 99T
vlan 99 does not work
g8
Trunk 1UP, 99T
< Trunk between switch and ASA >
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP
Both VLAN 1 and VLAN 99 clients work properly
Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks,
-
CIsco ASA 5505 and VPN licenses
Hi,
Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
How are those licenses counted? Will I need a license per IPSec SA?
If I have two sites connected with a LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA, or just 1 - one per point-to-point VPN?
Thank you.
Regards,
Alex
Alex,
In an ASA 5505, it should say something like this...when you do sh ver.
VPN Peers : 25
It means that you can have so many peers connecting to the ASA. It's not per IPSec SA.
It's a per tunnel license.
Rate this, if it helps!
Gilbert
-
Cisco ASA ( Adaptiv Security Algorithm )?
Hello,
I'm French, so sorry for my English; I will do my best to explain my question.
I'm actually working on a Cisco PIX 501 (for school).
I have to do some tests on it, search for what it is able to do and how to prove it...
My question is about Cisco ASA (Adaptive Security Algorithm): what is it doing? I mean, does it just simply stop all information coming from outside to inside (security 0 to 100), or is it doing more? Is it searching for wrong/good packets or does it just stop everything? And if it's doing that, how is it done?
My question could be: what is Cisco ASA doing more than an ACL?
I hope I'm clear enough in my questions. I searched a lot on the internet but didn't find an answer.
Thank you!
Amaury
if I understand well what you mean, ASA/algorithm is a part of different processes which are part of stateful inspection
Not really, I would say that stateful inspection is part of the adaptive security algorithm. The algorithm goes through processes such as ACL check, NAT, etc. and based on these checks makes entries in the state table.
(by the way, stateful inspection = stateful firewalling, right?)
Kind of. Stateful inspection is what the stateful firewall does and not what it is, if you can understand that. A stateful firewall performs stateful inspection. So stateful inspection is not a firewall.
when you said "showing tcp connections and NAT xlate table entries at the firewall CLI before and after", I am OK with that, but what are the commands to check table entries? I can't find them.
show conn protocol tcp will show you the TCP connections through the firewall and show xlate will show you the NAT translations that are currently active.
As well, I will need the commands to configure (if possible) stateful inspection and traffic inspection, but I will try to search by myself because I didn't start yet
Again, stateful inspection is not something you configure but is what the ASA does based on configured rules. So all you need to do is configure ACLs and NAT rules and routing and the ASA does all the stateful inspection stuff on its own.
Please remember to rate and select a correct answer
-
Hi All
I have just started working on Cisco ASAs and working on following scenario:
3 Depts having 3 separate Networks given following names
Finance
Accounts
HR
Communication between them should be restricted and allowed only for specific hosts and services. My approach is that I have assigned a security level of "0" to each of them and also enabled "same-security-traffic permit inter-interface", so that they can communicate with each other. Now what I have observed is that as soon as I enable same-security-traffic permit inter-interface, traffic starts flowing among them without the need for any access-list. But as soon as I create an access list for some specific host, traffic stops flowing for all other hosts except for the one which was granted access in the access-list.
Is my approach right? Please do advise. Also, is it the default behaviour of the ASA to implicitly deny traffic for all hosts as soon as I place an ACL after enabling same-security-traffic permit inter-interface?
Thanks and Regards
Hello,
If all of the network zones have the same security level for your company then you can use the same one on them.
Remember that all the ACLs have an implicit deny at the bottom, so the behavior is expected.
Same security level interfaces with the same-security-traffic command will be allowed to exchange traffic without the need for an ACL, but as soon as you place one on any of those interfaces you will need to specify the traffic you will need to allow.
Regards,
Rate all the helpful posts
Julio
Security Engineer -
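The behaviour described in this answer, as a simplified Python model (an added example, not part of the original thread and not Cisco code). The interface names come from the question; the IP addresses, the port and the `decide`/`scenario` helpers are constructed for illustration, and only new connections are modelled (no NAT, no return traffic).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    port: Optional[int] = None  # None matches any TCP port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port in (None, port))

@dataclass
class Interface:
    name: str
    security_level: int
    inbound_acl: Optional[List[Ace]] = None  # None = no access-group applied

def decide(ingress, egress, src, dst, port, inter_interface=True):
    """Simplified decision for a NEW connection entering `ingress`."""
    same_level = ingress.security_level == egress.security_level
    # Without same-security-traffic permit inter-interface, equal levels cannot talk.
    if same_level and not inter_interface:
        return False, "same security level blocked"
    if ingress.inbound_acl is not None:
        # Once an ACL is applied inbound, it alone decides; first match wins.
        for ace in ingress.inbound_acl:
            if ace.matches(src, dst, port):
                return ace.action == "permit", f"explicit {ace.action}"
        return False, "implicit deny"
    if same_level or ingress.security_level > egress.security_level:
        return True, "implicit permit (no ACL on ingress interface)"
    return False, "lower to higher security level without ACL"

def scenario():
    # Constructed addressing for the three departments named in the thread.
    finance, accounts, hr = (Interface(n, 0) for n in ("Finance", "Accounts", "HR"))
    out = {"before_acl": decide(finance, accounts, "10.1.1.50", "10.2.2.20", 443)}
    # One permit entry is applied inbound on Finance, as in the question.
    finance.inbound_acl = [Ace("permit", "10.1.1.10/32", "10.2.2.20/32", 443)]
    out["listed_host"] = decide(finance, accounts, "10.1.1.10", "10.2.2.20", 443)
    out["other_host"] = decide(finance, accounts, "10.1.1.50", "10.2.2.20", 443)
    out["hr_no_acl"] = decide(hr, accounts, "10.3.3.5", "10.2.2.20", 443)
    return out

if __name__ == "__main__":
    for case, (allowed, reason) in scenario().items():
        print(f"{case:12} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Traffic entering from HR is still allowed because no ACL is applied there; restricting all three departments means applying an ACL with explicit permits on each interface.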
Cisco asa security context active/active failover
Hi,
I have two Cisco ASA 5515-X appliances running OS version 8.6. I want to configure these two appliances in multiple context mode.
Each ASA appliance will have two security contexts named "ctx1" & "ctx2".
I have to configure failover on these two ASA appliances such that "ctx1" will be active on one ASA box and "ctx2" will be active and process the traffic on the second box. To achieve this I will configure two failover groups, 1 & 2, and assign "ctx1" interfaces to failover group 1 and "ctx2" interfaces to group 2.
I am a reading a book on failover configuration in active/active in that below note is mentioned.
If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
What does this mean? Can someone please explain, because I also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case, can the shared interface be used in failover groups 1 & 2?
Regards,
Nick
You will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.
-
Hi, I'm a network administrator and I wanted to get the security license price for our cisco1941K9. How could I have the cost ?
Cdlt,
GKF
You would need to contact your local Cisco partner for this information or perhaps contact an Online partner. Follow the links on the following page for more information and ordering.
http://www.cisco.com/web/ordering/or13/order_customer_help_high_level_listing.html
Please remember to select a correct answer and rate
-
Security monitoring tool for Cisco ASA
Please suggest a cheap and best security monitoring tool for Cisco ASA devices.
You can use ossec, open source tool installed on linux:
http://www.ossec.net/
-
What's the price for any Cisco ASA security parts?
Hello everybody,
Please, I need to know the prices for the items:
ASA5500X-SSD120=
FS-VMW-2-SW-K9
L-ASA5525-TAM=
I need to implement Cisco IPS with 2 Cisco ASA 5525X.
Thank you.
Your local Cisco partner can provide pricing for your area.
The Cisco Support Community is not the place to request price quotes.
Please go to www.cisco.com and refer to the top menu pick "How to Buy" to find an authorized partner / reseller serving your area.