Feature Licenses and Specifications
This appendix describes the feature licenses and specifications. This appendix includes the following sections:
• Supported Platforms
• Platform Feature Licenses
• Security Services Module Support
• VPN Specifications
Supported Platforms
This software version supports the following platforms:
• ASA 5510
• ASA 5520
• ASA 5540
• PIX 515/515E
• PIX 525
• PIX 535
Platform Feature Licenses
The following tables list the feature support for each platform license.
Note: Items that are in italics are separate, optional licenses that you can add on to a base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the VPN Plus license plus the GTP/GPRS license; or all four licenses together.
Table A-1 ASA 5500 Series Adaptive Security Appliance License Features

| Platforms and Features | Licenses | |
| --- | --- | --- |
| ASA 5510 | Base License | Security Plus |
| Security Contexts | No support | No support |
| VPN Peers | 50 IPSec, 50 WebVPN | 150 IPSec, 150 WebVPN |
| Failover | None | Active/Standby |
| GTP/GPRS | Not supported | Not supported |
| Maximum VLANs | 0 | 10 |
| Concurrent Connections* | 32 K | 64 K |
| Max. Physical Interfaces | 3 at 10/100 plus the Management interface for management traffic only (to-the-security-appliance) | Unlimited |
| Encryption | Base (DES); add-on license: Strong (3DES/AES) | Base (DES); add-on license: Strong (3DES/AES) |
| Minimum RAM | 256 MB | 256 MB |
| Note: The ASA 5510 does not support VPN load balancing. | | |
| ASA 5520 | Base License | N/A |
| Security Contexts | 2; add-on licenses: 5, 10 | |
| VPN Peers | 300 IPSec, 300 WebVPN; add-on license: VPN Plus (750 IPSec, 750 WebVPN) | |
| Failover | Active/Standby, Active/Active | |
| GTP/GPRS | None; add-on license: Enabled | |
| Maximum VLANs | 25 | |
| Concurrent Connections* | 130 K | |
| Max. Physical Interfaces | Unlimited | |
| Encryption | Base (DES); add-on license: Strong (3DES/AES) | |
| Minimum RAM | 512 MB | |
| ASA 5540 | Base License | N/A |
| Security Contexts | 2; add-on licenses: 5, 10, 20, 50 | |
| VPN Peers | 500 IPSec, 500 WebVPN; add-on license: VPN Plus (2000 IPSec, 1250 WebVPN); add-on license: VPN Premium (5000 IPSec, 2500 WebVPN) | |
| Failover | Active/Standby, Active/Active | |
| GTP/GPRS | None; add-on license: Enabled | |
| Maximum VLANs | 100 | |
| Concurrent Connections* | 280 K | |
| Max. Physical Interfaces | Unlimited | |
| Encryption | Base (DES); add-on license: Strong (3DES/AES) | |
| Minimum RAM | 1024 MB | |

* The concurrent connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.
Table A-2 PIX 500 Series Security Appliance License Features

| Platforms and Features | Licenses | | | |
| --- | --- | --- | --- | --- |
| PIX 515/515E* | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active)*** |
| Security Contexts | No support | 2; add-on license: 5 | 2; add-on license: 5 | 2; add-on license: 5 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled |
| Maximum VLANs | 10 | 25 | 25 | 25 |
| Concurrent Connections | 48 K | 130 K | 130 K | 130 K |
| Max. Physical Interfaces | 3 | 6 | 6 | 6 |
| Encryption | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) |
| Minimum RAM | 64 MB | 128 MB | 128 MB | 128 MB |
| PIX 525* | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active) |
| Security Contexts | No support | 2; add-on licenses: 5, 10, 20, 50 | 2; add-on licenses: 5, 10, 20, 50 | 2; add-on licenses: 5, 10, 20, 50 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled |
| Maximum VLANs | 25 | 100 | 100 | 100 |
| Concurrent Connections | 140 K | 280 K | 280 K | 280 K |
| Max. Physical Interfaces | 6 | 10 | 10 | 10 |
| Encryption | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) |
| Minimum RAM | 128 MB | 256 MB | 256 MB | 256 MB |
| PIX 535* | R (Restricted) | UR (Unrestricted) | FO (Failover)** | FO-AA (Failover Active/Active) |
| Security Contexts | No support | 2; add-on licenses: 5, 10, 20, 50 | 2; add-on licenses: 5, 10, 20, 50 | 2; add-on licenses: 5, 10, 20, 50 |
| VPN Peers | 2000 IPSec | 2000 IPSec | 2000 IPSec | 2000 IPSec |
| Failover | No support | Active/Standby, Active/Active | Active/Standby | Active/Standby, Active/Active |
| GTP/GPRS | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled | None; add-on license: Enabled |
| Max. VLANs | 50 | 150 | 150 | 150 |
| Concurrent Connections | 250 K | 500 K | 500 K | 500 K |
| Max. Physical Interfaces | 8 | 14 | 14 | 14 |
| Encryption | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) | None; add-on license: Base (DES); add-on license: Strong (3DES/AES) |
| Minimum RAM | 512 MB | 1024 MB | 1024 MB | 1024 MB |

* The PIX 500 series security appliance does not support WebVPN.
** This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.
*** The concurrent connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.
Security Services Module Support
Table A-3 shows the SSMs supported by each platform:
Table A-3 SSM Support

| Platform | SSM Models |
| --- | --- |
| ASA 5510 | AIP SSM 10; 4GE SSM |
| ASA 5520 | AIP SSM 10; AIP SSM 20; 4GE SSM |
| ASA 5540 | AIP SSM 10; AIP SSM 20; 4GE SSM |
| PIX 515/515E | No support |
| PIX 525 | No support |
| PIX 535 | No support |

VPN Specifications
This section describes the VPN specifications for the security appliance. This section includes the following topics:
• Cisco VPN Client Support
• Site-to-Site VPN Compatibility
• Cryptographic Standards
Cisco VPN Client Support
The security appliance supports a wide variety of software and hardware-based Cisco VPN clients, as shown in Table A-4.
Table A-4 Cisco VPN Client Support

| Client Type | Client Versions |
| --- | --- |
| Software IPSec VPN clients | Cisco VPN client for Windows, Version 3.6 or higher; Cisco VPN client for Linux, Version 3.6 or higher; Cisco VPN client for Solaris, Version 3.6 or higher; Cisco VPN client for Mac OS X, Version 3.6 or higher |
| Hardware IPSec VPN clients (Cisco Easy VPN remote) | Cisco VPN 3002 hardware client, Version 3.0 or higher; Cisco IOS Software Easy VPN remote, Release 12.2(8)YJ; Cisco PIX 500 series security appliance, Version 6.2 or higher; Cisco ASA 5500 series adaptive security appliance, Version 7.0 or higher |

Site-to-Site VPN Compatibility
In addition to providing interoperability for many third-party VPN products, the security appliance interoperates with the Cisco VPN products for site-to-site VPN connectivity shown in Table A-5.
Table A-5 Site-to-Site VPN Compatibility

| Platforms | Software Versions |
| --- | --- |
| Cisco ASA 5500 series adaptive security appliances | Version 7.0 or higher |
| Cisco IOS routers | Release 12.1(6)T or higher |
| Cisco PIX 500 series security appliances | Version 5.1(1) or higher |
| Cisco VPN 3000 series concentrators | Version 2.5.2 or higher |

Cryptographic Standards
The security appliance supports numerous cryptographic standards and related third-party products and services, including those shown in Table A-6.
Table A-6 Cryptographic Standards

| Type | Description |
| --- | --- |
| Asymmetric (public key) encryption algorithms | RSA public/private key pairs, 512 bits to 4096 bits; DSA public/private key pairs, 512 bits to 1024 bits |
| Symmetric encryption algorithms | AES—128, 192, and 256 bits; DES—56 bits; 3DES—168 bits; RC4—40, 56, 64, and 128 bits |
| Perfect forward secrecy (Diffie-Hellman key negotiation) | Group 1—768 bits; Group 2—1024 bits; Group 5—1536 bits; Group 7—163 bits (Elliptic Curve Diffie-Hellman) |
| Hash algorithms | MD5—128 bits; SHA-1—160 bits |
| X.509 certificate authorities | Cisco IOS software; Baltimore UniCERT; Entrust Authority; iPlanet/Netscape CMS; Microsoft Certificate Services; RSA Keon; VeriSign OnSite |
| X.509 certificate enrollment methods | SCEP; PKCS #7 and #10 |