Introduction to the Cisco Security Appliance Family
Security appliance licensing

PIX Security Appliance Licensing
Current PIX Security Appliance licensing is based on a feature-based license key system. The PIX license determines the level of service it provides, its functions in a network, and the maximum number of interfaces and memory it can support.

For the PIX Security Appliance family, the following licensing is available:

  • PIX 501 Security Appliance – Provided with a 10-user, 50-user, or unlimited-user license in PIX Security Appliance Software Release 6.3. Each license allows up to a specified number of concurrent source IP addresses from the internal network to traverse the PIX. For instance, the 50-user license allows up to 50 concurrent source IP addresses from the internal network to traverse the PIX. If a PIX 501 Security Appliance requires more concurrent users, an upgrade license can be purchased.
  • PIX 506E Security Appliance – Provided in a single, unlimited-user license.
  • PIX 515E, 525, and 535 Security Appliance models – Available with the following basic license types:
    • Unrestricted (UR) – PIX platforms in UR license mode allow installation and use of the maximum number of interfaces and RAM supported by the platform. The Unrestricted license supports failover.
    • Restricted (R) – PIX platforms in restricted license mode limit the number of interfaces supported and the amount of RAM available within the system. A PIX with a restricted license does not support contexts or failover configurations.
    • Failover (FO) Active/Standby – Places the PIX in a failover mode for use alongside another PIX with an unrestricted license. Only one unit can be actively processing user traffic while the other unit acts as a hot standby.
    • Failover (FO) Active/Active – Places the PIX in a failover mode for use alongside another PIX with an unrestricted license, or two UR licenses. Both units can actively process firewall traffic while at the same time serving as a backup for their peer unit. Active/active failover is supported using security contexts.

Cisco supplies an activation key with each license. The activation key is based on the type of license and the serial number of the PIX. To enable the license features, enter the activation key into the PIX configuration. Starting with PIX Security Appliance software release 7.0, a PIX supports two kinds of license activation keys:

  • Existing 4-tuple license activation key for PIX Security Appliance Version 6.3
  • A new 5-tuple license activation key for PIX and ASA Security Appliance Version 7.0 only

Unlike PIX Version 6.3, which always requires a valid license key to run, PIX and ASA Version 7.0 can run without a license key, but it then runs with default settings. When upgrading from PIX Version 6.3 to PIX and ASA Version 7.0, the existing license key for PIX Version 6.3 is preserved and is saved in a central location on the flash file system. When downgrading from PIX and ASA Version 7.0 to PIX Version 6.2 or 6.3, the existing license key for the original PIX Version 6.2 or 6.3 that was saved during the upgrade procedure is retrieved and saved to the PIX Version 6.2 or 6.3 image.

NOTE: An activation key is tied to a specific PIX Security Appliance, such as PIX-serial number 12345678.

PIX VPN Encryption License
In addition to upgrading the PIX Security Appliance license, administrators may wish to add data encryption services, or increase the level of data encryption that the PIX can provide. An online form at the PIX Security Appliance Software page on Cisco.com can be completed to obtain a free 56-bit DES key. There is a separate form to install or upgrade to 168-bit 3DES encryption. For failover configurations, the UR and FO security appliances each require their own unique corresponding DES or 3DES license for failover functionality.

Adding cryptographic services and upgrading a PIX Security Appliance license both require obtaining and installing an activation key. Current information on obtaining activation keys can be found at Cisco.com.

Security Contexts
A single UR-licensed PIX 515E, 525, or 535 Security Appliance, as well as a single ASA Security Appliance, can be partitioned into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. The number of contexts available in a PIX Security Appliance or Adaptive Security Appliance depends on the model and context license. As the network grows, or requirements change, an upgrade context license can be purchased to increase the number of available contexts.

PIX Security Appliance Context Licensing
By default, two contexts are included in the UR PIX 515E, 525, or 535 Security Appliance license. A PIX 515E supports up to 5 contexts, a PIX 525 supports up to 50 contexts, while a PIX 535 supports up to 100 contexts.

The table in Figure compares the restricted and unrestricted licenses of the PIX 515E, 525, and 535 Security Appliance models.

ASA Security Appliance Licensing
ASA Security Appliance licensing is also based on a feature-based license key system. The ASA Security Appliance license determines the number of contexts, type of VPN encryption, and number of VPN peers an ASA Security Appliance can support. Figure shows the licensing options available for the ASA Security Appliance family.

By default, the ASA5520 and 5540 support two contexts. An ASA5520 Security Appliance supports up to 10 contexts and an ASA5540 Security Appliance supports up to 20 contexts.

The table in Figure compares the ASA Security Appliance license offerings. Across the top of the chart are the ASA Security Appliance features. Down the left side are the ASA5510, ASA5520 and ASA5540 licenses. Each ASA Security Appliance column compares the listed features available with each license.