PIX Security Appliance Licensing
Current PIX Security Appliance licensing is based on a feature-based license key
system. The PIX license determines the level of service it provides, its
functions in a network, and the maximum number of interfaces and memory it can
support.
For the PIX Security Appliance family, the following licensing is available:
- PIX 501 Security Appliance – Provided with a 10-user, 50-user, or
unlimited-user license in PIX Security Appliance Software Release 6.3. Each
license allows up to a specified number of concurrent source IP addresses from
the internal network to traverse the PIX. For instance, the 50-user license
allows up to 50 concurrent source IP addresses from the internal network to
traverse the PIX. If a PIX 501 Security Appliance requires more concurrent
users, an upgrade license can be purchased.
- PIX 506E Security Appliance – Provided in a single, unlimited-user
license.
- PIX 515E, 525, and 535 Security Appliance models – Available with the
following basic license types:
  - Unrestricted (UR) – PIX platforms in UR license mode allow installation
    and use of the maximum number of interfaces and RAM supported by the
    platform. The Unrestricted license supports failover.
  - Restricted (R) – PIX platforms in restricted license mode limit the
    number of interfaces supported and the amount of RAM available within the
    system. A PIX with a restricted license does not support contexts or
    failover configurations.
  - Failover (FO) Active/Standby – Places the PIX in a failover mode for use
    alongside another PIX with an unrestricted license. Only one unit can be
    actively processing user traffic while the other unit acts as a hot
    standby.
  - Failover (FO) Active/Active – Places the PIX in a failover mode for use
    alongside another PIX with an unrestricted license, or two UR licenses.
    Both units can actively process firewall traffic while at the same time
    serving as a backup for their peer unit. Active/active failover is
    supported using security contexts.
Cisco supplies an activation key with each license. The activation key
is based on the type of license and the serial number of the PIX. To enable the
license features, enter the activation key into the PIX configuration. Starting
with PIX Security Appliance software release 7.0, a PIX supports two kinds of
license activation keys:
- Existing 4-tuple license activation key for PIX Security Appliance Version 6.3
- A new 5-tuple license activation key for PIX and ASA Security Appliance
Version 7.0 only
Unlike PIX Version 6.3, which always requires a valid license key to run, PIX
and ASA Version 7.0 can run without a license key, but it then runs with
default settings. When upgrading from PIX Version 6.3 to PIX and ASA Version
7.0, the existing license key for PIX Version 6.3 is preserved and is saved in
a central location on the flash file system. When downgrading from PIX and ASA
Version 7.0 to PIX Version 6.2 or 6.3, the existing license key for the
original PIX Version 6.2 or 6.3 that was saved during the upgrade procedure is
retrieved and saved to the PIX Version 6.2 or 6.3 image.
NOTE: An activation key is tied to a specific PIX Security Appliance, such
as PIX-serial number 12345678.
PIX VPN Encryption License
In addition to upgrading the PIX Security Appliance license, administrators may
wish to add data encryption services, or increase the level of data encryption
that the PIX can provide. An online form at the PIX Security Appliance Software
page on Cisco.com can be completed to obtain a free 56-bit DES key. There is a
separate form to install or upgrade to 168-bit 3DES encryption. For failover
configurations, the UR and FO security appliances each require their own unique
corresponding DES or 3DES license for failover functionality.
Adding cryptographic services and upgrading a PIX Security Appliance license
both require obtaining and installing an activation key. Current information on
obtaining activation keys can be found at Cisco.com.
Security Contexts
A single UR licensed PIX 515E, 525, or 535 Security Appliance, as well as a
single ASA Security Appliance, can be partitioned into multiple virtual
firewalls, known as security contexts. Each context is an independent firewall,
with its own security policy, interfaces, and administrators. The number of
contexts available in a PIX Security Appliance or Adaptive Security Appliance
depends on the model and context license. As the network grows, or requirements
change, an upgrade context license to increase the number of available contexts
can be purchased.
PIX Security Appliance Context Licensing
By default, two contexts are included in the UR PIX 515E, 525, or 535 Security
Appliance license. A PIX 515E supports up to 5 contexts, a PIX 525 supports up
to 50 contexts, while a PIX 535 supports up to 100 contexts.
The table in Figure compares the restricted and unrestricted licenses of the
PIX 515E, 525, and 535 Security Appliance models.
ASA Security Appliance Licensing
ASA Security Appliance licensing is also based on a feature-based license key
system. The ASA Security Appliance license determines the number of contexts,
type of VPN encryption, and number of VPN peers an ASA Security Appliance can
support. Figure shows the licensing options available for the ASA Security
Appliance family.
By default, the ASA5520 and 5540 support two contexts. An ASA5520 Security
Appliance supports up to 10 contexts and an ASA5540 Security Appliance supports
up to 20 contexts.
The table in Figure compares the ASA Security Appliance license offerings.
Across the top of the chart are the ASA Security Appliance features. Down the
left side are the ASA5510, ASA5520 and ASA5540 licenses. Each ASA Security
Appliance column compares the listed features available with each license.