|CISCO ASA 5505||CISCO ASA 5510|
The two smallest ASA Firewall models, the 5505 and the 5510, are the only ones that have two types of licenses.
They can be ordered either with a Base License or a Security Plus License. Many customers of mine are always asking me what the difference is between the two licenses (except from the price of course), so I thought it would be useful to summarize below the differences between the two license types:
Quick Comparison Table (Base Vs Security Plus)
Cisco ASA 5505
Security Plus License
|10,000 Maximum Firewall Connections||25,000 Maximum Firewall Connections|
|10 Maximum VPN Sessions (site-to-site and remote access)||25 Maximum VPN Sessions (site-to-site and remote access)|
|10 or 50 Maximum Internal Hosts||Unlimited Maximum Internal Hosts|
|3 Maximum VLANs (Trunking Disabled)(2 regular zones and 1 restricted zone that can only communicate with 1 other zone)||20 Maximum VLANs (Trunking enabled)(No restrictions of traffic flow between zones)|
|No High Availability (failover) supported||Supports Stateless Active/Standby failover|
Cisco ASA 5510
Security Plus License
|50,000 Maximum Firewall Connections||130,000 Maximum Firewall Connections|
|5×10/100Integrated Network Interfaces||2×10/100/1000 and 3×10/100|
Integrated Network Interfaces
|50 Maximum VLANs||100 Maximum VLANs|
|No High Availability (failover) supported||Supports Active/Active andActive/Standby failover|
|No Security Contexts (Virtual Firewalls)||Supports 2 Virtual Firewalls (included) and 5 maximum.|
|No Support for VPN Clustering and VPN Load Balancing||Supports VPN Clustering and VPN Load Balancing|
Cisco ASA 5505 User License Explained
I get a lot of questions regarding the meaning of user license numbers for the Cisco ASA 5505. This model is offered in three User License options.
- 10 users,
- 50 users and
- UL (unrestricted license).
The meaning of user license basically refers to concurrent IP addresses that can communicate between Internal (inside) network and Internet (outside) interface.
So, for 10 user license, only 10 concurrent internal hosts (IP addresses) can access the internet. The same applies for 50 users (only 50 concurrent IP addresses can access the Internet).
For UL license, there is no such restriction (the security plus is unrestricted in terms of internal hosts).
The user licensing has also an effect on the maximum number of IP addresses that can be assigned by the DHCP server of the ASA5505 to the internal hosts.
For a 10-user license, the max number of DHCP clients on the internal network is 32. For 50-user license, the max number of DHCP clients is 128.
The official explanation from Cisco regarding the Cisco ASA5505 user licensing is as follows:
“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits. ”
The terms “Business” and “Home” VLANs above refer to the Internal and DMZ network zones.
Cisco ASA 5505 Firewall License Restriction for DMZ
The Cisco ASA 5505 is a great product for small businesses (5-10 employees) or even for home network use.
However, if you need to create a DMZ zone (in addition to your Inside and Outside zones) in order to install a publicly accessible server (e.g WEB server, MAIL server etc), then the default basic license won’t work for you.
The basic license does not allow more than 2 security zones. You will need to upgrade to “Security Plus” license which also enhances some other firewall parameters (more firewall connections, more remote access VPN sessions, trunking with 20 VLANs).
The Licensing for the ASA 5505 is as following:
Cisco ASA 5505 10 User Firewall Edition Bundle
Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license.
Cisco ASA 5505 50 User Firewall Edition Bundle
Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.
Cisco ASA 5505 Unlimited User Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.
Cisco ASA 5505 Security Plus Firewall Edition Bundle
Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, Stateless Active/Standby high availability, Dual ISP support, 3DES/AES license.
How to upgrade Cisco ASA 5500 Firewall License
To upgrade the current license of your cisco ASA firewall, you need to order a new license key from Cisco at www.cisco.com/go/license. You will receive a new license key in your email after a couple of hours. This license key is a five element hexadecimal string in the form 0xffd8624e (as an example).
To apply this new license key in your security appliance, configure the following:
ASA5500(config)# activation-key 0xffd8624e
ASA5500#copy running startup
- Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)
- Cisco ASA 5500-X Firewall Security Levels Explained
- How to Block HTTP DDoS Attack with Cisco ASA Firewall
- How to Block Access to Websites with a Cisco ASA Firewall (with FQDN)
- DNS Doctoring – Access Internal WebSite using its public URL