
Cisco ASA 5505, 5510 Base Vs Security Plus License Explained

Written By Harris Andrea

The two smallest ASA Firewall models, the 5505 and the 5510, are the only ones that have two types of licenses.

They can be ordered either with a Base License or a Security Plus License. Many customers of mine are always asking me what the difference is between the two licenses (apart from the price, of course), so I thought it would be useful to summarize below the differences between the two license types:

Quick Comparison Table (Base Vs Security Plus)

Cisco ASA 5505

| Base License | Security Plus License |
|---|---|
| 10,000 Maximum Firewall Connections | 25,000 Maximum Firewall Connections |
| 10 Maximum VPN Sessions (site-to-site and remote access) | 25 Maximum VPN Sessions (site-to-site and remote access) |
| 10 or 50 Maximum Internal Hosts | Unlimited Maximum Internal Hosts |
| 3 Maximum VLANs (Trunking disabled) (2 regular zones and 1 restricted zone that can only communicate with 1 other zone) | 20 Maximum VLANs (Trunking enabled) (No restrictions of traffic flow between zones) |
| No High Availability (failover) supported | Supports Stateless Active/Standby failover |

Cisco ASA 5510

| Base License | Security Plus License |
|---|---|
| 50,000 Maximum Firewall Connections | 130,000 Maximum Firewall Connections |
| 5 × 10/100 Integrated Network Interfaces | 2 × 10/100/1000 and 3 × 10/100 Integrated Network Interfaces |
| 50 Maximum VLANs | 100 Maximum VLANs |
| No High Availability (failover) supported | Supports Active/Active and Active/Standby failover |
| No Security Contexts (Virtual Firewalls) | Supports 2 Virtual Firewalls (included) and 5 maximum |
| No Support for VPN Clustering and VPN Load Balancing | Supports VPN Clustering and VPN Load Balancing |

Cisco ASA 5505 User License Explained

I get a lot of questions regarding the meaning of user license numbers for the Cisco ASA 5505. This model is offered in three User License options.

  • 10 users,
  • 50 users and
  • UL (unrestricted license).

The user license refers to the number of concurrent IP addresses on the Internal (inside) network that can communicate with the Internet (outside) interface.

So, with a 10-user license, only 10 concurrent internal hosts (IP addresses) can access the Internet. The same applies to the 50-user license (only 50 concurrent IP addresses can access the Internet).

With the UL license, there is no such restriction (the Security Plus license is also unrestricted in terms of internal hosts).

User licensing also affects the maximum number of IP addresses that the DHCP server of the ASA 5505 can assign to internal hosts.

For a 10-user license, the maximum number of DHCP clients on the internal network is 32. For a 50-user license, the maximum number of DHCP clients is 128.

The official explanation from Cisco regarding the Cisco ASA5505 user licensing is as follows:
“In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN).

Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit.

The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit.

In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view host limits.”

The terms “Business” and “Home” VLANs above refer to the Internal and DMZ network zones.

Cisco ASA 5505 Firewall License Restriction for DMZ

The Cisco ASA 5505 is a great product for small businesses (5-10 employees) or even for home network use.

However, if you need to create a DMZ zone (in addition to your Inside and Outside zones) in order to install a publicly accessible server (e.g. a web server or mail server), then the default basic license won’t work for you.

The basic license does not allow more than 2 security zones. You will need to upgrade to the “Security Plus” license, which also enhances some other firewall parameters (more firewall connections, more remote access VPN sessions, trunking with 20 VLANs).

The licensing options for the ASA 5505 are as follows:

Cisco ASA 5505 10 User Firewall Edition Bundle

Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license.

Cisco ASA 5505 50 User Firewall Edition Bundle

Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Unlimited User Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Security Plus Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, Stateless Active/Standby high availability, Dual ISP support, 3DES/AES license.

Cisco ASA 5505 Vlans and Licensing

The eight physical network interfaces of the Cisco ASA 5505 firewall appliance can be divided into groups that function as separate security zone networks.

Each group is a Layer 2 VLAN. Devices in the same group (VLAN) can communicate directly with each other without passing through the security control of the firewall.

On the other hand, devices between different Vlans can only communicate with each other by passing the traffic through the adaptive security appliance where relevant security policies are applied.

By default, there are two VLANs (VLAN1 and VLAN2) preconfigured on the firewall. Port Ethernet0/0 belongs to VLAN2 and ports Ethernet0/1 to 0/7 belong to VLAN1.

For example, when a switch port on VLAN1 is communicating with a switch port on VLAN2, the adaptive security appliance applies configured security policies to the traffic and routes or bridges the traffic between the two VLANs.

Usually Port Ethernet0/0 connects to the outside untrusted interface (Internet), and ports Ethernet0/1 to 0/7 connect to the inside trusted network zone.

The license installed on the 5505 firewall determines the number of active VLANs allowed on the appliance, as described below:

Basic ASA 5505 License VLANs:

The basic license allows only 3 active VLANs, which you can use as Inside, Outside and DMZ. However, there is a restriction here that many people do not know about: the DMZ VLAN can access ONLY the Outside VLAN and cannot access the Inside VLAN. The other two VLANs (Inside and Outside) can access all the other VLANs with no problems.
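
On the appliance, this restriction is expressed with the no forward interface command on the third VLAN. The configuration below is an added example, not part of the original article; VLAN 3, port Ethernet0/2, the name dmz, security level 50 and the 192.168.2.0/24 addressing are assumptions chosen for illustration.

```cisco
! Added example (not from the original article). Assumed values: VLAN 3,
! port Ethernet0/2, name "dmz", security-level 50, subnet 192.168.2.0/24.
! VLAN1 (inside) and VLAN2 (outside) are the factory-default VLANs.
!
! With the Base license the third VLAN must be restricted BEFORE it is
! named; without the restriction the ASA rejects the nameif command.
interface Vlan3
 ! Block connections initiated from this VLAN toward VLAN1 (inside)
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Put a physical switch port into the DMZ VLAN
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Verify the VLAN-to-port assignment and the installed license:
!   show switch vlan
!   show version
```

Only connections initiated from the DMZ toward the inside are blocked; inside hosts can still open connections to the DMZ server, subject to the normal access rules.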

Security Plus ASA 5505 License VLANs:

The Security Plus license removes all limitations and allows up to 20 active VLANs to be configured. Since there are only 8 physical ports, you can create several VLAN subinterfaces on each physical port to segment your network into different security zones (e.g. Inside, Outside, DMZ1, DMZ2, Sales, Engineering etc.).

How to upgrade Cisco ASA 5500 Firewall License

To upgrade the current license of your Cisco ASA firewall, you need to order a new license key from Cisco at www.cisco.com/go/license. You will receive a new license key in your email after a couple of hours. This license key is a five-element hexadecimal string in the form 0xffd8624e (as an example).

To apply this new license key in your security appliance, configure the following:

ASA5500(config)# activation-key 0xffd8624e
ASA5500(config)# exit
ASA5500# copy running-config startup-config
ASA5500# reload


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Joseph says

    November 8, 2010 at 5:30 am

    Hi,

    A 5510 with base license was already purchased. Can I purchase a license and upgrade it to Sec Plus?

  2. BlogAdmin says

    November 8, 2010 at 7:23 am

    Joseph,

    Yes, absolutely. When you purchase the new license, Cisco will send you a new license code which you can configure in the ASA 5510 (with command line configuration), and it will enable all Sec Plus features for you.

  3. Tiago Durante says

    November 11, 2010 at 12:23 pm

    Hi,

    Does the 5510 Security Plus have the same capabilities as the 5520 VPN Plus?

    How can I compare it?

    Thanks a lot!

  4. BlogAdmin says

    November 11, 2010 at 4:14 pm

    The security plus for 5510 and the VPN plus license are two different things. The VPN plus license on 5520 is to double the VPN capacity of the box to support up to 750 concurrent VPN connections.

  5. julian says

    March 30, 2011 at 8:49 pm

    Does the base license support site-to-site VPN, or VPN client only?

  6. BlogAdmin says

    March 31, 2011 at 4:10 pm

    Site-to-site VPN is supported too (maximum 10 site-to-site VPN tunnels).

  7. Karen says

    March 8, 2013 at 6:40 pm

    Does ASA 5505 with Base License not support routing between VLANs?

  8. BlogAdmin says

    March 8, 2013 at 7:38 pm

    Karen,
    ASA5505 base license supports 3 vlans: inside, outside, and dmz. The dmz vlan can only initiate traffic to ONE of the other two vlans but not to both.

  9. Mansour says

    April 8, 2015 at 3:41 pm

    Hi. How many site-to-site VPNs are supported on the ASA 5510 with Security Plus license?

  10. BlogAdmin says

    April 8, 2015 at 3:52 pm

    I don’t remember exactly, but I think it supports at least 20-30 site-to-site.
