Post on 17-Jan-2018
Lesson 2b
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1
Cisco PIX Security Appliance and ASA Adaptive Security Appliance Families
Models and Features of Cisco PIX Firewall and Cisco ASA Adaptive Security Appliances
PIX Firewall Security Appliance Family
[Figure: positioning chart of the PIX Firewall family, price plotted against functionality. Market segments shown: SOHO, SMB, ROBO, Enterprise, SP. Models shown: PIX Firewall 501, 506E, 515E, 525, 535. Label: Gigabit Ethernet.]
ASA Adaptive Security Appliance Family
[Figure: positioning chart of the ASA family, price plotted against functionality. Market segments shown: SOHO, SMB, ROBO, Enterprise, SP. Models shown: ASA 5510, ASA 5520, ASA 5540. Label: Gigabit Ethernet.]
Cisco PIX Firewall 501 Security Appliance
• Designed for small offices and teleworkers
• 7500 concurrent connections
• 60-Mbps throughput
• Interface support
– Supports one 10/100BASE-T* Ethernet interface (outside)
– Has four-port 10/100 switch (inside)
• VPN throughput
– 3-Mbps 3DES
– 4.5-Mbps 128-bit AES
• Ten simultaneous VPN peers
*100BASE-T speed option is available in release 6.3.
PIX Firewall 501: Front Panel LEDs
[Figure: front panel LEDs: POWER, VPN TUNNEL, 100 MBPS, LINK/ACT]
PIX Firewall 501: Back Panel
[Figure: back panel callouts: Security Lock Slot, Power Connector, 10/100BASE-T (RJ-45), Console Port (RJ-45), Four-Port 10/100 Switch (RJ-45)]
PIX Firewall 506E Security Appliance
• Is designed for remote offices and small- to medium-sized businesses
• Provides 25,000 concurrent connections
• Provides 100-Mbps clear text throughput
• Supports two interfaces
– 10/100BASE-T*
– Two VLANs*
• Provides VPN throughput
– 17-Mbps 3DES
– 30-Mbps 128-bit AES
• Provides 25 simultaneous VPN peers
*100BASE-T speed option is available in PIX Firewall Security Appliance Software v6.3 for 506E only. Two VLANs are supported in release 6.3(4).
PIX Firewall 506E: Front Panel LEDs
[Figure: front panel LEDs: POWER, NETWORK, ACT]
PIX Firewall 506E: Back Panel
[Figure: back panel callouts: Power Switch, Console Port (RJ-45), USB Port, two 10/100BASE-T (RJ-45) ports, each with a LINK LED and an ACT LED]
PIX Firewall 515E Security Appliance
• Is designed for small- to medium-sized businesses and enterprise networks
• Provides 130,000 concurrent connections
• Provides 190-Mbps clear text throughput
• Provides interface support
– Up to six 10/100 Fast Ethernet interfaces
– Up to 25 VLANs
– Up to five contexts
• Supports failover
– Active/standby
– Active/active
• Supports VPNs (2,000 tunnels)
– Site to site
– Remote access
PIX Firewall 515E: Front Panel LEDs
[Figure: front panel LEDs: POWER, NETWORK, ACT]
PIX Firewall 515E: Back Panel
[Figure: back panel callouts: Expansion Slots, Fixed Interfaces]
PIX Firewall 515E: Fixed Interface Connectors
[Figure: fixed interface connectors: Power Switch, Failover Connector, CONSOLE Port (RJ-45), 10/100BASE-TX ETHERNET0 (RJ-45), 10/100BASE-T ETHERNET1 (RJ-45); each Ethernet port has a LINK LED, a 100 Mbps LED, and an FDX LED]
PIX Firewall 515E: Expansion Slot Option Cards
[Figure: expansion slot option cards. VPN Accelerator: VAC, VAC+. Fast Ethernet: 1FE, 4FE-66. Callout: Expansion Slots.]
PIX Firewall 515E: Fast Ethernet Card Port Numbering
• PIX Firewall 515E Security Appliance option cards require the UR license.
[Figure: port numbering for the single-port card and the quad-port card]
PIX Firewall 525 Security Appliance
• Is designed for enterprise networks
• Provides 280,000 concurrent connections
• Provides 330-Mbps clear text throughput
• Provides interface support
– Up to ten 10/100 Fast Ethernet interfaces
– Up to 100 VLANs
– Up to 50 contexts
• Supports failover
– Active/standby
– Active/active
• Supports VPNs (2,000 tunnels)
– Site to site
– Remote access
PIX Firewall 525: Front Panel LEDs
[Figure: front panel LEDs: POWER, ACT]
PIX Firewall 525: Back Panel
[Figure: back panel callouts: Expansion Slots, Fixed Interfaces]
PIX Firewall 525: Fixed Interface Connectors
[Figure: fixed interface connectors: FAILOVER Connection, USB Port, Console Port (RJ-45), 10/100BASE-TX ETHERNET0 (RJ-45), 10/100BASE-TX ETHERNET1 (RJ-45); each Ethernet port has a LINK LED, an ACT LED, and a 100 Mbps LED]
PIX Firewall 525: Expansion Cards and VACs
[Figure: expansion cards and VACs: VAC and VAC+, 1GE-66 Card, 1FE Card, 4FE-66 Card]
PIX Firewall 535 Security Appliance
• Is designed for enterprise and service providers
• Provides 500,000 concurrent connections
• Provides 1.65-Gbps clear text throughput
• Provides interface support
– Up to 14 Fast and Gigabit Ethernet interfaces
– Up to 150 VLANs
– Up to 50 contexts
• Supports failover
– Active/standby
– Active/active
• Supports VPNs (2,000 tunnels)
– Site to site
– Remote access
PIX 535: Front Panel LEDs
[Figure: front panel LEDs: POWER, ACTIVE]
PIX 535: Back Panel
[Figure: back panel. Slots 3, 2, 1, 0 sit on Bus 1 and Bus 0 (64-bit, 66-MHz); slots 8, 7, 6, 5, 4 sit on Bus 2 (32-bit, 33-MHz). Also shown: Console (RJ-45), USB port, DB-15 Failover connector.]
PIX Firewall 535: Option Cards
[Figure: option cards. VPN Accelerator: VAC, VAC+. Gigabit Ethernet: 1GE, 1GE-66. Fast Ethernet: 1FE, 4FE (EOS), 4FE-66.]
PIX 535: Back Panel
[Figure: back panel callouts: DB-15 Failover, Slot 8, Slot 7, Slot 6, Slot 5, Slot 4, Slot 3, Slot 2, Slot 1, Slot 0, Console (RJ-45), USB Port]
ASA 5500 Adaptive Security Appliance Family
Cisco ASA 5510 Adaptive Security Appliance
• Delivers all-in-one enterprise, remote office, and small- to medium-sized business security and VPN gateway
• Provides 64,000 concurrent connections
• Provides 300-Mbps firewall throughput
• Provides interface support
– Up to five 10/100 Fast Ethernet interfaces
– Up to ten VLANs
• Supports failover
– Active/standby
• Supports VPNs
– Site to site
– Remote access
– WebVPN
• Supports AIP-SSM-10 (optional)
Cisco ASA 5520 Adaptive Security Appliance
• Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN gateway
• Provides 130,000 concurrent connections
• Provides 450-Mbps firewall throughput
• Provides interface support
– Four 10/100/1000 Gigabit Ethernet interfaces
– One 10/100 Fast Ethernet interface
– Up to 25 VLANs
– Up to 10 contexts
• Supports failover
– Active/standby
– Active/active
• Supports VPNs
– Site to site
– Remote access
– WebVPN
• Supports AIP-SSM-10 (optional)
Cisco ASA 5540 Adaptive Security Appliance
• Delivers all-in-one enterprise and small- to medium-sized business headend security and VPN gateway
• Provides 280,000 concurrent connections
• Provides 400-Mbps firewall throughput
• Provides interface support
– Four 10/100/1000 Gigabit Ethernet interfaces
– One 10/100 Fast Ethernet interface
– Up to 100 VLANs
– Up to 50 contexts
• Supports failover
– Active/standby
– Active/active
• Supports VPNs
– Site to site (5,000 peers)
– Remote access
– WebVPN
• Supports AIP-SSM-20 (optional)
ASA 5500 Series: Front Panel
[Figure: front panel LEDs: POWER, STATUS, ACTIVE, FLASH, VPN]
ASA 5500 Series: Back Panel
[Figure: back panel callouts: Security Services Module, Fixed Interfaces, CompactFlash]
ASA 5500 Series: Connectors
[Figure: connector callouts: Four 10/100/1000 Gigabit Ethernet Ports*, 10/100 Out-of-Band Management Port, AUX Port, Console Port, CompactFlash, Two USB 2.0 Ports, Power Supply (AC or DC)]
*ASA 5510 supports 10/100 Fast Ethernet ports.
Security Services Module
• High-performance module designed to provide additional security services
• Diskless (Flash-based) design for improved reliability
• Gigabit Ethernet port for out-of-band management
AIP-SSM
[Figure: AIP-SSM front panel LEDs: PWR, STATUS, SPEED, LINK/ACT]
AIP-SSM-10
• 2.0-GHz processor
• 1.0 GB RAM
AIP-SSM-20
• 2.4-GHz processor
• 2.0 GB RAM
PIX Firewall Security Appliance Licensing
PIX License Types
• UR: Allows installation and use of the maximum number of interfaces and RAM supported by the platform.
• Restricted: Limits the number of interfaces supported and the amount of RAM available within the system (no contexts and no failover).
• Active/standby failover: Places one security appliance in a failover mode for use alongside a security appliance that has a UR license. Only one unit can be actively processing user traffic; the other unit acts as a hot standby.
• Active/active failover: Places a security appliance that has a UR license in a failover mode for use alongside another security appliance that has a UR license, or two UR licenses. Both units can actively process traffic while serving as a backup for each other.
Applies to PIX Firewall 515/515E, 525, and 535
VPN Encryption License
• DES license
– Provides 56-bit DES
• 3DES/AES license
– Provides 168-bit 3DES
– Provides up to 256-bit AES
PIX Firewall Security Context Licenses
[Figure: Default license: one PIX Firewall hosting security contexts Dept/Cust 1 and Dept/Cust 2. Upgrade license: one PIX Firewall hosting Dept/Cust 1, Dept/Cust 2, Dept/Cust 3, ... Dept/Cust N.]
PIX 515E, 525, and 535 Licensing
Model              License Type  Physical Interfaces  VLANs  Contexts                Memory (MB)  Failover
PIX Firewall 515E  Restricted    3                    10     N/A                     64           No
PIX Firewall 515E  UR            6                    25     License (up to five)    128          Yes
PIX Firewall 525   Restricted    6                    25     N/A                     128          No
PIX Firewall 525   UR            10                   100    License (up to 50)      256          Yes
PIX Firewall 535   Restricted    8                    50     N/A                     512          No
PIX Firewall 535   UR            14                   150    License (up to 50)      1024         Yes
ASA Adaptive Security Appliance Licensing
ASA Security Context Licenses
Default
• Two contexts
Available Context Licenses
• Five contexts
• Ten contexts
• 20 contexts
• 50 contexts
Upgrade Licenses
• From five to ten contexts
• From ten to 20 contexts
• From 20 to 50 contexts
[Figure: one ASA hosting security contexts Dept/Cust 1 and Dept/Cust 2]
ASA 5510, 5520, and 5540 Licensing
Model     License      Interfaces                   Security Contexts       VLANs  IPSec VPN Peers  Failover A/S  Failover A/A  GPRS GTP
ASA 5510  Base         3 x 10/100                   N/A                     0      50               N/A           N/A           N/A
ASA 5510  Security+    5 x 10/100                   N/A                     10     150              Yes           N/A           N/A
ASA 5520  Base         4 x 10/100/1000, 1 x 10/100  Default 2; up to 10     25     300              Yes           Yes           License
ASA 5520  VPN+         4 x 10/100/1000, 1 x 10/100  Default 2; up to 10     25     750              Yes           Yes           License
ASA 5540  Base         4 x 10/100/1000, 1 x 10/100  Default 2; up to 50     100    500              Yes           Yes           License
ASA 5540  VPN+         4 x 10/100/1000, 1 x 10/100  Default 2; up to 50     100    2000             Yes           Yes           License
ASA 5540  VPN Premium  4 x 10/100/1000, 1 x 10/100  Default 2; up to 50     100    5000             Yes           Yes           License
Cisco Firewall Services Module
FWSM
• Designed for campus data center and service provider environments
• Runs in Cisco Catalyst 6500 Series Switches and 7600 Series Routers
• Up to 1 million concurrent connections
• Up to 5.5-Gbps throughput
• Supports 100 security contexts
– 256 interfaces per security context
• 1000 VLANs (maximum per FWSM)
• Supports active/standby failover
FWSM in Catalyst 6500 Switch and Cisco 7600 Internet Router
[Figure: FWSM installed in a Catalyst 6500 Switch and in a Cisco 7600 Internet Router]
Summary
• There are currently eight Cisco PIX Firewall and ASA Adaptive Security Appliance models.
– In the Cisco 500 PIX Firewall Series: 501, 506E, 515E, 525, and 535
– In the Cisco ASA 5500 Series: 5510, 5520, and 5540
• Your security appliance license determines the level of service and available features of your security appliance, and the number of interfaces it supports.
Summary (Cont.)
• Restricted, unrestricted, and failover licenses are available for PIX Firewall Security Appliance models 515E, 525, and 535.
• The Cisco Firewall Services Module for the Cisco Catalyst 6500 Switches and the Cisco 7600 Series Internet Routers provides an alternative to the security appliance.