
License Cost for AIP

Mero Cisco
Level 1

Hi,

I have got ASA 5520. I am planning to install Cisco ASA AIP SSM-20 and Cisco ASA Content Security and Control (CSC) Security Services Module on ASA 5520.

However I am also thinking of adding AIP only as I can do the function of content filtering with proxy server. Relating this issue I would like to ask -

1. What would be the benefit of adding CSC ?

2. Do I have to pay the license cost every year for both of these SSM? What would be the cost ?

3. Up to how many SSM can I add into ASA 55020 ?

With regards,

- Mero

Accepted Solutions

you can also check out this site, as there are a lot of configuration examples. maybe you find there what you need.

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

6 Replies

flokki123
Level 3

hi mero,

it looks like you can add only one ssm to the asa5520.

with the csc ssm you would have the benefit of having Content Security (Anti-virus, Anti-Spyware, File Blocking).

i am not sure if you need a license for the csc feature but i don't think so.

check out this link, might be helpful:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

regards,

florian

Dear Florian,

Thanks a lot for your response.

I want to give access to 2-3 servers of my office through internet and want to give access to surf the net from the same link to the whole office. My ISP has given me a pool of addresses. Which SSM do you suggest me to install for this requirement?

Waiting for your response,

- Mero

hi mero,

as far as i know you need the AIP SSM only for IPS (intrusion prevention system).

what you want to do sounds like a normal scenario for a firewall. you should put the server in a DMZ, so they are accessible from outside, but still separate from your internal lan.

and if you got an ip address range from your isp you should do nat, if you have enough addresses 1-to-1 nat and otherwise dynamic nat or pat, so the clients from the lan are able to access the internet.

i don't know if the asa5520 supports a DMZ.

but i am not an expert in this matter. are you the system administrator for your company or have you ever done this before?

regards,

florian

Dear Florian,

Yes, I am the system administrator but new one.

I have the PIX as a firewall. I want to upgrade it to ASA.

The ASA 5520 supports DMZ. In PIX I already separated my LAN and WAN. I do have 1 to 1 nat for 3 servers from outside to my servers and I have also done dynamic PAT from internal network to outside (internet) in pix right now.

Now, I want to upgrade, but before upgrading to ASA I am confused about what I should keep, prevention system or content filtering.

I will be able to open the required port for my three internal servers, so in this case do I need to have IPS? I want to focus on the net surfing. So, I guess content filtering will be the best for me. What do you suggest for me ?

Regards,

Mero

hi mero,

as far as i know ips is just another security feature and is not necessary for the normal use of the asa.

so you don't need the ips feature, it's just additional. if you want to filter the internal traffic according to rules then you need the content filtering option.

if you want to concentrate on the internet traffic, respectively take care that users are only able to access certain sites, then i would go with the content filtering feature.

but please read the specific documentation for the features and devices so you can be sure.

regards,

florian
