
Maxed out ASA 5505?

murray.daniel

Looking at upgrading an ASA 5505 I've inherited. 
Wondering what type of license(s) I need to get (or if I should look at a different solution) to "max it out"

So.. there are 8 switch ports.  I know I can create vlans, and assign vlans to individual switchports.  But can I fully use ALL 8 ports? and have 8 security segments? If I wanted to 'max out' the available subnets, would the following arrangement be feasible?

Port Level VLAN Name (Function)
E0/0 o 1 outside (ISP)
E0/1 100 100 inside (corp)
E0/2 20 20 sec_logs (security management/logging)
E0/3 30 30 dmz_prod (PRODUCTION DMZ)
E0/4 40 40 guestaccess (Internet access for guests)
E0/5 50 50 labnet_1 (test lab subnet) 
E0/6 60 60 labnet_2 (test lab subnet)
E0/7 70 70 labnet_3 (test lab subnet)


Finally, I'd really like (not NEED) to have this config with GigE ports vs FastE ports.  Any ideas?  Money is not unlimited, but I do need to stay as low as possible (and still stay Cisco)..

I'd love to see some maxed (or nearly so) sample configs (sanitized, of course) if anyone is willing to share...


Hi,

Yes, you can use up to 20 VLANs on the 5505, but you need the SecurityPlus-License. Be aware of the fact that the SecurityPlus-License does not give you unlimited users. If you have the Base 10 User License and you upgrade to SecurityPlus, then you get the Security-Plus-Features like more VLANs, but you still only have 10 Users. These have to be upgraded individually.

For your Gigabit-Needs: There you should look at the new 5500-X-Models.

HTH, Karsten

Sent from Cisco Technical Support iPad App

Hmm... do you have a link for the new ASAs? Is there a 5505-X? Or will I have to go to a MUCH higher priced device?

Here are the new models:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

The smallest one is the 5512-X, which is a little more than double the price of the 5505-SecPlus. The problem with the 5512-X is that there is no failover (I really don't understand why Cisco is restricting that). For Failover you need at least the 5515-X.

Thanks, I found them. Seems they ship with a base license. Looking for a part no and price to kick it up to sec plus, unlimited user. Sure would be nice if there was a 5512-x-sec-k9-bun. I don't see any security bundle part numbers...

The SecPlus License is ASA5512-SEC-PL, but the 5512-X (3995 List) with the SecPlus (1000 List) license is exactly the price of the 5515-X (4995 List). So you really should go for the 5515-X then.

Are you sure about the no failover? According to the licensing guide for 8.6, the 5512-X does failover with the sec plus license. Document is from June 5 2012.

http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.pdf

Dug a little more, it is supported, same licensing configuration as the 5510.

ASA 5510, ASA 5512-X

Security Plus License.

Did you read the other posts? It's about the cost that you shouldn't buy a 5512-X if you want to run failover. For the *same* price you get the 5515-X.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Really should edit the post though, people may stop reading after that thinking it can't do failover. Regardless of the cost, the 5512-X can do failover. If a customer purchased a 5512 base, and down the road wants to add failover, they can without having to purchase all new equipment.

However I do agree, for failover the 5515 (or 5520) are better options.

There's no direct replacement for the 5505 in the X series at this point.

Karsten's advice re the 5515-X is solid. I have seen many posts here over the years of people frustrated when they push up against the limitations of the 5505. The X series with its multicore processor, 64-bit software and increased memory will serve you better for many years to come.
