One of my customers is in the process of purchasing one unit of the Cisco ASA 5500 series Adaptive Security Appliance for their office. They do not need the Anti-X edition but require IPS and VPN, with a minimum of 4 Ethernet interfaces.
Looking into the ASA 5500 series with IPS bundle (ASA5510-AIP10-K9), it only has 3 Ethernet interfaces; the next one up is the ASA 5520 (ASA5520-AIP10-K9), which is very expensive compared to the ASA 5510 IPS bundle.
So I decided to go with this product:
ASA 5510 Security Plus Appliance with SW, HA, 5FE, 3DES/AES (ASA5510-SEC-BUN-K9), with the addition of the module ASA 5500 AIP Security Services Module-10 (ASA-SSM-AIP-10-K9).
Now my questions are:
1. Can these 5 Ethernet interfaces on the ASA5510-SEC-BUN-K9 be used for different network segments with DMZs, or do we need the Cisco ASA 4-Port Gigabit Ethernet Module (SSM-4GE) to have different network segments with DMZs?
2. Does the proposed Security Appliance (ASA5510-SEC-BUN-K9) support the additional module ASA 5500 AIP Security Services Module-10 (ASA-SSM-AIP-10-K9)?
3. If it does, do we need any additional license besides the one that comes with the proposed Security Appliance (ASA5510-SEC-BUN-K9) if we incorporate the additional module ASA 5500 AIP Security Services Module-10 (ASA-SSM-AIP-10-K9)?
4. If the customer does not need the Anti-X feature in the required Security Appliance, do we need to use the module ASA Content Security SSM-10 w/ 50 Usr AV/Spy, 1YR Subscript (ASA-SSM-CSC-10-K9=)?
I hope someone can help me with answers to all of the above queries.
1. The 5 interfaces can be used for inside, outside, and 3 dmz interfaces. All will be different subnets. The ASA-5510 bundle comes with 5 interfaces all set up for you to use, you don't need anything else.
3. You'll need a licence for the AIP-SSM itself, because it is just like a standalone IPS device. It needs a licence to allow you to update its signature version. Basically, if you put it under SmartNet then you can get a licence for it. Just make sure you put both the ASA-5510 AND the AIP-SSM under maintenance, because they have separate serial numbers, and the AIP-SSM licence is based on the AIP-SSM serial number, not the ASA-5510 serial number.
4. All the ASAs only have one slot for an additional module, so if you're already using an AIP-SSM then you can't use a CSC-SSM, even if you wanted to, simply because there's nowhere to put it. The CSC-SSM provides anti-X protection, so if your customer doesn't want that then of course they don't have to have it.
Thanks for this response. I'm not so clear on point no. 3. Do you know a part number for this SmartNet service for the AIP-SSM? I do have the Cisco Global Price List. If you can provide the part number, I can look up its price in the price list to quote.