Tuesday, May 5th, 2009 at 4:31 am
Cisco ASA 5540 Features
Next in line is the Cisco ASA 5540 firewall appliance. This device is geared towards large enterprises that need firewall throughput of 650 Mbps. The ASA 5540 is the highest model that supports a Security Services Module (SSM), which provides Content Inspection or Intrusion Prevention (IPS) services to the network. The SSM slot can also host a four-port Gigabit Ethernet card, besides the Content Inspection or IPS modules. The higher-end models 5550 and 5580 DO NOT support the SSM module. Note also the greatly enhanced number of supported VPN sessions (5000 IPsec or 2500 SSL VPN) compared with the smaller models. This enhancement makes the 5540 ideal for replacing the older VPN 3000 Concentrator device.
Let’s see the features of the ASA 5540 in more detail below.
Thursday, April 30th, 2009 at 3:46 am
Cisco ASA 5520 Features
Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5520 model. This model is suitable as an Internet Edge device for medium-size enterprises, but it can also be used for internal LAN segmentation. From this model and up there are no Base License or Security Plus License options, as there are on the 5505 and 5510 models. Also, the four integrated network interfaces support gigabit 10/100/1000 speed by default. There is an additional Management interface which supports Fast Ethernet speed (10/100 Mbps). This interface can be used as a normal firewall interface by issuing the “no management-only” interface configuration command, so there are essentially five network interfaces integrated on the appliance.
In more detail, the Cisco ASA 5520 firewall features are the following:
Friday, April 24th, 2009 at 12:24 pm
Cisco ASA 5510 Features
Continuing our series of posts about the hardware and software features of ASA firewalls, this article focuses on the Cisco ASA 5510 model, which is a very popular appliance for small to medium enterprises. Unlike the ASA 5505, this is a rack-mountable model (1U size) which also supports an add-on module (SSM – Security Services Module). As with the 5505, the ASA 5510 also comes with two types of software licenses: Base License and Security Plus License, with the latter offering advanced hardware and performance features.
In more detail, the Cisco ASA 5510 firewall features are the following:
Sunday, April 19th, 2009 at 3:27 pm
Cisco ASA 5505 Features
In this post I’ll describe the software and hardware features of the Cisco ASA 5505 model. The ASA 5505 is the smallest model in the 5500 series and is suitable for small businesses, small branch offices and teleworkers. As it is smaller than the other models, it is not rack-mountable. It is also the only model that comes with an 8-port switch (with 2 Power over Ethernet ports). The Cisco ASA 5505 ports are Layer 2 switch ports, not normal Layer 3 ports like those of the other models. To configure its Layer 2 ports you need to create VLANs and assign each port to a certain VLAN number. All interface parameters (name, security level, IP address) are configured under the “interface vlan [number]” command.
The Cisco ASA 5505 features depend on which software license is installed. There are two license options available: Base License and Security Plus License. The Security Plus license enables the Cisco ASA 5505 appliance to support a higher connection capacity and a higher number of IPsec VPN users, adds full DMZ support, and integrates into switched network environments through VLAN trunking support. Moreover, the Security Plus license upgrade enables redundant ISP connections and stateless Active/Standby high-availability services.
In more detail, the Cisco ASA 5505 features are the following:
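The following is an added configuration example (not part of the original post) showing the Layer 2 port to VLAN mapping described above. The port assignment, VLAN numbers, interface names and IP addresses are assumptions constructed for illustration; the commands themselves are standard ASA 5505 configuration commands.

```cisco
! Constructed example: Ethernet0/0 is the ISP uplink (VLAN 2, "outside"),
! Ethernet0/1 is a LAN port (VLAN 1, "inside"). Addresses are documentation ranges.
! Step 1: assign each Layer 2 switch port to a VLAN.
ASA(config)# interface ethernet 0/0
ASA(config-if)# switchport access vlan 2
ASA(config-if)# no shutdown
ASA(config-if)# exit
ASA(config)# interface ethernet 0/1
ASA(config-if)# switchport access vlan 1
ASA(config-if)# no shutdown
ASA(config-if)# exit
! Step 2: all Layer 3 and security parameters live on the VLAN interfaces,
! never on the physical switch ports.
ASA(config)# interface vlan 1
ASA(config-if)# nameif inside
ASA(config-if)# security-level 100
ASA(config-if)# ip address 192.168.1.1 255.255.255.0
ASA(config-if)# exit
ASA(config)# interface vlan 2
ASA(config-if)# nameif outside
ASA(config-if)# security-level 0
ASA(config-if)# ip address 203.0.113.10 255.255.255.0
ASA(config-if)# exit
! Verify the mapping: each switch port should show its access VLAN.
ASA# show switch vlan
```

Any additional port can be added to an existing VLAN with the same "switchport access vlan" command; keep in mind that the number of VLANs the 5505 can use depends on the installed license.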
Tuesday, March 10th, 2009 at 9:34 am
In addition to device-level failover, you can also configure interface redundancy on the same chassis of a Cisco ASA firewall. Basically you create a logical interface pair bundle (called “interface redundant”) in which you include two physical interfaces. If one of the interfaces fails, the second one in the redundancy pair takes over and starts passing traffic. You can configure up to 8 redundant interface pairs. After you configure the redundant interface pair, all security appliance configuration refers to this logical redundant pair instead of the member physical interfaces.
The following guidelines should be followed for a redundant interface and its members:
- You must first remove the name of the physical interface (using the no nameif command) before adding it to the logical redundant interface.
- Both member interfaces must be of the same physical type. That is, they must both be GigabitEthernet or both be Ethernet.
- The only configuration available to physical interfaces that are part of a redundant interface pair is physical parameters (i.e. the shutdown command and the description command).
Configuration Example:
ASA(config)# interface redundant 1
ASA(config-if)# member-interface gigabitethernet 0/0
ASA(config-if)# member-interface gigabitethernet 0/1
From now on, all interface-related commands must refer to “interface redundant 1”.
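To show the three guidelines in practice, here is an added, fuller version of the configuration above (it is not from the original post). The interface name "outside", the security level and the IP address are constructed assumptions; the commands are standard ASA interface configuration commands.

```cisco
! Step 1 (first guideline): strip any existing name from both physical members
! before they are added to the pair. Assumes GigabitEthernet0/0 was previously named.
ASA(config)# interface gigabitethernet 0/0
ASA(config-if)# no nameif
ASA(config-if)# exit
ASA(config)# interface gigabitethernet 0/1
ASA(config-if)# no nameif
ASA(config-if)# exit
! Step 2 (second guideline): create the logical pair from two members of the
! same physical type.
ASA(config)# interface redundant 1
ASA(config-if)# member-interface gigabitethernet 0/0
ASA(config-if)# member-interface gigabitethernet 0/1
! Step 3: name, security level and IP address go on the redundant interface,
! so ACLs, NAT and routing all reference "outside" and survive a member failure.
ASA(config-if)# nameif outside
ASA(config-if)# security-level 0
ASA(config-if)# ip address 203.0.113.10 255.255.255.0
ASA(config-if)# no shutdown
ASA(config-if)# exit
! Step 4 (third guideline): only physical parameters remain valid on a member.
ASA(config)# interface gigabitethernet 0/1
ASA(config-if)# description standby member of redundant 1
ASA(config-if)# exit
! Verify which member is currently active and which is standby.
ASA# show interface redundant 1
```

When testing the pair, pull the cable of the active member and run the show command again: the standby member should now be reported as active and the "outside" interface should remain up.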