Saturday, February 22, 2014

Cisco ASA 5505: What Is The Difference Between A Base And Security Plus License?

I recently had to get an ASA 5505 ready for a remote site.  One of the requirements was to implement vlans on the ASA.  When I started the config, I noticed that the ASA had a Base license on it.  You can do 3 VLANs with a Base license, but routing between the two internal (or DMZ) VLANs is not possible.  Its going to take a Security Plus license for that, which the customer does not have.
So, what is the difference between a Base license and a Security Plus license?  Here is a screenshot of the differences, according to Cisco:


So, if you have a Base license, what do you have to do to get 3 VLANs working?  See below from the Cisco documentation.  This is exactly what I did:
From the Cisco documentation:
Step 2 (Optional) For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

  hostname(config-if)# no forward interface vlan number

 Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.
With the Base license, you can only configure a third VLAN if you use this command to limit it.
For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.
If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.
Posted by

2 comments:

  1. Javier SolisFebruary 25, 2014 at 8:27 PM

    Hi Shane,

    For those of us new to the asa, would you recommend that we learn the command line or GUI? What are the limitations of strictly using the GUI? One more question, if your using an asa for a medium sized business 150-200 users, should you spend the money for smartnet?

    Thanks,

    ReplyDelete
    Replies
    1. ShaneFebruary 25, 2014 at 11:15 PM

      Hi Javier, good questions! Here is what I would say, although this is personal opinion:
      1. When talking about the ASA, I always use CLI. If you learn the ASA in CLI, you will learn exactly WHAT you are doing and WHY you are doing it. When you do things in a GUI, it does the commands for you in the background, and you can learn HOW to do things without knowing WHY you did them. But, other people may be different than I am, that is just my thoughts on it. I do have a customer that prefers the GUI. He comes from strictly a Check Point background, so he is used to that. Nothing at all wrong with that. One size does not fit all.
      2. The only limitations that I can think of is that I have been told in the past that the GUI is about 90% of the CLI. I don't personally know this and have not verified this. Again, I never use it (except for packet captures) so I don't really have a dog in that fight.
      3. For smartnet, I personally think that the ASA is a device to have it on, but really only for the 5510 and above. Not the 5505. I don't feel this way about all products in the infrastructure, but the firewall I do. If it dies, then you get a replacement. Its just insurance, and I think that its worth it. Not only that, but you get access to Cisco TAC, which is second to none in tech support.

      Delete

Your comment will be reviewed for approval. Thank you for submitting your comments.

Subscribe to: Post Comments (Atom)