Cisco ASA Licensing Licensed Features on ASAThis chapter covers the following topics Licensed features on ASAManaging licenses with activation keys. Combined licenses in failover and clustering. Shared Premium Any. Connect VPN licensing. ASA offers a very comprehensive feature set that helps secure networks of all shapes and sizes. To deliver the desired functionality within the available budget while allowing for future scalability, you can unlock advanced security capabilities and increase certain system capacities on demand through a flexible system of feature licenses. Some characteristics of the hardware platform or expansion modules can enable certain feature licenses implicitly. You can also activate additional licenses permanently or for a certain duration of time. When multiple Cisco ASA devices participate in failover or clustering, some licensed capacities automatically aggregate up to the platform hardware limit to maximize your investment. Although this flexible system may seem complicated at first, it actually makes the task of customizing a Cisco ASA for your specific business needs quite easy. Every Cisco ASA platform comes with a certain number of implicitly activated features and capacities as a part of the Base License. Basic ASA Configuration. Before dealing with any specific configuration procedure for the Adaptive Security Appliance ASA, you need to understand a set of basic. In other words, these capabilities are fixed in the given software image for the particular hardware you cannot selectively disable them. One example of such a feature is ActiveActive failover, which is always available on all Cisco ASA 5. X appliances. Some platforms offer the optional Security Plus license, which may unlock additional features or capacities on top of the Base License. For example, you can increase the maximum concurrent firewall connection count on the Cisco ASA 5. Security Plus license. In addition to the Base and Security Plus licenses, you can activate other advanced security features individually Some capabilities operate in a simple binary switch fashion whereby the license for the feature type is either enabled or disabled once enabled, there are typically no direct restrictions on how much the feature can be used. For instance, the Botnet Traffic Filter license will allow you to protect all connections through a Cisco ASA up to the maximum limit for the platform. Other features may carry their own capacity limits that come in quantified tiers. An example of such a feature is the ability to configure security contexts on some Cisco ASA appliances. On the Cisco ASA 5. Base License allows creating up to two application contexts, while several premium licenses of different tiered counts allow extending this limit up to 2. Not all of the licensed features and capabilities are available on all hardware platforms. For instance, at the time of writing, the clustering feature is currently available only on Cisco ASA 5. X, ASA 5. 58. 0, and ASA 5. X appliances. Depending on specific markets and international export regulations, some Cisco ASA models may also ship with the permanent No Payload Encryption license this license ties to the particular hardware without the option of change or removal. The following licensed features and capacities are not available on any No Payload Encryption hardware models Any. Connect Premium Peers. Any. Connect Essentials. Other VPN Peers. Total VPN Peers. Shared License. Any. Shared Premium VPN Licensing. It may become cost prohibitive to obtain multiple separate AnyConnect Premium Peers licenses if you manage a large number of Cisco ASA. Its difficult to a get any documentation from Cisco that confirms the forwarding performance of the ASA firewall. However, once you have got a unit, the show. If they would tear your world apart, Would you intervene Music is a weapon Sounds like a threat. Let the bass terrorize Theres no turning back Myfirewallpriactconfig sh failover state State Last Failure Reason DateTime This host Primary Active None Other host. Connect for Mobile. Any. Connect for Cisco VPN Phone. Advanced Endpoint Assessment. UC Phone Proxy Sessions. Total UC Proxy Sessions. Intercompany Media Engine. As you identify the correct feature set to take the most advantage of Cisco ASA capabilities while fully protecting your network, it helps to organize the licensed features into the following logical categories Basic platform capabilities Typically are relevant to all Cisco ASA deployments. Advanced security features Can satisfy specific network design goals for a particular Cisco ASA installation. Tiered capacity features Depend on the size of a projected user base and allow for future growth. These categories are discussed in turn next. Basic Platform Capabilities. Basic licensed features define the foundation of the Cisco ASA capabilities that are common to all installations and designs, such as the following Dictating the elementary characteristics of how an ASA device connects to the network. Serial Number Spss 23 Software. Establishing the quantity and speed capabilities of physical and logical interfaces. Limiting the number of protected connections and inside hosts. Defining high availability options. Setting the baseline encryption algorithms that the system can use. The following licensed features fall under the category of basic platform capabilities Firewall Connections Cisco ASA Software limits the maximum concurrent count of all stateful connections depending on the hardware platform. This limit can only be increased with the Security Plus license on Cisco ASA 5. ASA 5. 51. 0, and ASA 5. X appliances. The system will deny only new attempted connections above the licensed limit there are no adverse effects for existing connections in this case. Maximum Physical Interfaces All Cisco ASA platforms always allow you to use all of the available physical interfaces, so this feature either shows the actual number of physical interfaces on the Cisco ASA 5. Unlimited on all other platforms. There are additional platform specific limitations on the total number of interfaces that can be configured in the system the total limit covers physical and redundant interfaces, VLAN subinterfaces, Ether. Channels, and bridge groups. Maximum VLANs Each platform has its own limit on the maximum number of configurable VLANs. This limit can be expanded on Cisco ASA 5. ASA 5. 51. 0, and ASA 5. X models by applying a Security Plus license. Keep in mind that you can create a larger number of subinterfaces on some ASA appliances, but this particular limit only kicks in when you actually assign the given number of subinterfaces to VLANs with the vlan interface command. VLAN Trunk Ports This feature is applicable only to Cisco ASA 5. Ethernet switch. With the Base License, you can configure the physical switch ports only in access mode with the Security Plus license, you gain the ability to carry multiple VLANs on any of the Cisco ASA 5. Dual ISPs This feature only applies to the Cisco ASA 5. Security Plus license enables it automatically. With the Base License, this platform only allows up to three configured logical interfaces, where the third interface can initiate traffic only to one of the other two with this limitation, you cannot create a backup interface to provide external connectivity when the primary outside interface fails. When you apply the Security Plus license, the number of available logical interfaces increases to 2. ISPs. 1. 0GE IO This feature is only applicable to Cisco ASA 5. X models. An SSP 1. Base License only allow you to configure the onboard fiber interfaces at 1 Gigabit Ethernet GE speed the Security Plus license enables configuring these interfaces at 1. GE speed. This capability is always enabled on SSP 4. GE interface modules. Although not directly related to this license, it should be noted that a Cisco ASA 5. Security Plus license to configure Ethernet. Ethernet. 01 interfaces at 1 GE speed. All other models not mentioned here allow you to configure any onboard or external physical Ethernet interfaces up to the maximum supported speed.