Chapter 2. Cisco ASA Product and Solution Overview

The Cisco ASA 5500 Series Adaptive Security Appliances integrate firewall, IPS, and VPN capabilities, providing an all-in-one solution for your network. Incorporating all these solutions into Cisco ASA secures the network without the need for extra overlay equipment or network alterations. This is something that many Cisco customers and network professionals have requested in a security product.

There are several Cisco ASA 5500 Series models. These include

• Cisco ASA 5505

• Cisco ASA 5510

• Cisco ASA 5520

• Cisco ASA 5540

• Cisco ASA 5550

• Cisco ASA 5580-20

• Cisco ASA 5580-40

This chapter provides an overview of the Cisco ASA 5500 Series Adaptive Security Appliance hardware, including performance and technical specifications. It also provides an overview of the Adaptive Inspection and Prevention Security Services Module (AIP-SSM), which is required for IPS features. Additionally, it introduces the Content Security and Control Security Services Module (CSC-SSM), designed to provide antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking/filtering, and content filtering. This chapter also discusses the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE SSM) that extends the number of physical interfaces in an appliance.

Cisco ASA 5505 Model

The Cisco ASA 5505 Adaptive Security Appliance is designed for small business, branch office, and telecommuting environments. Despite its small size, it provides firewall, SSL and IPsec VPN, and numerous networking services expected on a bigger appliance. Figure 2-1 shows the front view of the Cisco ASA 5505.

Figure 2-1 Cisco ASA 5505 Front View

image

The front panel has the following components:

1. USB Port—Reserved for future use.

2. Speed and Link Activity LEDs—The Cisco ASA 5505 has a speed indicator LED and a separate link activity indicator LED for each of its eight ports. When the speed indicator LED is not lit, network traffic is flowing at 10 megabits per second (Mbps); when it is green, traffic is flowing at 100 Mbps. When the link activity LED is solid green, the physical network link has been established; when it is flashing, there is network activity.

3. Power LED—Solid green indicates that the appliance is powered on.

4. Status LED—Flashing green indicates that the system is booting and power-up tests are running. Solid green indicates that the system tests passed and the system is operational. Solid amber indicates that the system tests failed.

5. Active LED—Green indicates that this Cisco ASA is the active unit when configured for failover.

6. VPN LED—Solid green indicates that one or more VPN tunnels are active.

7. Security Services Card (SSC) LED—Solid green indicates that an SSC card is present in the SSC slot. Reserved for future use.

The Cisco ASA 5505 features a flexible 8-port 10/100 Fast Ethernet switch, whose ports can be dynamically grouped to create up to three separate VLANs for home, business, and Internet traffic for improved network segmentation and security. The Cisco ASA 5505 provides two Power over Ethernet (PoE) ports, enabling simplified deployment of Cisco IP phones with zero-touch secure voice over IP (VoIP) capabilities, and deployment of external wireless access points for extended network mobility. Figure 2-2 illustrates the back panel of the ASA 5505.

Figure 2-2 Cisco ASA 5505 Back Panel

image

The rear panel has the following components:

1. Power connector.

2. SSC slot—Reserved for future use.

3. Serial console port—The RJ-45 console port enables you to physically connect to the appliance to access its command-line interface (CLI) for initial configuration.

4. Lock device—Used to physically lock the Cisco ASA.

5. Reset button—Reserved for future use.

6. Two USB version 2.0 ports—Reserved for future use.

7. Ethernet switch ports 0 through 5—10/100 Fast Ethernet switch ports.

8. Ethernet switch ports 6 and 7—10/100 Fast Ethernet switch ports with Power over Ethernet (PoE).

You can install a Security Plus upgrade license, enabling the Cisco ASA 5505 to scale to support a higher connection capacity and a higher number of IPsec VPN users, add full DMZ support, and integrate into switched network environments through VLAN trunking support. Furthermore, this upgrade license maximizes business continuity by enabling support for redundant ISP connections and stateless Active/Standby high-availability services. This makes the Cisco ASA 5505 a great solution for small businesses and branch offices. Figure 2-3 illustrates how a Cisco ASA 5505 is deployed at a small branch office.

Figure 2-3 Cisco ASA 5505 Small Branch Office Deployment

image

In the example illustrated in Figure 2-3, several workstations, a network printer, and IP phones are protected by the Cisco ASA 5505. The IP phones are connected to the Fast Ethernet switch ports 6 and 7 (which provide power to the phones).

Figure 2-4 shows how a Cisco ASA 5505 is deployed at a small business with two different protected network segments.

Figure 2-4 Cisco ASA 5505 Small Business Deployment with Separate Protected Networks

image

The inside network (VLAN 10) has several workstations, the DMZ (VLAN 20) has two web servers, and the outside interface faces the Internet.

Note

Configuration information on how to control network access and create different interfaces with separate security levels is covered in Chapter 4, “Controlling Network Access.”

Figure 2-5 shows how a Cisco ASA 5505 can be used by telecommuters and home users to connect to a centralized location via VPN.

Figure 2-5 Cisco ASA 5505 for Telecommuters

image

In Figure 2-5, telecommuters are protected by a Cisco ASA 5505 on each respective location. The Cisco ASA 5505s connect to the Corporate Headquarters via IPsec VPN tunnels.

Note

Configuration and troubleshooting of remote access VPN tunnels is covered in Chapter 17, “IPSec Remote Access VPNs.”

Cisco ASA 5510 Model

The Cisco ASA 5510 model is designed to deliver advanced security services for small- and medium-sized businesses and enterprise branch offices. This model provides advanced firewall and VPN capabilities and has optional Anti-X (Adaptive Threat Defense) and IPS services that use the Cisco AIP-SSM-10 module.

Figure 2-6 shows a front view of the Cisco ASA 5510 model.

Figure 2-6 Cisco ASA 5510 Front View

image

The front panel has the following five LEDs:

1. Power—Solid green indicates that the appliance is powered on.

2. Status—Flashing green indicates that the system is booting and power-up tests are running. Solid green indicates that the system tests passed and the system is operational. Solid amber indicates that the system tests failed.

3. Active—Green indicates that this Cisco ASA is the active unit when configured for failover.

4. VPN—Solid green indicates that one or more VPN tunnels are active.

5. Flash—Flashing green indicates that the Flash memory card is being accessed.

The Cisco ASA 5510, 5520, 5540, and 5550 offer a one-rack unit (1RU) design. They also have an expansion slot for security-services modules. Figure 2-7 shows a back view of the Cisco ASA 5510 model.

Figure 2-7 Cisco ASA 5510 Back View

image

The Power, Status, Active, VPN, and Flash LEDs are also present on the back of the Cisco ASA 5510. The Cisco ASA 5510 includes five integrated 10/100 Fast Ethernet network interfaces: four data ports (Ethernet 0/0 through 0/3) and one Management port. Three of the four data ports (0/0 to 0/2) are enabled by default, and the Management port was originally restricted to out-of-band (OOB) management traffic. Starting with Cisco ASA software versions 7.2(2) and 8.0(3) (in the 7.2 and 8.0 trains, respectively), this restriction on the OOB port is removed, so all five Fast Ethernet interfaces can carry through traffic and have security services applied.

Note

The OOB Ethernet port restriction was removed in versions 7.2(2) and 8.0(3); however, it is highly recommended that you use this port solely for OOB management, so that the management plane stays separated from the traffic the appliance is protecting.
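As an added illustration (not from the book), the following Python snippet audits an ASA running configuration for exactly this recommendation: every Management interface that is not shut down should carry the management-only interface subcommand, which keeps the appliance from forwarding through-traffic on it, and the helper adds the command where it is missing. The configuration text is a constructed sample, not a capture from a real device.

```python
from typing import Dict, List

# Constructed running-config fragment for an ASA 5510 (not taken from the
# book or a real device). Management0/0 is up and addressed but lacks
# `management-only`, which is what the check below should flag.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None              # '!' or any other top-level line
    return stanzas


def check_management_only(config: str) -> List[str]:
    """Report Management interfaces that are up but not management-only."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith("Management"):
            continue
        if "shutdown" in cmds:
            continue                    # an unused port cannot pass traffic
        if "management-only" not in cmds:
            findings.append(f"{name}: no 'management-only'; it can forward through-traffic")
    return findings


def add_management_only(config: str) -> str:
    """Return the config with 'management-only' added to every active
    Management interface stanza that lacks it; all other text is unchanged."""
    out: List[str] = []
    current = None
    needs_fix = False
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            needs_fix = current.startswith("Management")
        elif line.startswith(" "):
            if line.strip() in ("management-only", "shutdown"):
                needs_fix = False
        elif current is not None:
            # stanza ended; patch it before emitting the terminator ('!')
            if needs_fix:
                out.append(" management-only")
            current, needs_fix = None, False
        out.append(line)
    if needs_fix:                       # config ended inside a stanza
        out.append(" management-only")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_management_only(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(add_management_only(SAMPLE_CONFIG))
```

The check deliberately ignores shut-down Management interfaces and treats any other interface named Management as in scope, so it applies unchanged to the 5580's Management 0/0 and 0/1 ports described later in this chapter.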

Each Fast Ethernet port has an activity LED and a link LED:

• The activity LED shows that data is passing on the network to which the port is attached.

• The link LED shows that the port is operational.

The Cisco ASA 5510 Security Plus license enables Cisco ASA 5510 to provide VLAN support on switched networks (up to 100 VLANs). The Security Plus upgrade license also upgrades two of the interfaces to Gigabit Ethernet, allows up to five virtual firewalls, and provides a greater number of concurrent virtual private network (VPN) connections for remote users and site-to-site connections.

Similar to the Cisco PIX firewalls, the Cisco ASA requires a unique license key (activation key) to enable certain features. This key is a 40-digit hexadecimal number represented as five 8-digit hexadecimal tuples. An administrator enters the key with the activation-key command.

The output of the show version command includes information about the license installed on the Cisco ASA. The following is an example of the output:

image

image

The highlighted lines show the features enabled by the license installed on this Cisco ASA.

Alternatively, you can use the show activation-key command, as shown in the following example:

image

Note

Information on how to install the activation key and other system maintenance guidance is covered in Chapter 3, “Initial Setup and System Maintenance.”
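The following Python example is added here and is not part of the book. It parses a constructed sample of the license section of show version, checks that the running activation key really is five 8-digit hexadecimal tuples before it is reused anywhere (for example, re-entered with activation-key on a replacement unit), and flags license facts that matter operationally, such as only the two default SSL VPN seats being licensed. The sample text mirrors the layout of real output, but its serial number, activation key, and counts are made up.

```python
import re
from typing import Dict, List

# Constructed sample of the license-related part of `show version` on an
# ASA 5520; the layout follows the real 8.0-era output, but the serial
# number, activation key and counts are invented for this example.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 150
Inside Hosts                : Unlimited
Failover                    : Active/Active
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 2
GTP/GPRS                    : Disabled
VPN Peers                   : 750
WebVPN Peers                : 2
AnyConnect for Mobile       : Disabled
Advanced Endpoint Assessment : Disabled

This platform has an ASA 5520 VPN Plus license.

Serial Number: JMX1234L0AB
Running Activation Key: 0x12345678 0x9abcdef0 0x0fedcba9 0x87654321 0xdeadbeef
Configuration register is 0x1
"""

KEY_LINE = re.compile(r"^Running Activation Key:\s*(.*)$", re.MULTILINE)
KEY_TUPLE = re.compile(r"^0x([0-9a-fA-F]{8})$")


def parse_activation_key(show_version: str) -> str:
    """Return the running activation key as 40 lowercase hex digits.

    The key is printed as five 32-bit tuples (0x........). Anything else
    (wrong tuple count, short tuple, non-hex characters) is rejected so a
    mangled key is caught before someone pastes it into `activation-key`.
    """
    match = KEY_LINE.search(show_version)
    if match is None:
        raise ValueError("no 'Running Activation Key' line found")
    tuples = match.group(1).split()
    if len(tuples) != 5:
        raise ValueError(f"expected 5 tuples, found {len(tuples)}")
    digits = []
    for tup in tuples:
        tm = KEY_TUPLE.match(tup)
        if tm is None:
            raise ValueError(f"malformed tuple {tup!r}")
        digits.append(tm.group(1).lower())
    return "".join(digits)              # 5 * 8 = 40 hex digits


def parse_licensed_features(show_version: str) -> Dict[str, str]:
    """Collect the 'Licensed features for this platform' block into a dict."""
    features: Dict[str, str] = {}
    in_block = False
    for line in show_version.splitlines():
        if line.startswith("Licensed features for this platform"):
            in_block = True
            continue
        if not in_block:
            continue
        if not line.strip():            # blank line ends the block
            break
        name, sep, value = line.partition(":")
        if sep:
            features[name.strip()] = value.strip()
    return features


def audit_license(features: Dict[str, str]) -> List[str]:
    """Flag license facts that change what the appliance can be relied on for."""
    findings: List[str] = []
    if features.get("VPN-3DES-AES") != "Enabled":
        findings.append("VPN-3DES-AES not licensed: only DES is available for VPN crypto")
    webvpn = features.get("WebVPN Peers", "0")
    if webvpn.isdigit() and int(webvpn) <= 2:
        findings.append(
            f"WebVPN Peers = {webvpn}: only the default evaluation/management "
            "SSL VPN seats, no production SSL VPN license"
        )
    if features.get("Failover", "Disabled") == "Disabled":
        findings.append("Failover not licensed: no high availability")
    return findings


if __name__ == "__main__":
    print("activation key:", parse_activation_key(SAMPLE_SHOW_VERSION))
    feats = parse_licensed_features(SAMPLE_SHOW_VERSION)
    print("licensed features:", feats)
    for finding in audit_license(feats):
        print("FINDING:", finding)
```

Feed it the saved output of show version from each appliance and the audit tells you, before a deployment depends on it, whether the unit actually holds the SSL VPN, strong-crypto, or failover entitlement that the design assumes.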

The RJ-45 console port enables you to physically connect to the appliance to access its command-line interface (CLI) for initial configuration. The AUX (auxiliary) port enables you to connect an external modem for OOB management. The Flash card slot enables you to use an external Flash card to save system images and configuration files.

Two USB ports in the back of all Cisco ASA models are designed for future features. The Reset button is reserved for future use.

Table 2-1 lists the capabilities of the Cisco ASA 5510 appliance, as well as performance and connection limit numbers.

Table 2-1 Cisco ASA 5510 Model Capabilities

image

Note

Performance numbers vary depending on the packet size and other applications running on the appliance. For more detailed information, go to http://www.cisco.com/go/asa.

Cisco ASA 5520 Model

The Cisco ASA 5520 provides security services for medium-sized enterprises. The Cisco ASA 5520 and 5540 models are similar to the Cisco ASA 5510 model: all three are 1RU, and the external chassis layouts are similar except for the interfaces. Instead of Fast Ethernet, the Cisco ASA 5520 has four Gigabit Ethernet (10/100/1000) copper-based RJ-45 ports. It also includes a Fast Ethernet port for OOB management.

Figure 2-8 illustrates the front view of the Cisco ASA 5520 model.

Figure 2-8 Cisco ASA 5520 Front View

image

The front panel of the Cisco ASA 5520 has the same five LEDs that are present in the Cisco ASA 5510.

The back view of ASA 5520 is identical to that of ASA 5510, except that the Cisco ASA 5520 has four Gigabit Ethernet (10/100/1000) ports, whereas the Cisco ASA 5510 has four Fast Ethernet ports.

With the installation of a VPN Plus upgrade license, Cisco ASA 5520 can terminate up to 750 IPsec or WebVPN tunnels. Beginning with Cisco ASA software version 7.1, SSL VPN (Web VPN) capability requires a license. The Cisco ASA supports 2 SSL VPN connections by default for evaluation and remote management purposes.

Table 2-2 lists the capabilities of the Cisco ASA 5520 appliance and its performance and connection limit numbers.

Table 2-2 Cisco ASA 5520 Model Capabilities

image

Note

Performance numbers vary depending on the packet size and other applications running on the appliance.

For more information about licensing, go to http://www.cisco.com/go/asa.

Cisco ASA 5540 Model

The Cisco ASA 5540 appliances provide security services to medium-sized enterprises. The Cisco ASA 5540 model supports a higher number of security contexts (50), providing more flexibility and compartmentalized control of security policies. It also supports up to 10 appliances in a VPN cluster, for a maximum of 50,000 IPsec VPN peers per cluster (25,000 for WebVPN).

Cisco ASA 5540 is also a 1RU device. The external front and back layouts of the Cisco ASA 5540 appliance are identical to those of the Cisco ASA 5510 and 5520 appliances. Table 2-3 lists the capabilities of the Cisco ASA 5540 appliance and its performance and connection limit numbers.

Table 2-3 Cisco ASA 5540 Model Capabilities

image

Beginning with Cisco ASA software version 7.1, SSL VPN (Web VPN) capability requires a license. The Cisco ASA supports 2 SSL VPN connections by default for evaluation and remote management purposes.

Cisco ASA 5550 Model

The Cisco ASA 5550 appliances provide high-availability security services for large enterprise and service-provider networks in a 1RU form factor. This model provides Gigabit Ethernet connectivity on both copper and fiber interfaces.

The external front layout of the Cisco ASA 5550 appliance is identical to that of the Cisco ASA 5510, 5520, and 5540 appliances. The Cisco ASA 5550 appliances have two internal buses providing copper Gigabit Ethernet and fiber Gigabit Ethernet connectivity:

• Slot 0 corresponds to Bus 0 and has four embedded copper Gigabit Ethernet ports.

• Slot 1 corresponds to Bus 1 and has four embedded copper Gigabit Ethernet ports and four embedded Small Form-Factor Pluggable (SFP) interfaces that support fiber Gigabit Ethernet connectivity.

Tip

To maximize traffic throughput, configure the Cisco ASA 5550 so that traffic is distributed equally between the two buses in the device. In other words, configure and lay out the network interfaces so that all traffic connections flow through both Bus 0 (Slot 0) and Bus 1 (Slot 1), entering through one bus and exiting through the other.

Figure 2-9 illustrates the rear view of the Cisco ASA 5550.

Figure 2-9 Cisco ASA 5550 Rear View

image

Slot 1 has four copper Ethernet ports and four fiber Ethernet ports; however, you can use only four Slot 1 ports at a time. For instance, you could use two Slot 1 copper ports and two fiber ports, but you cannot use fiber ports if you are already using all four Slot 1 copper ports.

Table 2-4 lists the capabilities of the Cisco ASA 5550 and its performance and connection limit numbers.

Table 2-4 Cisco ASA 5550 Model Capabilities

image

Beginning with Cisco ASA software version 7.1, SSL VPN (Web VPN) capability requires a license. The Cisco ASA supports two SSL VPN connections by default for evaluation and remote management purposes.

Cisco ASA 5580-20 and 5580-40 Models

The Cisco ASA 5580 series adaptive security appliances are available in two models:

Cisco ASA 5580-20

Cisco ASA 5580-40

Because of their high performance, these models are typically deployed in the datacenters of large corporations or at the edge of very demanding networks. The Cisco ASA 5580 series adaptive security appliances introduce new capabilities such as highly scalable logging, system environmental monitoring, VPN remote access user limits, and 10-Gigabit Ethernet interfaces.

The ASA 5580-20 and the ASA 5580-40 support 50 security contexts, up to 100 VLAN interfaces (250 VLAN interfaces will be supported in a future release), and 1 Gbps of IPsec VPN 3DES performance. They support up to 24 Gigabit Ethernet data ports or up to 12 10-Gigabit Ethernet data ports, as well as two additional Gigabit Ethernet ports for management. Optional redundant, hot-swappable power supplies are available, as are hot-swappable cooling fans in case of a fan failure.

Cisco ASA 5580-20

The Cisco ASA 5580-20 can scale to up to 5 Gigabits per second of TCP traffic (UDP performance is even greater). It delivers greater than 90,000 TCP connections per second and supports up to 1 million connections.

Figure 2-10 illustrates the front view of the Cisco ASA 5580 series. Both the Cisco ASA 5580-20 and the 5580-40 have the same physical design.

Figure 2-10 Cisco ASA 5580 Front View

image

The following are the components illustrated in Figure 2-10:

1. Active LED—Indicates the active and standby failover status. When the system is active the LED is on. When the system is in standby status the LED is off.

2. System LED—Shows internal system health. Green indicates that the system is powered on under normal operation. Flashing amber indicates that the system health is degraded. Flashing red indicates that the system health is critical.

3. Power status LED—Shows power supply status. Green indicates that the power supply is on. Flashing amber indicates that the power supply health is degraded. Flashing red indicates that the power supply health is critical.

4. Management 0/0 interface LED—Green indicates that the interface is connected to the network. Flashing green indicates that there is network activity. The LED is off when there is no network connection.

5. Management 0/1 interface LED—Green indicates that the interface is connected to the network. Flashing green indicates that there is network activity. The LED is off when there is no network connection.

6. Power switch and indicator—Turns power on and off. Amber means that the system has power and is in standby mode. Green indicates that the system has power and is turned on.

Figure 2-11 illustrates the back view of the Cisco ASA 5580 series security appliances.

Figure 2-11 Cisco ASA 5580 Back View

image

Table 2-5 lists the capabilities of the Cisco ASA 5580-20 and its performance and connection limit numbers.

Table 2-5 Cisco ASA 5580-20 Model Capabilities

image

Note

Performance numbers vary depending on the packet size and other applications running on the appliance. For more detailed information go to www.cisco.com/go/asa.

Cisco ASA 5580-40

The Cisco ASA 5580-40 can scale to up to 10 Gigabits per second of TCP traffic and, as with the ASA 5580-20, UDP performance is even greater. Additionally, it can process up to 150,000 TCP connections per second and up to 2 million concurrent connections in total.

Note

The Cisco ASA 5580-20 and the 5580-40 have the same physical design.

Table 2-6 lists the capabilities of the Cisco ASA 5580-40 and its performance and connection limit numbers.

Table 2-6 Cisco ASA 5580-40 Model Capabilities

image

Cisco ASA AIP-SSM Module

The following are the three Adaptive Inspection and Prevention Security Services Module (AIP-SSM) models, which provide support for IPS services delivered by Cisco IPS software:

AIP-SSM-10—Supported only on the Cisco ASA 5510 and 5520 appliances.

AIP-SSM-20—Supported only on the Cisco ASA 5510, 5520, and 5540 appliances.

AIP-SSM-40—Supported only on the Cisco ASA 5520 and 5540 appliances.

Note

The Cisco ASA 5550 and 5580 series do not support the AIP-SSM modules.

All the Cisco AIP-SSM modules have the same physical characteristics. Figure 2-12 shows the Cisco AIP-SSM-20 module.

Figure 2-12 Cisco ASA AIP-SSM-20

image

Cisco ASA AIP-SSM-10

The Cisco ASA AIP-SSM-10 concurrent threat mitigation throughput can scale to up to 150 Mbps with the Cisco ASA 5510 and up to 225 Mbps with the Cisco ASA 5520. It comes with 1 gigabyte (GB) of random access memory (RAM) and 256 megabytes (MB) of flash memory.

Cisco ASA AIP-SSM-20

The Cisco ASA AIP-SSM-20 concurrent threat mitigation throughput can scale to up to 300 Mbps with the Cisco ASA 5510, up to 375 Mbps with the Cisco ASA 5520, and up to 500 Mbps with the Cisco ASA 5540. It comes with 2 GB of RAM and 256 MB of flash memory.

Cisco ASA AIP-SSM-40

The Cisco ASA AIP-SSM-40 concurrent threat mitigation throughput can scale to up to 450 Mbps with the Cisco ASA 5520 and up to 650 Mbps with the Cisco ASA 5540. It comes with 4 GB of RAM and 2 GB of flash memory.

Note

Configuration and troubleshooting of the Cisco ASA AIP-SSM modules is covered in Chapter 12, “Configuring and Troubleshooting Intrusion Prevention System (IPS).”

Cisco ASA Gigabit Ethernet Modules

There are several Gigabit Ethernet expansion modules for the Cisco ASA appliances. The Cisco ASA 5510, 5520, 5540, and 5550 support the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE-SSM).

Note

The Cisco ASA 5550 is already equipped with this module.

The Cisco ASA 5580-20 and 5580-40 support the following modules:

• 4-Port Gigabit Ethernet Copper PCI Express Card

• 2-Port 10 Gigabit Ethernet Fiber PCI Express Card

• 4-Port Gigabit Ethernet Fiber PCI Express Card

Cisco ASA 4GE-SSM

The Cisco ASA 4GE-SSM has four 10/100/1000 RJ-45 ports and four Small Form-Factor Pluggable (SFP) ports to support both copper and optical connections. For each of its four logical ports you can choose either the copper or the fiber connector, providing flexibility for data center, campus, or enterprise edge connectivity (with a maximum of four ports in service concurrently). It expands the Cisco ASA 5510 with a Security Plus license to three Fast Ethernet and six Gigabit Ethernet ports. Similarly, it expands the Cisco ASA 5520 and 5540 appliances to eight Gigabit Ethernet ports and one Fast Ethernet management port. Figure 2-13 illustrates the Cisco ASA 4GE-SSM.

Figure 2-13 Cisco ASA 4GE-SSM

image

Cisco ASA 5580 Expansion Cards

The Cisco ASA 5580 4-Port Gigabit Ethernet Copper PCI Express card provides four 10/100/1000BASE-T interfaces, which allow up to 24 total Gigabit Ethernet interfaces in a fully populated chassis. Figure 2-14 shows the 4-Port Gigabit Ethernet Copper PCI Express Card.

Figure 2-14 4-Port Gigabit Ethernet Copper PCI Express Card

image

The Cisco ASA 5580 4-Port Gigabit Ethernet Fiber PCI Express card provides four 1000BASE-SX (fiber) interfaces, expanding to up to 24 total Gigabit Ethernet fiber interfaces in a fully populated chassis.

Note

The 4-Port Gigabit Ethernet Fiber PCI Express card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the chassis.

Figure 2-15 shows the 4-Port Gigabit Ethernet Fiber PCI Express card.

Figure 2-15 4-Port Gigabit Ethernet Fiber PCI Express Card

image

The Cisco ASA 5580 2-Port 10-Gigabit Ethernet Fiber PCI Express card provides two 10GBASE-SR (fiber) interfaces, expanding to up to 12 total 10-Gigabit Ethernet fiber interfaces in a fully populated chassis.

Note

The 2-Port 10-Gigabit Ethernet Fiber PCI Express card ports require a multi-mode fiber cable with an LC connector to connect to the SR interface of the card.

Figure 2-16 shows the 2-Port 10-Gigabit Ethernet Fiber PCI Express card.

Figure 2-16 2-Port 10-Gigabit Ethernet Fiber PCI Express Card

image

Cisco ASA CSC-SSM Module

The Cisco ASA CSC-SSM module provides an all-in-one content management solution for detection and stoppage of viruses, worms, Trojans, and other threats in SMTP, POP3, HTTP, and FTP network traffic. It runs Trend Micro InterScan software.

Note

The Cisco ASA CSC-SSM cannot scan traffic using the HTTPS protocol because this traffic is encrypted.

Additionally, the Cisco ASA CSC-SSM can block compressed or very large files that exceed specified parameters. There are two licenses for this module: the Base license and the Plus license. If you have purchased the Plus level of the CSC-SSM license, in addition to the previously mentioned features you can also do the following:

• Decrease the amount of spam in your email traffic.

• Protect against phishing fraud.

• Set up content filters to allow or prohibit email traffic containing key words or phrases.

• Block URLs according to predefined filters that you allow or disallow, such as adult or mature content, games, chat or instant messaging, gambling sites, or URLs that are known to have hidden or malicious purposes.

The Cisco ASA CSC-SSM provides virus protection, spyware blocking, spam detection, and content filtering in a single, easy-to-maintain solution.

The Cisco ASA CSC-SSM is available in two models:

Cisco ASA CSC-SSM-10—Supported on the Cisco ASA 5510, 5520, and 5540.

Cisco ASA CSC-SSM-20—Supported on the Cisco ASA 5510, 5520, and 5540.

Note

The main difference between the CSC-SSM-10 and CSC-SSM-20 is the amount of RAM memory and the processor speed.

The Cisco ASA CSC-SSM modules have the same physical characteristics as the Cisco ASA AIP-SSM modules (as previously illustrated in Figure 2-12).

Note

Configuration and troubleshooting of the Cisco ASA CSC-SSM modules is covered in Chapter 12.

Summary

This chapter provided a hardware overview of all Cisco ASA 5500 Series appliances and additional modules. It provided information about the broad range of firewall, VPN, application inspection, IPS, and Anti-X services they offer to small, medium, and large enterprises. In-depth technical information for each feature and capability is provided in subsequent chapters.
