
Thursday, December 3, 2009

Cisco ASA 5505 licensing caveats

While the Cisco ASA firewall appliance is a nice piece of work, it is a bit like a British sports car: great when it's working and not so great when it's not. In addition to the usual code-based caveats to watch out for, there are a few licensing issues to be aware of on the ASA 5505. The output of the "show version" command will quickly display the limitations of your ASA. Here is the Base license feature set:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10       
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 10       
WebVPN Peers                : 2        
Dual ISPs                   : Disabled 
VLAN Trunk Ports            : 0        

This platform has a Base license.

Here is an example of the Security Plus License feature set:

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25       
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.

A brief explanation of the two limiting items in the Base license output (Inside Hosts: 10 and VLANs: 3, DMZ Restricted):
  1. Only 10 hosts from the DMZ and LAN combined may communicate with the Outside interface at any one time.
  2. Only 2 fully-functional VLANs (usually inside and outside) are permitted. The 3rd VLAN, typically a DMZ, can only be activated with the "no forward interface vlan n" command, which prevents it from initiating connections to one of the other VLANs, usually the inside:



    interface Vlan3
     description DMZ
     no forward interface Vlan1
     nameif dmz
     security-level 50
     ip address


Fortunately, it still permits replies to connections initiated from the inside to the DMZ. ***Use caution here and think it through*** This means that:
    • You cannot host your DNS server (frequently also your Windows Domain Controller) on your inside VLAN, because DMZ hosts cannot initiate queries to it.
    • Your backup strategy may fail. If your backup server is on the inside VLAN, DMZ hosts won't be able to SSH (and by extension SCP, rsync, etc.) to it. You can still SSH from the inside to the DMZ, of course...
    • An SMTP server on the DMZ cannot initiate LDAP queries (or other methods of recipient verification) to an inside host.
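To make those questions concrete before buying, here is an added example (not from the original post) that parses the "Licensed features" block of "show version" and reports which design requirements a given license cannot meet. The function names, requirement parameters and the trimmed sample outputs are my own; the sample values are the ones quoted above.

```python
import re

# Trimmed "show version" excerpts (constructed samples based on the values quoted above).
BASE_SHOW_VER = """\
Licensed features for this platform:
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN Peers                   : 10
Dual ISPs                   : Disabled
"""
SECPLUS_SHOW_VER = """\
Licensed features for this platform:
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN Peers                   : 25
Dual ISPs                   : Enabled
"""

def parse_licensed_features(show_ver):
    """Map every 'Feature : Value' line of the licensed-features block to a dict."""
    feats = {}
    for line in show_ver.splitlines():
        m = re.match(r"^([A-Za-z0-9 /-]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats

def license_gaps(feats, inside_hosts, dmz_initiates_to_inside, vlans, failover=False):
    """Return the design requirements this license cannot satisfy (empty list = OK)."""
    gaps = []
    hosts = feats["Inside Hosts"]
    if hosts != "Unlimited" and inside_hosts > int(hosts):
        gaps.append(f"needs {inside_hosts} inside hosts, license allows {hosts}")
    count, dmz = re.match(r"(\d+),\s*DMZ (\w+)", feats["VLANs"]).groups()
    if vlans > int(count):
        gaps.append(f"needs {vlans} VLANs, license allows {count}")
    if dmz == "Restricted" and dmz_initiates_to_inside:
        # Base license: the 3rd VLAN only comes up with 'no forward interface',
        # so DMZ hosts can never open connections toward the inside VLAN.
        gaps.append("DMZ Restricted: DMZ hosts cannot initiate connections to the inside")
    if failover and feats["Failover"] == "Disabled":
        gaps.append("failover required but Disabled in license")
    return gaps

if __name__ == "__main__":
    for name, text in (("Base", BASE_SHOW_VER), ("Security Plus", SECPLUS_SHOW_VER)):
        gaps = license_gaps(parse_licensed_features(text), 25, True, 3, failover=True)
        print(name, "->", gaps or "meets requirements")
```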


It would appear that only the 5505 (i.e. not the 5510, nor the 5520, etc.) has this DMZ limitation. See Cisco's Comparison Chart for more details. So before you think you've just gotten a great deal on a refurbished firewall from Brian at Network Liquidators (hint hint), make sure you've asked yourself, and your vendor, the right questions.