
The Cisco ASA 5585-X Adaptive Security Appliance FAQ

Q.   What is the Cisco® ASA 5585-X?
A.    The Cisco ASA 5585-X Adaptive Security Appliance is the latest addition to the Cisco ASA 5500 Series.
Q.   What are the benefits of the Cisco ASA 5585-X?
A.    Designed for mission-critical data centers that require exceptional flexibility and security, the Cisco ASA 5585-X delivers superior performance that spans multiple platforms, technologies, and deployment scenarios. The ASA 5585-X supports the highest VPN session counts and twice as many connections per second as competitive firewalls to meet the growing needs of today’s most dynamic organizations - all in a compact 2-rack-unit footprint. Unlike most security providers that force you to choose between a high-quality firewall and an effective intrusion prevention system (IPS), Cisco combines the world’s most proven firewall with the industry’s most comprehensive IPS, making the ASA 5585-X a powerful, effective security solution.
Q.   How many slots does the Cisco ASA 5585-X have?
A.    The Cisco ASA 5585-X is a 2-slot chassis. The bottom slot holds the firewall/VPN Security Services Processor (SSP), and the top slot holds the IPS Security Services Processor (IPS SSP).
Q.   How many SSPs and IPS SSPs are there and how are they different?
A.    There are four different SSPs and four different IPS SSPs. The following table summarizes the different performance points delivered by the different SSPs with ASA software version 8.4 and IPS software version 7.1:

 

| Performance metric | ASA 5585-X with SSP-10 | ASA 5585-X with SSP-20 | ASA 5585-X with SSP-40 | ASA 5585-X with SSP-60 |
|---|---|---|---|---|
| Firewall throughput (max[1]) | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps |
| Firewall throughput (multi-protocol) | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps |
| Maximum connections per second | 50,000 | 125,000 | 200,000 | 350,000 |
| Maximum concurrent connections | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 |
| Maximum VPN throughput[2] | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps |
| Concurrent firewall and IPS throughput | 2 Gbps (with IPS SSP-10) | 3 Gbps (with IPS SSP-20) | 5 Gbps (with IPS SSP-40) | 10 Gbps (with IPS SSP-60) |

Q.   Is the firewall/VPN Security Services Processor required to run the IPS Security Services Processor?
A.    Yes. You must have the firewall/VPN Security Services Processor to run the IPS Security Services Processor.
Q.   Is a redundant power supply configuration supported on the ASA 5585-X?
A.    Yes, it is supported.
Q.   Is the SSP memory field upgradeable?
A.    No. Memory is not field upgradeable.
Q.   Can I run two firewall/VPN Security Services Processors in a single Cisco ASA 5585-X chassis?
A.    No. You can run only one firewall/VPN Security Services Processor in a single ASA 5585-X chassis at this time.
Q.   Can I run the firewall/VPN Security Services Processor in the top slot (slot-1) of the Cisco ASA 5585-X chassis?
A.    The firewall/VPN SSP needs to be present in the bottom slot (slot-0) of the Cisco ASA 5585-X chassis.
Q.   Can traffic ports located on the IPS SSP be used as additional firewall interfaces?
A.    Yes, all traffic ports on the IPS SSP are managed by the firewall SSP.
Q.   Which 1G SFP and 10G SFP+ optics does the Cisco ASA 5585-X support?
A.    The Cisco ASA 5585-X supports 1G SX optic modules and 10G SR SFP+ optic modules.
Q.   Does the ASA 5585-X chassis support mismatched firewall/VPN SSPs and IPS SSPs? Is the firewall/VPN SSP-20 with the IPS SSP-40 a supported configuration?
A.    No. Matched SSPs are the only supported configuration.
Q.   What happens if the IPS Security Services Processor fails?
A.    The firewall/VPN SSP can be configured to allow or deny uninspected traffic in case of an IPS SSP failure. The Cisco ASA 5585-X has support for inter-chassis failover for the firewall/VPN SSP and the IPS SSP.
Q.   What software versions does the Cisco ASA 5585-X currently support?
A.    The Cisco ASA 5585-X currently supports Cisco ASA Software Release 8.2.3 or higher, and Cisco IPS Sensor Software Release 7.1.
Q.   What type of ASA software image runs on the Cisco ASA 5585-X?
A.    All firewall/VPN SSPs run SMP (symmetric multi-processor) enabled ASA 8.2.3 or higher images.
Q.   How many virtual contexts and VLANs are supported on the Cisco ASA 5585-X?
A.    250 virtual contexts and 1024 VLANs are supported.
Q.   How do I manage the firewall/VPN running in a single Cisco ASA 5585-X chassis?
A.    The Cisco ASA 5585-X can be managed by either the embedded device manager, ASA Device Manager (ASDM) version 6.3.3, or the enterprise-class management application, Cisco Security Manager (CSM) version 4.0.1 or higher.
Q.   How is the Cisco ASA 5585-X IPS Security Services Processor managed?
A.    In addition to ASDM and CSM, the Cisco ASA 5585-X IPS SSP can also be managed via the IPS Device Manager (IDM) version 7.0.1(E4) or the Cisco IPS Manager Express (IME) version 7.1.1(E4).

 

 

 

 



[1] Maximum firewall throughput achieved under ideal test conditions.
[2] VPN throughput and session counts depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.