Cisco ASA 5500-X Series Next-Generation Firewalls

Cisco ASA 5500-X Series Next-Generation Firewalls (Updated) FAQ

Q. What are the Cisco® ASA 5500-X Series Next-Generation Firewalls?
A. The Cisco ASA 5500-X Series combines the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services. Together, they provide comprehensive security without compromise. These firewalls deliver multiple security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1RU form factor. They deliver next-generation network security services through an array of integrated cloud- and software-based services such as Cisco Application Visibility and Control (AVC), Cisco Web Security Essentials (WSE), and Intrusion Prevention System (IPS). Cisco ASA 5500-X Series Next-Generation Firewalls are built on the same proven security platform as the rest of the Cisco ASA family of security appliances and have been designed to deliver superior performance for exceptional operational efficiency.
Q. What are Cisco ASA Next-Generation Firewall Services?
A. Cisco ASA Next-Generation Firewall Services add next-generation capabilities, including Cisco AVC, IPS on NGFW and Cisco WSE, to the industry’s most proven stateful inspection firewall. The result is end-to-end network intelligence and streamlined security operations, so organizations can reap the productivity benefits of new applications and devices without compromising security.
Cisco ASA Next-Generation Firewall Services provide:

  • End-to-end network intelligence
  • Precise application control
  • Proactive, intelligent threat protection
  • Control over which devices can access the network

For more information, please visit the Cisco ASA Next-Generation Firewall Services webpage.
Q. Why is Cisco introducing these products?
A. With the rise of Web 2.0 technologies and bring-your-own-device (BYOD) policies, and the demand for increased Internet connection bandwidth, businesses of all sizes are facing challenges to provide effective security while maintaining high levels of performance. The Cisco ASA 5500-X Series Next-Generation Firewalls address this need while enabling administrators to implement additional network security. These next-generation firewalls are designed to run multiple simultaneous services without sacrificing performance.
Q. What models are included in the Cisco ASA 5500-X Series?
A. Cisco is introducing five next-generation firewalls to the ASA 5500-X Series portfolio: the ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
Q. How do these appliances compare with the Cisco ASA 5510 through 5550 appliances?
A. The biggest difference between the new ASA 5500-X Series and the previous hardware is that the new models support Cisco ASA Next-Generation Firewall Services, whereas the existing ASA 5510 through 5550 appliances do not. Also, the Cisco ASA 5500-X Series provides four times the firewall throughput of the previous hardware, plus better scaling, more Ethernet ports (up to 14 Gigabit Ethernet ports), dedicated intrusion prevention system (IPS) acceleration hardware, and, for the 5545-X and 5555-X appliances, redundant power supplies. Moreover, network security services like intrusion prevention can now be enabled without requiring additional hardware modules, providing additional deployment flexibility.
Q. When will Cisco discontinue the currently available Cisco ASA 5510 through 5550?
A. The end-of-sale announcement for the Cisco ASA 5510, 5520, 5540, and 5550 platforms was published on March 18, 2013.
Q. How do I migrate from the existing Cisco ASA 5500 Series to the newer Cisco ASA 5500-X Series?
A. Migration is fast and easy. You can find more information on this in the Migration Guide.
Q. What are the available incentives and promotions for migration?
A. For information on incentives and promotions, please visit the internal Cisco ASA webpage. You will need an account to access these details.
Q. What are the benefits of the Cisco ASA 5500-X Series Next-Generation Firewalls?
A. The benefits of the Cisco ASA 5500-X Series Next-Generation Firewalls include:

  • Leading-edge, next-generation firewall with multigigabit throughput to help manage service-level agreements (SLAs) and prevent performance bottlenecks.

  • Broad and deep network security through an array of next-generation firewall services, including:

    - Cisco Application Visibility and Control (AVC), which recognizes more than 1000 applications and more than 150,000 microapplications, enabling administrators to enforce individual- and group-based access to specific components of an application while disabling others. Specific behaviors within allowed microapplications can also be controlled.

    - Cisco WSE, which enables reputation-based web application security policies. In addition, Cisco WSE enables robust content-based URL filtering with differentiated access policies based on user, group, device, and role.

    - IPS on NGFW, which provides critical threat protection from Internet-edge-related attacks on personal-use computing systems.

    - ASA IPS, the only solution that combines passive operating system fingerprinting and reputation for better threat mitigation.

    - Cisco Cloud Web Security (CWS), which provides exceptional threat protection and control for organizations of all sizes, delivered through the cloud.

    - Cisco ASA Botnet Traffic Filter, which monitors all ports and protocols for rogue activity and detects infected internal endpoints that are sending command-and-control traffic back to a host on the Internet.

    WSE, IPS on NGFW, and CWS use threat intelligence feeds from Cisco Security Intelligence Operations (SIO) for advanced web reputation analysis and near-real-time protection from zero-day threats. For more information on how SIO helps the Cisco IPS control threats in real-life production environments, visit: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps12156/white_paper_c11-715386.html.

  • Redundant power supplies (5545-X and 5555-X only) to support high availability.

These security services can be enabled quickly and easily, without requiring additional hardware modules, in response to changing needs. In addition, the Cisco Prime Security Manager can now be used to centrally manage core Cisco ASA-X features along with next-generation services such as Cisco AVC, Cisco Web Security, and IPS on NGFW on the ASA firewalls.

Q. What does the “-X” suffix in the product name indicate?
A. The “-X” suffix indicates the ability of the appliances to run next-generation security services, including Cisco AVC, IPS, and WSE.
Q. What is the new IPS Service?
A. IPS Service is the module that provides intrusion prevention within the Cisco ASA-X Next-Generation Firewalls. The firewalls have multiple security services operating within them. The IPS on NGFW uses the firewalls’ other services, such as application visibility, identity, and off-device reputation to make inspection and enforcement decisions.
Q. What is the technology overlap of the new Cisco 5500-X Series with the IPS on NGFW Service and the ASA IPS?
A. The IPS on the Cisco 5500-X Series Next-Generation Firewalls was created with some new technologies and with some technologies that were modified from the ASA IPS. Some inspection capabilities are very close to those in operation, while other structural considerations, such as updates, are new. Customer interaction is the most divergent attribute between the two offerings.
Q. What kinds of deployments were the Cisco 5500-X Series Next-Generation Firewalls with IPS designed for?
A. The new series and its security services (IPS on NGFW, AVC, and WSE) primarily provide protection for end users and the computing environments under their direct control, such as desktops, laptops, and personal communication devices. It is ideal for Internet edge deployments.
Q. How do the models in the Cisco ASA 5500-X Series compare?
A. Please refer to Table 1.

Table 1. Cisco ASA 5512-X through ASA 5555-X

| | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
| --- | --- | --- | --- | --- | --- |
| Stateful inspection throughput (maximum)¹ | 1 Gbps | 1.2 Gbps | 2 Gbps | 3 Gbps | 4 Gbps |
| Stateful inspection throughput (multiprotocol)² | 500 Mbps | 600 Mbps | 1 Gbps | 1.5 Gbps | 2 Gbps |
| IPS throughput³ | 250 Mbps | 400 Mbps | 600 Mbps | 900 Mbps | 1.3 Gbps |
| Next-Generation firewall throughput⁴ (multiprotocol) | 200 Mbps | 350 Mbps | 650 Mbps | 1 Gbps | 1.4 Gbps |
| Next-Generation firewall throughput with IPS | 66 Mbps | 90 Mbps | 300 Mbps | 450 Mbps | 600 Mbps |
| Connections per second | 9,000 | 10,000 | 20,000 | 30,000 | 50,000 |
| Concurrent connections | 100,000 | 250,000 | 500,000 | 750,000 | 1,000,000 |
| 3DES/AES VPN throughput (maximum) | 200 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps |
| Integrated GE copper I/O ports | 6 | 6 | 8 | 8 | 8 |
| Expansion I/O | 6 GE copper or 6 GE SFP | 6 GE copper or 6 GE SFP | 8-port 10/100/1000 | 8-port 10/100/1000 | 8-port 10/100/1000 |
| VLANs | 50 | 100 | 200 | 300 | 500 |
| Security contexts (included/maximum) | 0/0 | 2/5 | 2/20 | 2/50 | 2/100 |
| ASA OS | 64-bit | 64-bit | 64-bit | 64-bit | 64-bit |

¹ Maximum throughput with UDP traffic measured under ideal test conditions.
² Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
³ Throughput was measured on Cisco ASA CX Context-Aware Software Release 9.1.1 with multiprotocol traffic profile with both AVC and WSE. Traffic logging was enabled as well. Also, these services require an external SSD.
⁴ Firewall traffic that does not go through the IPS SSP module can have higher throughput.
Q. Does running the ASA IPS require additional hardware modules?
A. No. The Cisco ASA 5500-X Series will run ASA IPS and an array of other next-generation firewall services as integrated cloud- and software-based security services, with no need for additional hardware modules.

Hardware

Q. What are the hardware specifications for the Cisco ASA 5500-X Series?
A. Table 2 highlights the specifications for each model in the Cisco ASA 5500-X Series.

Table 2. Hardware Specifications for Cisco ASA 5500-X Series Next-Generation Firewalls

| Interface Cards | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
| --- | --- | --- | --- | --- | --- |
| Form factor | 1RU, 19-in. rack-mountable | 1RU, 19-in. rack-mountable | 1RU, 19-in. rack-mountable | 1RU, 19-in. rack-mountable | 1RU, 19-in. rack-mountable |
| Rack-mounting options | Brackets included (slide rails optional) | Brackets included (slide rails optional) | Brackets included (slide rails optional) | Slide rails included | Slide rails included |
| Dimensions (H x W x D) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 15.6 in. (4.24 x 42.9 x 39.5 cm) | 1.67 x 16.7 x 19.1 in. (4.24 x 42.9 x 48.4 cm) | 1.67 x 16.7 x 19.1 in. (4.24 x 42.9 x 48.4 cm) |
| Weight | 13.39 lb (6.07 kg) | 13.39 lb (6.07 kg) | 14.92 lb (6.77 kg) | 16.82 lb (7.63 kg) with single power supply | 16.82 lb (7.63 kg) with single power supply |
| CPU | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class | Multicore, enterprise-class |
| Memory (RAM) | 4 GB | 8 GB | 8 GB | 12 GB | 16 GB |
| Flash | 4 GB | 8 GB | 8 GB | 8 GB | 8 GB |
| Integrated network ports (GE) | 6 | 6 | 8 | 8 | 8 |
| Dedicated management port (GE) | Yes | Yes | Yes | Yes | Yes |
| Expansion I/O slot | 1 | 1 | 1 | 1 | 1 |
| Maximum network ports | 12 | 12 | 14 | 14 | 14 |
| Interface card options | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP |
| USB 2.0 ports | 2 | 2 | 2 | 2 | 2 |
| Serial console | 1 | 1 | 1 | 1 | 1 |
| Power supply | AC/DC | AC/DC | AC/DC | AC/DC | AC/DC |
| Redundant power | No | No | No | Yes | Yes |
| Power supply | 400W | 400W | 400W | 450W | 450W |
| SSD (Solid State Drive)⁵ | 1 slot, 120 GB MLC SED SSD | 1 slot, 120 GB MLC SED SSD | 1 slot, 120 GB MLC SED SSD | 2 slot, RAID 1, 120 GB MLC SED SSD | 2 slot, RAID 1, 120 GB MLC SED SSD |

⁵ An external SSD is required to run Cisco AVC and WSE.
Q. Is a DC power supply supported on the Cisco ASA 5500-X Series?
A. Yes. A DC power supply option is available on the Cisco ASA 5500-X Series.
Q. Is a redundant power supply configuration supported on the Cisco ASA 5500-X Series?
A. Yes, on certain models. A redundant power supply option is available on the ASA 5545-X and 5555-X.
Q. Is there an expansion slot on the Cisco ASA 5500-X Series? What is it used for?
A. Yes. There is one expansion slot on each appliance, which is used exclusively for I/O expansion modules.
Q. What I/O module options are available on the Cisco ASA 5500-X Series?
A. Table 3 lists the available options.

Table 3. I/O Module Options for Cisco ASA 5500-X Series Next-Generation Firewalls

| Part number | Description | Platforms Supported |
| --- | --- | --- |
| ASA-IC-6GE-CU-A | 6-port 10/100/1000 RJ-45 interface card | ASA 5512-X, ASA 5515-X |
| ASA-IC-6GE-SFP-A | 6-port GE SFP (SX, LH, LX) interface card | ASA 5512-X, ASA 5515-X |
| ASA-IC-6GE-CU-B | 6-port 10/100/1000 RJ-45 interface card | ASA 5525-X |
| ASA-IC-6GE-SFP-B | 6-port GE SFP (SX, LH, LX) interface card | ASA 5525-X |
| ASA-IC-6GE-CU-C | 6-port 10/100/1000 RJ-45 interface card | ASA 5545-X, ASA 5555-X |
| ASA-IC-6GE-SFP-C | 6-port GE SFP (SX, LH, LX) interface card | ASA 5545-X, ASA 5555-X |

Q. What do the “-A,” “-B,” and “-C” suffixes in the I/O part numbers indicate?
A. The suffixes indicate custom-built I/O modules (including different form factors) for the Cisco ASA 5500-X Series.
Q. What hardware firewall environments does ASA IPS operate on?
A. ASA IPS Service operates on all platforms supported by the Cisco ASA CX Context-Aware Next-Generation Firewalls. As of 2013 it operates on the following Cisco ASA models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X SSP-10, 5585-X SSP-20, 5585-X SSP-40, and 5585-X SSP-60.
Q. What small form-factor pluggable (SFP) transceiver/module options are supported on the Cisco ASA 5500-X Series?
A. The following transceivers are currently supported on the Cisco ASA 5500-X Series:

  • GLC-SX-MM (1000BASE-SX SFP transceiver module for MMF, 850-nm wavelength)
  • GLC-SX-MMD (1000BASE-SX SFP transceiver module for MMF, 850-nm wavelength, DOM)
  • GLC-LH-SM (1000BASE-LX/LH SFP transceiver module for MMF and SMF, 1300-nm wavelength)
  • GLC-LH-SMD (1000BASE-LX/LH SFP transceiver module for MMF and SMF, 1300-nm wavelength, DOM)

Q. Can I/O modules from other Cisco ASA appliances be used in the Cisco ASA 5500-X Series?
A. No. Only the I/O modules listed in Table 3 are supported on the Cisco ASA 5500-X Series.
Q. Does the Cisco ASA 5500-X Series support 10 Gigabit Ethernet interfaces?
A. No. At this time, 10 Gigabit Ethernet interface options are not available on the Cisco ASA 5500-X Series. There are no current or near-term plans to offer 10 GE interfaces on these appliances.
Q. Does the Cisco ASA 5500-X Series support field-upgradable memory?
A. No. The Cisco ASA 5500-X Series comes preinstalled with high memory configurations and does not support field-upgradable memory.
Q. What is the purpose of the solid state drive (SSD)?
A. The SSD is required in order to run the Cisco AVC and WSE next-generation firewall services on the Cisco ASA 5500-X Series. The SSD stores logs and any reports for traffic that is processed by these services, in addition to application signatures and a web security database that are part of these subscriptions.

Software

Q. What software is supported on the Cisco ASA 5500-X Series Next-Generation Firewalls?
A. The Cisco ASA 5500-X Series supports Cisco ASA Software Release 8.6.1 and later. Cisco CWS requires Cisco ASA Software Release 9.0.1 or later. The ASA IPS Service on the Cisco ASA 5500-X Series requires Cisco IPS Sensor Software Release 7.1.4 or later. Cisco AVC and WSE require Cisco ASA CX Context-Aware Software Release 9.1.1 (Cisco ASA Software Release must be 9.1.1).
Q. How do I download software for the Cisco ASA 5500-X Series?
A. The software can be downloaded from the Cisco Download Software page (registered customers only).
Q. What software features are available in Cisco ASA Software Release 9.1.1?
A. Cisco ASA Software Release 9.1.1 includes all features provided in Release 8.6.1, along with support for Cisco ASA Next-Generation Firewall Services.
Q. Does ASA Software Release 8.6.1 and later include 64-bit support?
A. Yes.
Q. Does Cisco IPS Sensor Software Release 7.1.4 and later include 64-bit support?
A. Yes.
Q. Does ASA CX Context-Aware Software Release 9.1.1 include 64-bit support?
A. Yes.
Q. What version of Cisco ASA CX Context-Aware Software do Next-Generation Firewalls with IPS operate on?
A. Cisco ASA CX Context-Aware Software Release 9.2 is the first version that supports IPS on Cisco ASA 5500-X Series Next-Generation Firewalls. This service is not supported on prior versions of the Cisco ASA CX Context-Aware Software.

Remote Access

Q. We have a Cisco ASA 5550 Series appliance today. Can we add a Cisco ASA 5555-X Series Next-Generation Firewall for load balancing?
A. Yes. However, Cisco recommends that you add an appliance of a similar size to the one you have today. If you add a smaller or larger appliance, you can load-balance to the capacity of the smaller one.
Q. Can we add the Cisco ASA 5545-X to our existing shared licensing pool?
A. Yes. The Cisco ASA 5545-X can be used either as a shared license server or as a participant in an existing ASA pool.
Q. Does the Cisco ASA 5525-X offer a separate hardware cryptographic module like some other offerings in the market?
A. No. Hardware cryptographic acceleration is already built into the Cisco ASA 5525-X, so there is no need for an optional hardware cryptographic module.
Q. Can the Cisco ASA 5545-X be used simultaneously as a firewall and a remote access appliance?
A. Yes. The Cisco ASA 5500-X Series has been designed to run multiple simultaneous services without sacrificing performance.

Management

Q. How do I manage Cisco ASA 5500-X Series Next-Generation Firewalls?
A. You have several options for managing the Cisco ASA 5500-X Series:

  • Cisco Security Manager 4.3, an off-device GUI management application for managing most of your physical network security infrastructure. The upgrade path from Cisco Security Manager 3.x to Cisco Security Manager 4.3 is mentioned here.
  • Command-line interface (CLI)
  • Cisco Adaptive Security Device Manager (ASDM), the Cisco ASA on-device management application
  • Cisco Prime Security Manager, the Cisco ASA-X Next-Generation Firewall management application for both on- and off-box deployments

For more information on Cisco ASDM, visit: http://www.cisco.com/go/asdm.
For more information on Cisco Security Manager, visit: http://www.cisco.com/en/US/products/ps6498/index.html.
For more information on Cisco Prime Security Manager, visit http://www.cisco.com/en/US/products/ps12635/index.html.
Q. What version of Cisco ASDM is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using Cisco ASDM Version 6.6.1 or later. Previous versions of ASDM are not supported.
Q. What version of Cisco Security Manager is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using Cisco Security Manager Version 4.3. Previous versions of Cisco Security Manager do not support the Cisco ASA 5500-X Series.
Q. How do I manage ASA IPS on the Cisco ASA 5500-X Series?
A. There are several options, depending on your specific configuration. Cisco Security Manager is an off-device GUI management solution that provides enterprise-class policy control and visibility for managing the entire feature set (including IPS) of the Cisco ASA 5500-X Series. Cisco IPS Manager Express is an off-device GUI management application that provides policy, configuration, reporting, and event management for fewer than 10 appliances running Cisco IPS. Cisco IPS Device Manager (IDM) is the on-device GUI management application for Cisco IPS.
For more information on Cisco IPS Manager Express, visit http://www.cisco.com/go/ime.
For more information on Cisco Security Manager, visit http://www.cisco.com/en/US/products/ps6498/index.html.
Q. How do I manage AVC, IPS and WSE on the Cisco ASA 5500-X Series?
A. AVC, IPS on NGFW, and WSE are managed using Cisco Prime Security Manager, which can be used in either an on-device or off-device mode.
Q. What version of Cisco IPS Manager Express is used to manage the Cisco ASA 5500-X Series?
A. The Cisco ASA 5500-X Series can be managed using Cisco IPS Manager Express Version 7.2.1. Previous versions of Cisco IPS Manager Express do not support these next-generation firewalls.

Ordering

Q. Is the Cisco ASA 5500-X Series currently orderable?
A. Yes. Use the Cisco Ordering Tool to place your order.
Q. Where can I get pricing information?
A. Check the current Cisco Product Price List (requires a Cisco.com username and password), or contact your Cisco account representative.
Q. How do I build and verify a Cisco ASA 5500-X Series configuration?
A. Use the dynamic configuration tool (DCT) and enter the respective part number(s).
Q. What product service and support options are available?
A. Please visit Cisco Service Finder for available support options.