Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

Compare Models


With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.

Read more about the ASA 5505 and ASA 5500-X Series for small and branch offices.

Cisco ASA Model ASA 5505 / Security Plus ASA 5512-X / Security Plus ASA 5515-X
Stateful Inspection throughput (max1) Up to 150 Mbps 1 Gbps 1.2 Gbps
Stateful Inspection throughput (multiprotocol2) - 500 Mbps 600 Mbps
Next-Generation throughput3 (multiprotocol) - 200 Mbps 350 Mbps
ASA IPS Throughput4 Up to 75 Mbps with AIP SSC-5 250 Mbps
(Extra hardware module not required)
400 Mbps
(Extra hardware module not required)
Concurrent sessions 10,000 /25,000 100,000 250,000
Connections per second 4,000 10,000 15,000
Packets per second (64 byte) 85,000 450,000 500,000
3DES/AES VPN throughput5 100 Mbps 200 Mbps 250 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions 10/25 250 250
Cisco AnyConnect or Clientless VPN User Sessions6 (AnyConnect license required) 25 250 250
Cisco Cloud Web Security users 25 2,000 3,000
VLANs 3 (trunking disabled) / 20 (trunking enabled) 50 / 100 100
High-availability support7 Stateless Active/Standby Only* Active/Active* and Active/Standby* A/A and A/S
Integrated I/O 8-port FE with 2 Power over Ethernet (PoE) ports 6-port 10/100/1000 6-port 10/100/1000
Expansion I/O Not available 6-port 10/100/1000 or 6-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP)
Dual power supplies Not available Not available Not available
Power AC/DC AC/DC AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 Remote Access VPN Connectivity.
6 2 AnyConnect Premium User Licenses are included by default
7 A/A = Active/Active; A/S = Active/Standby
* Requires security plus license

Cisco ASA next-generation firewalls are available in a wide range of sizes and performance levels to fit your network and budget. They also combine stateful inspection and next-generation firewall capabilities with a comprehensive suite of next-generation network security services. There's a solution to meet your evolving security needs — for security without compromise.

Read more about the ASA 5500 and ASA 5500-X Series for the Internet Edge.

Cisco ASA Model ASA 5525-X ASA 5545-X ASA 5555-X
Stateful Inspection throughput (max1) 2 Gbps 3 Gbps 4 Gbps
Stateful Inspection throughput (multiprotocol2) 1 Gbps 1.5 Gbps 2 Gbps
Next-Generation throughput3 (multiprotocol) 650 Mbps 1 Gbps 1.4 Gbps
ASA IPS throughput4 600 Mbps
(Extra hardware module not required)
900 Mbps
(Extra hardware module not required)
1.3 Gbps
(Extra hardware module not required)
Concurrent sessions 500,000 750,000 1,000,000
Connections per second 20,000 30,000 50,000
Packets per second (64 byte) 700,000 900,000 1,100,000
3DES/AES VPN throughput5 300 Mbps 400 Mbps 700 Mbps
Site-to-site and IPsec IKEv1 client VPN user sessions 750 2,500 5,000
AnyConnect or clientless VPN user sessions6 (AnyConnect license required) 750 2,500 5,000
Cisco Cloud Web Security users 4,000 5,000 6,000
VLANs 200 300 500
High-availability support7 A/A and A/S A/A and A/S A/A and A/S
Integrated I/O 8-port 10/100/1000 8-port 10/100/1000 8-port 10/100/1000
Expansion I/O 6-port 10/100/1000 or 6-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP)
Dual Power Supplies Not available Yes Yes
Power AC/DC AC/DC AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS service can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 Remote Access VPN Connectivity
6 2 AnyConnect Premium User Licenses are included by default
7 A/A = Active/Active; A/S = Active/Standby

Cisco ASA firewalls protect networks of all shapes and sizes, with consistent security across hybrid infrastructures — physical, virtual, and cloud. These solutions combine the most deployed firewall in the industry with a full complement of next-generation network security services. They protect corporate networks while providing employees with secure access to data — anytime, anywhere, using any device.

Read more about the Cisco ASA firewalls for large enterprises and data centers.

Cisco ASA Model ASA 5585-X with SSP10 ASA 5585-X with SSP20 ASA 5585-X with SSP40 ASA 5585-X with SSP60 ASA Services Module
Stateful Inspection throughput (max1) 4 Gbps 10 Gbps 20 Gbps 40 Gbps 20 Gbps
Stateful Inspection throughput (multiprotocol2) 2 Gbps 5 Gbps 10 Gbps 20 Gbps 16 Gbps
Next-Generation throughput3 (multiprotocol) 2 Gbps
(with ASA CX SSP-10)
5 Gbps
(with ASA CX SSP-20)
9 Gbps
(with ASA CX SSP-40)
13 Gbps
(with ASA CX SSP-60)
Not available
IPS throughput4 (multiprotocol) 2 Gbps
(with IPS SSP-10)
3 Gbps
(with IPS SSP-20)
5 Gbps
(with IPS SSP-40)
10 Gbps
(with IPS SSP-60)
Not available
Concurrent sessions 1,000,000 2,000,000 4,000,000 10,000,000 10,000,000
Connections per second 50,000 125,000 200,000 350,000 300,000
Packets per second (64 byte) 1,500,000 3,000,000 5,000,000 9,000,000 5,000,000
3DES/AES VPN throughput5 1 Gbps 2 Gbps 3 Gbps 5 Gbps 2 Gbps
AnyConnect or clientless VPN user sessions6(AnyConnect license required) 5,000 10,000 10,000 10,000 10,000
AnyConnect or clientless VPN user sessions 5,000 10,000 10,000 10,000 10,000
Cisco Cloud Web Security users 7,500 7,500 7,500 7,500 7,500
Integtrated I/O 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 8-port 10/100/1000 and 2-port 10 GE (SFP+)7 6-port 10/100/1000 and 4-port 10 GE (SFP+) 6-port 10/100/1000 and 4-port 10 GE (SFP+) Provided by the switch or router
Expansion I/O8 8-port 10 GE(SFP/SFP+) or
4-port 10 GE(SFP/SFP+) or
20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/1000)
Provided by the switch or router
Dual power supplies Yes Yes Yes Yes Yes. Provided by the switch or router
VLANs 1,024 1,024 1,024 1,024 1,000
High-availability support9 A/A and A/S A/A and A/S A/A and A/S A/A and A/S A/A and A/S
Power AC AC AC AC AC/DC provided by the switch or router

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Throughput was measured using ASA CX Software Release 9.1.1 with multi-protocol traffic profile with both Application Visibility Control (AVC) and Web Security Essentials (WSE). Traffic logging was enabled as well.
4 Firewall traffic that does not go through IPS SSP module can have higher throughput.
5 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning. Maximum throughput numbers are based on IPsec IKEv1 Remote Access VPN Connectivity.
6 2 AnyConnect Premium User Licenses are included by default
7 Requires a separate license
8 Half-width modules
9 A/A = Active/Active; A/S = Active/Standby