Cisco ASA 5500-X Series Next-Generation Firewalls

Compare Models

With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with industry-leading Sourcefire threat and advanced malware protection in a single device.

This table shows the next-generation firewall performance and hardware specifications of the Cisco ASA with FirePOWER Services for the Cisco ASA 5500-X models.

| Cisco ASA Model | ASA 5505 / Security Plus | ASA 5506-X / Security Plus | ASA 5506W-X / Security Plus | ASA 5506H-X / Security Plus | ASA 5508-X | ASA 5512-X / Security Plus | ASA 5515-X | ASA 5516-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Stateful inspection throughput (max)¹ | Up to 150 Mbps | 750 Mbps | 750 Mbps | 750 Mbps | 1 Gbps | 1 Gbps | 1.2 Gbps | 1.8 Gbps | 2 Gbps | 3 Gbps | 4 Gbps |
| Stateful inspection throughput (multiprotocol)² | - | 300 Mbps | 300 Mbps | 300 Mbps | 500 Mbps | 500 Mbps | 600 Mbps | 900 Mbps | 1 Gbps | 1.5 Gbps | 2 Gbps |
| Maximum application visibility and control (AVC) throughput | - | 250 Mbps | 250 Mbps | 250 Mbps | 450 Mbps | 300 Mbps | 500 Mbps | 850 Mbps | 1,100 Mbps | 1,500 Mbps | 1,750 Mbps |
| Maximum AVC and NGIPS throughput | - | 125 Mbps | 125 Mbps | 125 Mbps | 250 Mbps | 150 Mbps | 250 Mbps | 600 Mbps | 650 Mbps | 1,000 Mbps | 1,250 Mbps |
| Maximum concurrent sessions | 10,000 / 25,000 | 20,000 / 50,000 | 20,000 / 50,000 | 50,000 | 100,000 | 100,000 | 250,000 | 250,000 | 500,000 | 750,000 | 1,000,000 |
| Maximum new connections per second | 5,000 | 5,000 | 5,000 | 5,000 | 10,000 | 10,000 | 15,000 | 20,000 | 20,000 | 30,000 | 50,000 |
| Application control (AVC) or NGIPS sizing throughput [440 byte HTTP]³ | - | 90 Mbps | 90 Mbps | 90 Mbps | 200 Mbps | 100 Mbps | 150 Mbps | 500 Mbps | 375 Mbps | 575 Mbps | 725 Mbps |
| Packets per second (64 byte) | 85,000 | 246,900 | 246,900 | 246,900 | 694,000 | 450,000 | 500,000 | 750,000 | 700,000 | 900,000 | 1,100,000 |
| Maximum 3DES/AES VPN throughput⁴ | 100 Mbps | 100 Mbps | 100 Mbps | 100 Mbps | 175 Mbps | 200 Mbps | 250 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps |
| Maximum site-to-site and IPsec IKEv1 client VPN user sessions⁴ | 10 / 25 | 10 / 50 | 10 / 50 | 50 | 100 | 250 | 250 | 300 | 750 | 2,500 | 5,000 |
| Maximum Cisco AnyConnect IKEv2 remote access VPN or clientless VPN user sessions⁵ | 25 | 2 / 50 | 2 / 50 | 50 | 100 | 2 / 250 | 250 | 300 | 750 | 2,500 | 5,000 |
| Cisco Cloud Web Security users | 25 | 275 | 275 | 275 | 565 | 2,000 | 3,000 | 2,000 | 4,000 | 5,000 | 6,000 |
| VLANs | 3 (trunking disabled) / 20 (trunking enabled) | 5 / 30 | 5 / 30 | 30 | 50 | 50 / 100 | 100 | 100 | 200 | 300 | 500 |
| High-availability support⁶ | Stateless A/S only* | A/S* | A/S* | A/S* | A/A and A/S | A/A* and A/S* | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| Integrated I/O | 8-port FE with 2 Power over Ethernet (PoE) ports | 8 x 1 Gigabit Ethernet (GE) | 8 x 1 GE | 4 x 1 GE | 8 x 1 GE | 6-port 10/100/1000 | 6-port 10/100/1000 | 8 x 1 GE | 8-port 10/100/1000 | 8-port 10/100/1000 | 8-port 10/100/1000 |
| Expansion I/O | Not available | Not available | Not available | Not available | Not available | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | Not available | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) | 6-port 10/100/1000 or 6-port GE (SFP) |
| Dual power supplies | Not available | Not available | Not available | Not available | Not available | Not available | Not available | Not available | - | Yes | Yes |

Power AC/DC AC only AC only AC only AC only AC/DC AC/DC AC only AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Activating more features will change performance.
4 VPN throughput and maximum sessions depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. The maximum number of users may be limited by your throughput requirements.
5 Requires AnyConnect Plus or Apex license. An Apex license is required for clientless VPN. See the AnyConnect Ordering Guide for details. The maximum number of users may be limited by your throughput requirements.

Cisco ASA firewalls protect networks of all shapes and sizes, with consistent security across hybrid infrastructures — physical, virtual, and cloud. These solutions combine the most deployed firewall in the industry with a full complement of next-generation network security services. They protect corporate networks while providing employees with secure access to data — anytime, anywhere, using any device.

Read more about the Cisco ASA firewalls for large enterprises and data centers.

This table shows the next-generation firewall performance and hardware specifications of the Cisco ASA with FirePOWER Services for Cisco ASA 5585-X models with a Security Services Processor (SSP).

| Cisco ASA Model | ASA 5585-X with SSP10 | ASA 5585-X with SSP20 | ASA 5585-X with SSP40 | ASA 5585-X with SSP60 | ASA Services Module |
|---|---|---|---|---|---|
| Stateful inspection throughput (max)¹ | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps |
| Stateful inspection throughput (multiprotocol)² | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps | 16 Gbps |
| Maximum application visibility and control (AVC) throughput | 4.5 Gbps | 7 Gbps | 10 Gbps | 15 Gbps | - |
| Maximum AVC and NGIPS throughput | 2 Gbps | 3.5 Gbps | 6 Gbps | 10 Gbps | - |
| Maximum concurrent sessions | 500,000 | 1,000,000 | 1,800,000 | 4,000,000 | 10,000,000 |
| Maximum new connections per second | 40,000 | 75,000 | 120,000 | 160,000 | 300,000 |
| AVC or NGIPS sizing throughput (440-byte HTTP)³ | 1.2 Gbps | 2 Gbps | 3.5 Gbps | 6 Gbps | - |
| Packets per second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,000,000 | 5,000,000 |
| Maximum 3DES/AES VPN throughput⁴ | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps | 2 Gbps |
| Maximum site-to-site and IPsec IKEv1 client VPN user sessions⁴ (requires Security Plus license) | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Maximum Cisco AnyConnect IKEv2 remote access VPN or clientless VPN user sessions⁵ | 5,000 | 10,000 | 10,000 | 10,000 | 10,000 |
| Integrated I/O | 8-port 10/100/1000 and 2-port 10 GE (SFP+)⁶ | 8-port 10/100/1000 and 2-port 10 GE (SFP+)⁷ | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | 6-port 10/100/1000 and 4-port 10 GE (SFP+) | Provided by the switch or router |
| Dual power supplies | Yes | Yes | Yes | Yes | Yes. Provided by the switch or router |
| VLANs | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| High-availability support | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| Power | AC | AC | AC | AC | AC/DC provided by the switch or router |

Cisco Cloud Web Security users 7,500

Expansion I/O (half-width modules) 8-port 10 GE (SFP/SFP+) or
4-port 10 GE (SFP/SFP+) or
20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/1000)
Provided by the switch or router

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3 Activating more features will change performance.
4 VPN throughput and maximum sessions depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. The maximum number of users may be limited by your throughput requirements.
5 Requires AnyConnect Plus/Apex license. Apex license required for clientless VPN. See the AnyConnect Ordering Guide for details. The maximum number of users may be limited by your throughput requirements.