Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

Compare Models


With Cisco ASA firewalls, you can integrate multiple enterprise-class, next-generation network security services without sacrificing performance. Cisco ASA combines the most deployed stateful inspection firewall in the industry with next-generation firewall capabilities.

Read more about the ASA 5505 and ASA 5500-X Series for small and branch offices. This table shows the next-generation firewall capabilities and capacities of the Cisco ASA with FirePOWER Services for Cisco ASA 5506-X, 5512-X and 5515-X Models.

Cisco ASA Model ASA 5505 / Security Plus ASA 5506-X / Security Plus ASA 5512-X / Security Plus ASA 5515-X
Stateful Inspection throughput (max1) Up to 150 Mbps 750 Mbps 1 Gbps 1.2 Gbps
Stateful Inspection throughput (multiprotocol2) - 300 Mbps 500 Mbps 600 Mbps
Maximum application control (AVC) throughput - 250 Mbps 300 Mbps 500 Mbps
Maximum AVC and NGIPS throughput - 125 Mbps 150 Mbps 250 Mbps
Maximum Concurrent sessions 10,000 /25,000 20,000/50,000 100,000 250,000
Maximum new Connections per second 4,000 5,000 10,000 15,000
Application control (AVC)
or
NGIPS sizing throughput [440 byte HTTP]3
- 90 Mbps 100 Mbps 150 Mbps
Packets per second (64 byte) 85,000 246,900 450,000 500,000
Maximum 3DES/AES VPN throughput4 100 Mbps 100 Mbps 200 Mbps 250 Mbps
Maximum Site-to-site and IPsec IKEv1 client VPN user sessions4 (requires Security Plus license) 10/25 10 / 50 250 250
Maximum Cisco AnyConnect® or Clientless VPN User Sessions5 (AnyConnect/Apex license required) 25 2 / 50 250 250
Cisco Cloud Web Security users 25 275 2,000 3,000
VLANs 3 (trunking disabled) / 20 (trunking enabled) 5 / 50 50 / 100 100
High-availability support6 Stateless Active/Standby Only* A/S* Active/Active* and Active/Standby* A/A and A/S
Integrated I/O 8-port FE with 2 Power over Ethernet (PoE) ports 8 x 1 Gigabit Ethernet (GE) 6-port 10/100/1000 6-port 10/100/1000
Expansion I/O Not available Not available 6-port 10/100/1000 or 6-port GE (SFP) 6-port 10/100/1000 or 6-port GE (SFP)
Dual power supplies Not available Not available Not available Not available
Power AC/DC AC only AC/DC AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS
3Activating more features will change performance
4 VPN throughput and maximum sessions depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. Maximum users may be further limited by your throughput requirements.
5 Requires AnyConnect Plus/Apex license. Apex license required for clientless VPN. See the AnyConnect Ordering Guide for details. Maximum users may be further limited by your throughput requirements.
6 A/A = Active/Active; A/S = Active/Standby
* requires security plus license

Cisco ASA next-generation firewalls are available in a wide range of sizes and performance levels to fit your network and budget. They also combine stateful inspection and next-generation firewall capabilities with a comprehensive suite of next-generation network security services. There's a solution to meet your evolving security needs — for security without compromise.

Read more about the ASA 5500 and ASA 5500-X Series for the Internet Edge.

This table shows the next-generation firewall performance and hardware specifications of the Cisco ASA with FirePOWER Services for the Cisco ASA 5525-X, 5545-X and 5555-X models.

Cisco ASA Model ASA 5525-X ASA 5545-X ASA 5555-X
Stateful Inspection throughput (max1) 2 Gbps 3 Gbps 4 Gbps
Stateful Inspection throughput (multiprotocol2) 1 Gbps 1.5 Gbps 2 Gbps
Maximum application visibility and control (AVC) throughput 1100 Mbps 1500 Mbps 1750 Mbps
Maximum AVC and NGIPS throughput 650 Mbps 1000 Mbps 1250 Mbps
Maximum concurrent sessions 500,000 750,000 1,000,000
Maximum new connections per second 20,000 30,000 50,000
AVC or NGIPS sizing throughput (440-byte HTTP3) 375 Mbps 575 Mbps 725 Mbps
Packets per second (64 byte) 700,000 900,000 1,100,000
Maximum 3DES/AES VPN throughput4 300 Mbps 400 Mbps 700 Mbps
Maximum site-to-site and IPsec IKEv1 client VPN user sessions4 (requires Security Plus license) 750 2,500 5,000
Maximum Cisco AnyConnect, IKEv2 remote access VPN, or clientless VPN user sessions5 750 2,500 5,000
Cisco Cloud Web Security users 4000 5000 6000
VLANs 200 300 500
High-availability support Active/active and active/standby
Integrated I/O 8-port 10/100/1000
Expansion I/O 6-port 10/100/1000 or 6-port GE (SFP)
Dual Power Supplies - Yes Yes
Power AC/DC

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols or applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Activating more features will change performance.
4 VPN throughput and maximum sessions depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. The maximum number of users may be limited by your throughput requirements.
5 Requires AnyConnect Plus or Apex license. An Apex license is required for clientless VPN. See the AnyConnect Ordering Guide for details. The maximum number of users may be limited by your throughput requirements.

Cisco ASA firewalls protect networks of all shapes and sizes, with consistent security across hybrid infrastructures — physical, virtual, and cloud. These solutions combine the most deployed firewall in the industry with a full complement of next-generation network security services. They protect corporate networks while providing employees with secure access to data — anytime, anywhere, using any device.

Read more about the Cisco ASA firewalls for large enterprises and data centers.

This table shows the next-generation firewall performance and hardware specifications of the Cisco ASA with FirePOWER Services for Cisco ASA 5585-X models with a Security Services Processor (SSP)

Cisco ASA Model ASA 5585-X with SSP10 ASA 5585-X with SSP20 ASA 5585-X with SSP40 ASA 5585-X with SSP60 ASA Services Module
Stateful Inspection throughput (max1) 4 Gbps 10 Gbps 20 Gbps 40 Gbps 20 Gbps
Stateful Inspection throughput (multiprotocol2) 2 Gbps 5 Gbps 10 Gbps 20 Gbps 16 Gbps
Maximum application visibility and control (AVC) throughput 4.5 Gbps 7 Gbps 10 Gbps 15 Gbps -
Maximum AVC and NGIPS throughput 2 Gbps 3.5 Gbps 6 Gbps 10 Gbps -
Maximum concurrent sessions 500,000 1,000,000 1,800,000 4,000,000 10,000,000
Maximum new connections per second 40,000 75,000 120,000 160,000 300,000
AVC or NGIPS sizing throughput (440-byte HTTP3) 1.2 Gbps 2 Gbps 3.5 Gbps 6 Gbps -
Packets per second (64 byte) 1,500,000 3,000,000 5,000,000 9,000,000 5,000,000
Maximum 3DES/AES VPN throughput4 1 GBPS 2 GBPS 3 Gbps 5 Gbps 2 Gbps
Maximum site-to-site and IPsec IKEv1 Client VPN user sessions4 (requires Security Plus license) 5,000 10,000 10,000 10,000 10,000
Maximum Cisco AnyConnect IKEv2 remote access VPN or clientless VPN user sessions5 5000 10,000 10,000 10,000 10,000
Cisco Cloud Web Security users 7,500
Integtrated I/O 8-port 10/100/1000 and 2-port 10 GE (SFP+)6 8-port 10/100/1000 and 2-port 10 GE (SFP+)7 6-port 10/100/1000 and 4-port 10 GE (SFP+) 6-port 10/100/1000 and 4-port 10 GE (SFP+) Provided by the switch or router
Expansion I/O (half-width modules) 8-port 10 GE(SFP/SFP+) or
4-port 10 GE(SFP/SFP+) or
20-port 1 GE (12-port 1 GE SFP and 8-port 10/100/1000)
Provided by the switch or router
Dual power supplies Yes Yes Yes Yes Yes. Provided by the switch or router
VLANs 1,024 1,024 1,024 1,024 1,000
High-availability support 1,024 1,024 1,024 1,024 1,000
Power AC AC AC AC AC/DC provided by the switch or router

1 Maximum throughput with UDP traffic measured under ideal test conditions
2 Multiprotocol = Traffic profile consisting primarily of TCP-based protocols/applications like HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3Activating more features will change performance.
4 VPN throughput and maximum sessions depend on the ASA device configuration and VPN traffic patterns, including average packet size. These elements should be taken into consideration as part of your capacity planning. Throughput represents the maximum possible IPsec throughput. The maximum number of users may be limited by your throughput requirements.
5 Requires AnyConnect Plus/Apex license. Apex license required for clientless VPN. See the AnyConnect Ordering Guide for details. The maximum number of users may be limited by your throughput requirements.