Cisco ASA 5585-X Hardware Installation Guide
Introducing the Cisco ASA 5585-X
Downloads: This chapterpdf (PDF - 647.0KB) The complete bookPDF (PDF - 7.91MB) | Feedback

Table of Contents

Introducing the Cisco ASA 5585-X With Cisco MultiScale™

Product Overview

Chassis Features

Specifications

Memory Configurations

Power Supply Module Requirements

SFP/SFP+ Modules

Introducing the Cisco ASA 5585-X With
Cisco MultiScale™

This chapter describes the Cisco ASA 5585-X with Cisco MultiScale™ and includes the following sections:


Note Read through the entire guide before beginning any of the installation procedures.



Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49



Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.

Product Overview

The ASA 5585-X adaptive security appliance featuring MultiScale is a 2RU, two-slot chassis. Supporting one of the highest performance density firewalls in the market, the design of the ASA 5585-X provides high scalability not only in throughput, but also high connection speed as well as maximum connections. Connection speed and maximum connection requirements are growing much faster than throughput in most customer data center networks. The capabilities of the ASA 5585-X help you simultaneously meet scalability challenges in throughput, connection capacity, and connection speed in the data center.

Each ASA 5585-X chassis accommodates up to two AC power supply modules, which contain integrated fans; you can alternatively install a fan module in the second bay. The Security Services Processor (SSP) resides in slot 0 (the bottom slot) and in slot 1 (the top slot) you can install an additional SSP, an optional Intrusion Prevention System Security Services Processor (IPS SSP), an optional Cisco ASA 5585-X CX Security Services Processor (ASA CX SSP), or up to two network modules. All port numbers are numbered from right to left beginning with 0.


Note Dual firewall mode is only supported in certain versions of ASA software. For more information, refer to the Cisco ASA Compatibility document found at this URL:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html


The ASA 5585-X series comes in four models:

  • ASA 5585-X with Security Services Processor-10
  • ASA 5585-X with Security Services Processor-20
  • ASA 5585-X with Security Services Processor-40
  • ASA 5585-X with Security Services Processor-60

In addition to world-class performance, the ASA 5585-X deploys encrypted traffic inspection, port density (up to 20 interfaces depending on the model), and feature performance matching, that is, performance parity between firewall and IPS functions. All ASA 5585-X series adaptive security appliances ship with a core SSP; the additional SSP, IPS SSP, ASA CX SSP, or network module is optional. You must have the core SSP to run the other modules.

Optional redundant, hot-swappable power supply modules are available as well as hot-swappable fan modules in case of a fan failure.


Note Online insertion and removal (OIR) of the SSP, IPS SSP, ASA CX SSP, and network module is not supported at this time. SFP/SFP+, power supply module, and fan module OIR is supported.


ASDM

Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances.

The SSP provides environmental monitoring, which tracks the operational status of the fan and power supply modules. In addition, it tracks the temperatures of the CPUs and the ambient temperature of the system.

IDM

The IPS SSP supports the Intrusion Prevention System Device Manager (IDM) 7.1. IDM delivers security management and monitoring through an intuitive, easy-to-use web-based management interface. IDM is a Java Web Start application that enables you to configure and manage your IPS SSP. IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.

IME

The Intrusion Prevention System Manager Express (IME) 7.1 also supports the IPS SSP. IME is a network management application that provides system health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors. IME monitors sensor health using customizable dashboards and provides security alerts through RSS feed integration from the Cisco Security Intelligence Operations site. It monitors global correlation data, which you can view in events and reports. It monitors events and lets you sort views by filtering, grouping, and colorization. IME also supports tools such, as ping, trace route, DNS lookup, and whois lookup for selected events. It contains a flexible reporting network. It embeds the IDM configuration component to allow for a seamless integration between the monitoring and configuration of IPS devices. Within IME you can set up your sensors, configure policies, monitor IPS events, and generate reports. IME works in single application mode—the entire application is installed on one system and you manage everything from that system.

PRSM

The Cisco Prime Security Manager (PRSM) lets you manage one ASA CX SSP (PRSM Single Device mode) or multiple ASA CX SSPs (PRSM Multiple Device mode). By adding your ASA CX SSPs to the PRSM inventory, you can apply consistent policies among your devices. All configuration is done through PRSM and then deployed to the managed devices, and all events generated by managed devices are shown in PRSM.

ASA 5585-X SSP-10

The ASA 5585-X SSP-10 provides firewall, VPN support, and 10 interfaces (2 SFP/SFP+ and 8 copper Gigabit Ethernet). The SSP-10 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-10 has one CPU, three DIMM modules, one embedded crypto accelerator, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

You can also order it with the IPS SSP-10, which adds intrusion prevention system protection, and an additional 10 interfaces, or the ASA CX SSP-10, which adds context-aware firewall protection and an additional 10 interfaces.

ASA 5585-X SSP-20

The ASA 5585-X SSP-20 provides firewall, VPN support, and 10 interfaces (2 SFP/SFP+ and 8 copper Gigabit Ethernet). The SSP-20 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-20 has one CPU, 6 DIMM modules, two embedded crypto accelerators, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

You can also order it with the IPS SSP-20, which adds intrusion prevention system protection, and an additional 10 interfaces, or the ASA CX SSP-20, which adds context-aware firewall protection and an additional 10 interfaces.

ASA 5585-X SSP-40

The ASA 5585-X SSP-40 provides firewall, VPN support, and 10 interfaces (4 SFP/SFP+ and 6 copper Gigabit Ethernet). The SSP-40 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-40 has two CPUs, 6 DIMM modules, three embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

You can also order it with another SSP-40 or the IPS SSP-40, which adds intrusion prevention system protection, and an additional 10 interfaces.

ASA 5585-X SSP-60

The ASA 5585-X SSP-60 provides firewall, VPN support, and 10 interfaces (4 SFP/SFP+ and 6 copper Gigabit Ethernet). The SSP-60 ships with two power supply modules; however, the SSP-60 can function with only one power supply module. Although the SSP-60 with IPS SSP-60 can also operate with only one power supply module, we recommend that you install two power supply modules for extended reliability since the power supply modules operate in load-sharing mode. If one fails in this configuration, the other power supply module can still handle the full load until the failed power supply module is replaced. The SSP-60 has two CPUs, 12 DIMM modules, four embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

You can also order it with another SSP-60 or the IPS SSP-60, which adds intrusion prevention system protection, and an additional 10 interfaces.


Caution If you remove a power supply or fan module, replace it immediately to prevent disruption of service.

Chassis Features

This section describes the ASA 5585-X chassis features and indicators.

Figure 1-1 shows the grounding lug on the left side of the chassis (when facing the front of the chassis).

Figure 1-1 ASA 5585-X Side Chassis View

 

1

Grounding lug

 

Figure 1-2 shows the front view of the ASA 5585-X SSP-10 with IPS SSP-10 in the top slot. The illustration shows ASA 5585-X SSP-10 with IPS SSP-10, but it also applies to the ASA 5585-X SSP-10 with ASA CX SSP-10 in the top slot, and the ASA 5585-X SSP-20 with either the IPS SSP-20 or ASA CX SSP-20 in the top slot.

Figure 1-2 ASA 5585-X SSP-10 With IPS SSP-10 Front Panel View

 

 

1

IPS SSP, ASA CX SSP, or network module (slot 1)

2

Core SSP (slot 0)

3

SSP/IPS SSP/ASA CX SSP removal screws

4

Reserved hard disk drive bays in bottom slot
ASA CX SSP hard disk drives in top slot1

5

TenGigabitEthernet 0/9 (SSP in slot 0)
TenGigabitEthernet 1/9 (IPS SSP or ASA CX SSP in Slot 1)
(10-Gb fiber, SFP, or SFP+)

6

TenGigabitEthernet 0/8 (SSP in slot 0)
TenGigabitEthernet 1/8 (IPS SSP or ASA CX SSP in slot 1)
(10-Gb fiber, SFP, or SFP+)

7

GigabitEthernet 0/0 through 0/7(SSP in slot 0)
GigabitEthernet 1/0 through 1/7 (IPS SSP or ASA CX SSP in slot 1)
(from right to left, 1-Gb copper, RJ45)

8

Management 0/1 (SSP in slot 0)
Management 1/1 (IPS SSP or ASA CX SSP in slot 1)
(GigabitEthernet RJ45)

9

Management 0/0 (SSP in slot 0)
Management 1/0 (IPS SSP or ASA CX SSP in slot 1)
(GigabitEthernet RJ45)

10

USB port

11

USB port

12

Front panel indicators

13

Auxiliary port (RJ45)2

14

Console port (RJ45)

15

Eject3

1.Hard disk drives are currently only supported for the ASA CX SSP, which resides in the top slot.

2.The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.

3.Reserved for future use for OIR.

Figure 1-3 shows the front view of ASA 5585-X SSP-40 with IPS SSP-40. The illustration shows ASA 5585-X SSP-40 with IPS SSP-40 in the top slot, but it also applies to the ASA 5585-X SSP-40 with an SSP-40 in the top slot, or the ASA 5585-X SSP-60 with an SSP-60 or IPS SSP-60 in the top slot.

Figure 1-3 ASA 5585-X SSP-40 With IPS SSP-40 Front Panel View

 

 

1

IPS SSP, additional SSP, or network module (slot 1)

2

Core SSP (slot 0)

3

SSP/IPS SSP removal screws

4

Reserved bays for hard disk drives4

5

TenGigabitEthernet 0/9 (SSP in slot 0)
TenGigabitEthernet 1/9 (IPS SSP in slot 1)
(10-Gb fiber, SFP, or SFP+)

6

TenGigabitEthernet 0/8 (SSP in slot 0)
TenGigabitEthernet 1/8 (IPS SSP in slot 1)
(10-Gb fiber, SFP, or SFP+)

7

TenGigabitEthernet 0/7 (SSP in slot 0)
TenGigabitEthernet 1/7 (IPS SSP in slot 1)
(10-Gb fiber, SFP, or SFP+)

8

TenGigabitEthernet 0/6 (SSP in slot 0)
TenGigabitEthernet 1/6 (IPS SSP in slot 1)
(10-Gb fiber, SFP, or SFP+)

9

GigabitEthernet 0/0 through 0/5 (SSP in slot 0)
GigabitEthernet 1/0 through 1/5 (IPS SSP in slot 1)
(from right to left, 1-Gb copper, RJ45)5

10

Management 0/1 (SSP in slot 0)
Management 1/1 (IPS SSP in slot 1)
(GigabitEthernet RJ45)

11

Management 0/0 (SSP in slot 0)
Management 1/0 (IPS SSP in slot 1)
(GigabitEthernet RJ45)

12

USB port

13

USB port

14

Front panel indicators

15

Auxiliary port (RJ45)6

16

Console port (RJ45)

17

Eject7

4.Hard disk drives are not supported at this time. The hard disk drive bays are empty.

5.The IPS ports are GigabitEthernet1/0 through 1/5.

6.The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.

7.Reserved for future use for OIR.

Figure 1-4 shows the front panel indicators.

Figure 1-4 ASA 5585-X Front Panel Indicators

 

 

1

PWR

2

BOOT

3

ALARM

4

ACT

5

VPN

6

PS1

7

PS0

8

HDD1

9

HDD2

Table 1-1 describes the front panel indicators on the ASA 5585-X.

 

Table 1-1 ASA 5585-X Front Panel Indicators

Indicator
Description

PWR

Indicates whether the system is off or on:

  • Off—No power.
  • Green—System has power.

BOOT

Indicates how the power-up diagnostics are proceeding:

  • Flashing green—Power-up diagnostics are running or the system is booting.
  • Green—System has passed power-up diagnostics.
  • Amber—Power-up diagnostics failed.

ALARM

Indicates whether a component has failed:

  • Off—No alarm.
  • Flashing yellow—Critical alarm.

Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or OIR is ready to remove the module.8

ACT

Indicates the status of an HA pair:

  • Green—Status of a unit that is part of a failover pair that is in active mode.
  • Amber—Status of a unit that is part of a failover pair that is in standby mode.

VPN

Indicates whether a VPN tunnel has been established:

  • Green—VPN tunnel is established.

PS1

Indicates the state of the power supply module installed on the right when facing the back panel:

  • Off—No power supply module present or no AC input.
  • Green—Power supply module present, on, and good.
  • Amber—Power or fan module off or failed.

PS0

Indicates the state of the power module installed on the left when facing the back panel:

  • Off—No power supply module present or no AC input.
  • Green—Power supply module present, on, and good.
  • Amber—Power or fan module off or failed.

HDD1

Indicates activity on the hard disk drive:9

  • Off—No hard disk drive present.
  • Flashing green—hard disk drive activity.
  • Amber—hard disk drive failure.

HDD2

Indicates activity on the hard disk drive: 2

  • Off—No hard disk drive present.
  • Flashing green—hard disk drive activity.
  • Amber—hard disk drive failure.

8.OIR is not available at this time.

9.The hard disk drives are only supported on the ASA CX SSP.

Figure 1-5 shows the back panel features.

Figure 1-5 ASA 5585-X Back Panel Features

 

 

1

Power supply module (corresponds to PS1 indicator)

2

Power supply module/fan module removal screws

3

Power supply module plug

4

Toggle On/Off switch for power supply module

5

Power supply module indicators

6

Power supply module or fan module handle

7

Fan module

8

Fan module indicator

Figure 1-6 shows the power supply module indicators.

Figure 1-6 ASA 5585-X Power Supply Module Indicators

 

 

1

IN OK

2

FAN OK

3

OUT FAIL

Table 1-2 describes the power supply module and fan module indicators.

 

Table 1-2 Power Supply Module and Fan Module Indicators

Indicator
Description

IN OK

Indicates status of power supply module:

  • Off—No AC power cord connected or AC power switch off.
  • Green—AC power cord connected and AC power switch on.

FAN OK

Indicates status of fan module

  • Off—Fan module failure or AC power switch off.
  • Green—AC power cord connected, AC power switch on, and internal fan is running.

OUT FAIL

  • Red—Output voltage failure10

10.The power supply module has three output voltages—3.3V, 12V, and 50V.

Table 1-3 describes the Ethernet port indicators.

 

Table 1-3 Ethernet Port Indicators

Indicator
Description

Gigabit Ethernet (RJ45)

  • Left side:

Green—Physical activity

Flashing green—Network activity

  • Right side:

Not lit—10 Mbps

Green—100 Mbps

Amber—1000 Mbps

10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP)

  • Left side:

Off—No 10-Gigabit Ethernet physical link

Green—10-Gigabit Ethernet physical link

Flashing green11—Network activity

  • Right side:

Off—No 1-Gigabit Ethernet physical link

Green—1-Gigabit Ethernet physical link

Flashing green 1 —Network activity

Management port

  • Left side:

Green—Physical activity

Flashing green—Network activity

  • Right side:

Not lit—10 Mbps

Green—100 Mbps

Amber—1000 Mbps

11.Flashing is in proportion to the percentage of number of packets or bytes received.

Specifications

Table 1-4 lists the specifications for the ASA 5585-X.

 

Table 1-4 ASA-5585-X Specifications

Dimensions and Weight

Height

3.47 in (8.8 cm)

Width

19 in (48.3 cm)

Depth

26.5 in (67.3 cm)

Weight

50 lb (22.7 kg) with 1 SSP and 1 power supply module
62 lb (28.20 kg) with SSP, IPS SSP, and 2 power supply modules

Form factor

2 RU, standard 19-inch rack-mountable

Power
AC Input

Rated input voltage
(per power supply module)

100 to 240 VAC

Rated input frequency

50 to 66 Hz

Rated input power
(per power supply module)

1161 W @ 100 VAC
1598 W @ 200 VAC

Rated input current
(per power supply module)

12A (100 VAC)
8A (200 VAC)

Typical heat dissipation

1280 BTU/hr (1 SSP)
2200 BTU/hr (2 SSPs)

Power supply output steady state (typical)

Maximum peak

320 W (1 SSP)
670 W (1 SSP and 1 IPS SSP)

370 W (1 SSP)
770 W (1 SSP and 1 IPS SSP)

DC Input

Rated input voltage
(per power supply module)

-48 VDC to -60 VDC

Rated input power
(per power supply module)

1353 W @ -48 VDC
1403 W @ -60 VDC

Rated input current
(per power supply)

33 A

Maximum heat dissipation

5450 BTU/hr

Power supply output steady state (typical)

Maximum peak

320 W (1 SSP)
670 W (1 SSP and 1 IPS SSP)

370 W (1 SSP)
770 W (1 SSP and 1 IPS SSP)

Environment

Temperature

Operating 32 to 104°F (0 to 40°C)
Nonoperating -40°F to 158°F (-40°C to 70°C)

Airflow

Front to back

Relative humidity (noncondensing)

Operating 10% to 90%
Nonoperating 5% to 95%

Altitude

Operating 0 to 10,000 ft (3,050 m)
Nonoperating 0 to 30,000 ft (9,144 m)

Noise

65 dBa max

Memory Configurations

The ASA 5585-X has up to 6 DIMM modules per CPU. DIMM population is platform-dependent. Table 1-5 shows the memory configurations.

 

Table 1-5 ASA 5585-X Memory Configurations

Model
SSP Memory
IPS SSP Memory

ASA 5585-X with SSP-10

6-GB DRAM

6-GB DRAM

ASA 5585-X with SSP-20

12-GB DRAM

12-GB DRAM

ASA 5585-X with SSP-40

12-GB DRAM

24-GB DRAM

ASA 5585-X with SSP-60

24-GB DRAM

48-GB DRAM


Note The IPS SSP or ASA CX SSP must be at the same level as the SSP model; for example, if you have the ASA 5585-X SSP-10, you can only install the IPS SSP-10.


Power Supply Module Requirements

Table 1-6 lists the power supply module requirements for the AC and DC power supply modules.

 

Table 1-6 Power Supply Module Requirements

AC Power Supply Module
50 V
12 V
3.3 V_STBY
Output Voltage

Maximum

52.0 V

12.2 V

3.45 V

Nominal

50.0 V

12.0 V

3.35 V

Minimum

48.0 V

11.8 V

3.25 V

Output Current @ 200 VAC

Maximum

17.3 A

27.0 A

1.5 A

Minimum

0

0

0

Output Current @ 100 VAC

Maximum

17.3 A

27.0 A

1.5 A

Minimum

0

0

0

DC Power Supply Module

50 V

12 V
3.3 V_STBY
Output Voltage

Maximum

52.0 V

12.45 V

3.45 V

Nominal

50.0 V

12.0 V

3.35 V

Minimum

48.0 V

12.05 V

3.25 V

Output Current @ -48 VDC

Maximum

17.3 A

23.0 A

1.5 A

Minimum

0

0

0

Output Current @ -60 VDC

Maximum

17.3 A

23.0 A

1.5 A

Minimum

0

0

0

SFP/SFP+ Modules

The SFP/SFP+ module is a hot-swappable input/output device that plugs into the SFP/SFP+ ports and provides Gigabit Ethernet connectivity. The SFP and SFP+ modules are optional and not included with the ASA 5585-X. You can purchase them separately. For 1 Gb, you need SFP. For 10Gb, you need SFP+. The two ports are the same, but you can only use 10 Gb if you buy a license for the SSP-10 and IPS-20. Otherwise, the ports are restricted to 1 Gb. The ports are always 10 Gb-enabled for the SSP-40 and IPS-60. The interfaces are called TenGigabitEthernet 0/ x for the SSP and TenGigabitEthernet 1/ x for the ASA 5585-X IPS SSP whether they are 10 Gb-enabled or not.

Table 1-7 lists the SFP/SFP+ modules that the ASA 5585-X supports.

 

Table 1-7 SFP/SFP+ Modules

1G SFP Module

GLC-SX-MM

1000 Base-SX SFP module

GLC-SX-MMD

1000BASE-SX short wavelength, with DOM

GLC-LH-SM

1000 Base-LX/LH SFP module

GLC-LH-SMD

1000BASE-LX/LH long-wavelength, with DOM

GLC-EX-SMD

1000 Base-EX SFP module, SMF, 1310nm, DOM

GLC-T

1000BASE-T standard

10G SFP+ Module

SFP-10G-ER

10G ER SFP+ module

SFP-10G-SR

10G SR SFP+ module

SFP-10G-LRM

10G LRM SFP+ module

SFP-10G-LR

10G LR SFP+ module

SFP-H10GB-ACU7M

10GBASE-CU SFP+ Cable 7 Meter, active

SFP-H10GB-ACU10M

10GBASE-CU SFP+ Cable 10 Meter, active

SFP-H10GB-CU1M

10GBASE-CU SFP+ cable 1 meter, passive

SFP-H10GB-CU3M

10GBASE-CU SFP+ cable 3 meter, passive

SFP-H10GB-CU5M

10GBASE-CU SFP+ cable 5 meter, passive