Cisco® ASA 5500 and ASA 5500-X Series Next-Generation Firewalls integrate the world's most proven stateful inspection firewall with a comprehensive suite of highly integrated next-generation firewall services for networks of all sizes - small and midsize businesses with one or a few locations, large enterprises, service providers, and mission-critical data centers. The Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls deliver MultiScale™ performance with unprecedented services flexibility, including next-generation firewall capabilities, modular scalability, feature extensibility, and lower deployment and operations costs.
Midsize businesses protecting the Internet edge require the same level of protection as large enterprise networks. You require enterprise-strength security, but purchasing a firewall that was built to handle the performance needs and budget of a large enterprise would be unnecessary and a waste of company resources. You need a firewall that provides the performance you need at a price you can afford, along with the visibility and control you need to take advantage of new applications and devices without compromising security.
Features and Benefits
Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls are available in a wide range of sizes and performance levels to fit your network and budget while offering the same proven level of security that protects some of the largest networks at some of the most security-conscious companies in the world. The ASA 5500 and ASA 5500-X Series Next-Generation Firewalls scale to meet the performance and security requirements of a wide range of network applications, to correspond with your changing needs.
Like their enterprise counterparts, Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet edge protect critical assets through:
• Exceptional next-generation firewall services that provide the visibility and control your enterprise needs to safely take advantage of new applications and devices1
• Application Visibility and Control (AVC) to control specific behaviors within allowed micro-applications
• Web Security Essentials (WSE) to restrict web and web application usage based on reputation of the site
• Broad and deep network security through an array of integrated cloud- and software-based next-generation firewall services backed by Cisco Security Intelligence Operations (SIO)
• Highly effective intrusion prevention system (IPS) with Cisco Global Correlation
• High-performance VPN and always-on remote access
• The ability to enable additional security services quickly and easily in response to changing needs
Cisco ASA 5525-X, 5545-X, and 5555-X
The Cisco ASA 5525-X, 5545-X, and 5555-X are next-generation firewalls that combine the most widely deployed stateful inspection firewall in the industry with a comprehensive suite of next-generation network security services - for comprehensive security without compromise. They help meet evolving security needs by delivering multiple next-generation security services, multigigabit performance, flexible interface options, and redundant power supplies, all in a compact 1-RU form factor. These firewalls optionally provide broad and deep network security services through an array of integrated cloud- and software-based security services, including Application Visibility and Control (AVC), Web Security Essentials (WSE), Cisco Cloud Web Security (CWS), and the only context-aware IPS - with no need for additional hardware modules.
The ASA 5525-X, 5545-X, and 5555-X Next-Generation Firewalls are part of the ASA 5500-X Series, which is built on the same proven security platform as the rest of the ASA family of firewalls and delivers superior performance for exceptional operational efficiency. These models are designed to meet evolving security needs by providing, among other things, innovative next-generation firewall services that make it possible to take advantage of new applications and devices without compromising security. Unlike other next-generation firewalls, the Cisco ASA 5500-X Series keeps pace with rapidly evolving needs by offering end-to-end network intelligence gained from combining the visibility from local traffic with in-depth global network intelligence through:
With up to 4 Gbps of firewall throughput, 1,000,000 concurrent firewall connections, 50,000 connections per second, and 6 integrated Gigabit Ethernet interfaces, the ASA 5525-X, 5545-X, and 5555-X are excellent choices for businesses requiring high performance, cost effectiveness, exceptional application visibility and control, and an extensible security solution that can grow with their changing needs.
Cisco ASA 5520, 5540, and 5550
The Cisco ASA 5520, 5540, and 5550 are modular, high-performance firewalls that deliver security services with Active/Active high availability and Gigabit Ethernet connectivity for medium-sized enterprise networks. With Gigabit Ethernet interfaces and support for up to 200 VLANs, businesses can easily deploy the Cisco ASA 5520, 5540, and 5550 into multiple zones within their network. The Cisco ASA 5520, 5540, and 5550 scale with businesses as their network security requirements grow, delivering solid investment protection.
Businesses can extend their SSL and IPsec VPN capacity to support a larger number of mobile workers, remote sites, and business partners. Up to 5000 Cisco AnyConnect and/or clientless VPN peers can be supported. VPN capacity and resiliency can be increased by taking advantage of integrated VPN clustering and load-balancing capabilities. The Cisco ASA 5520, 5540, and 5550 support up to 10 firewalls in a cluster, offering a maximum of 50,000 AnyConnect and/or clientless VPN peers or 50,000 IPsec VPN peers per cluster. For business continuity and event planning, the Cisco ASA 5520, 5540, and 5550 can also benefit from Cisco VPN Flex licenses, which enable administrators to react to or plan for short-term "bursts" of concurrent Premium VPN remote-access users for up to two months.
The advanced application-layer security and content security defenses provided by these firewalls can be extended by deploying the high-performance intrusion prevention and worm mitigation capabilities of the Advanced Inspection and Prevention Security Services Module (AIP SSM) or the comprehensive malware protection of the Content Security and Control Security Services Module (CSC SSM). Using these optional security context capabilities, businesses can deploy up to 100 virtual firewalls within a physical appliance to enable compartmentalized control of security policies on a departmental level. This virtualization strengthens security and reduces overall management and support costs while consolidating multiple security devices into a single appliance.
Table 1 compares the features and capacities of the Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge.
Table 1. Cisco ASA 5500 and ASA 5500-X Series Next-Generation Firewalls for the Internet Edge
UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950
IEC 60950-1: 2005, 2nd Edition
EN 60950-1:2006+A11: 2009
UL 60950-1:2007, 2nd Edition;
CSA C22.2 No. 60950-1-07, 2nd Edition
Electromagnetic Compatibility (EMC)
CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
CE: EN55022 2006+A1: 2007 Class A; EN55024 1998+A1:2001+A2:2003; EN61000-3-2 2009; EN61000-3-3 2008;
FCC: CFR 47, Part 15 Subpart B Class A 2010, ANSI C63.4 2009;
ICES-003 ISSUE 4 FEBRUARY.2004;
VCCI: V-3/2011.04;
C-TICK: AS/NZS CISPR 22, 2009
KC: KN22 & KN24
Industry Certifications
Common Criteria EAL4 US DoD Application-Level Firewall for Medium-Robustness Environments, Common Criteria EAL2 for IPS on AIP SSM-10 and -20, FIPS 140-2 Level 2, and NEBS Level 3
In process: Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, and Common Criteria EAL4 for IPsec/SSL VPN
In process
FIPS 140-2 Level 2
In process: Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, and Common Criteria EAL4 for IPsec/SSL VPN
In process
FIPS 140-2 Level 2
In process: Common Criteria EAL4+ US DoD Application-Level Firewall for Medium-Robustness Environments, and Common Criteria EAL4 for IPsec/SSL VPN
In process
1. Maximum throughput measured with UDP traffic under ideal conditions.
2. Multiprotocol: Traffic profile consisting primarily of TCP-based protocols/applications, such as HTTP, SMTP, FTP, IMAPv4, BitTorrent, and DNS.
3. Firewall traffic that does not go through the IPS service can have higher throughput.
4. Throughput was measured using ASA CX Software Release 9.1.1 with multiprotocol traffic profile with both AVC and WSE. Traffic logging was enabled as well.
5. VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
6. Separately licensed feature; includes two SSL licenses with base system.
Cisco ASA 5500 Series Security Services Processors, Modules, and Cards
The Cisco ASA 5500 Series brings a new level of integrated security performance to networks with its highly effective IPS services and multiprocessor hardware architecture. This architecture allows businesses to adapt and extend the high-performance security services profile of the Cisco ASA 5500 Series. Customers can add additional high-performance services using security services modules with dedicated security co-processors, and can custom-tailor flow-specific policies using a highly flexible policy framework. This adaptable architecture enables businesses to deploy new security services when and where they are needed, such as adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM. Further, the Cisco ASA 5500 Series architecture allows Cisco to introduce new services to address new threats, giving businesses outstanding investment protection.
The Cisco ASA 5500 Series AIP SSM and AIP SSC are inline, network-based solutions that accurately identify, classify, and stop malicious traffic before it affects business continuity for IPv4, IPv6, and hybrid IPv6 and IPv4 networks. They combine inline prevention services with innovative technologies, resulting in total confidence in the provided protection of the deployed IPS solution, without the fear of legitimate traffic being dropped. The AIP SSM and AIP SSC also offer comprehensive network protection through their unique ability to collaborate with other network security resources, providing a proactive approach to protecting the network.
Accurate inline prevention technologies provide unparalleled confidence to take preventive action on a broader range of threats without the risk of dropping legitimate traffic. These unique technologies offer intelligent, automated, contextual analysis of data and help ensure that businesses are getting the most out of their intrusion prevention solutions. Furthermore, the IPS SSP, AIP SSM, and AIP SSC use multivector threat identification to protect the network from policy violations, vulnerability exploitations, and anomalous activity through detailed inspection of traffic in Layers 2 through 7.
Table 2 details the AIP SSM models that are available, and their respective performance and physical characteristics.
Table 2. Characteristics of Cisco ASA 5500 Series AIP SSM Models
UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950
Electromagnetic Compatibility (EMC)
CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3
Cisco ASA 5500 Series Content Security and Control Module
The Cisco ASA 5500 Series CSC SSM delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, antispyware, file blocking, antispam, antiphishing, URL blocking and filtering, and content filtering services in an easy-to-manage solution. The CSC SSM bolsters the Cisco ASA 5500 Series' strong security capabilities, providing customers with additional protection of and control over the content of their business communications. The module provides additional flexibility and choice over the functioning and deployment of Cisco ASA 5500 Series firewalls. Licensing options enable organizations to customize the features and capabilities to each group's needs, with features that include advanced content services and increased user capacity. The CSC SSM ships with a default feature set that provides antivirus, antispyware, and file blocking services.
A Plus license is available for each CSC SSM at an additional charge, delivering capabilities such as antispam, antiphishing, URL blocking and filtering, and content control services. Businesses can extend the user capacity of the CSC SSM by purchasing and installing additional user licenses. A detailed listing of these options is shown in Table 3 and in the CSC SSM data sheet.
Table 3. Characteristics of Cisco ASA 5500 Series CSC SSMs
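| Feature | Cisco ASA 5500 Series CSC-SSM-10 | Cisco ASA 5500 Series CSC-SSM-20 |
| --- | --- | --- |
| Supported Platforms | Cisco ASA 5520 | Cisco ASA 5520, Cisco ASA 5540 |
| Standard and Optional Features | | |
| Standard User License | 50 users | 500 users |
| Standard Feature Set | Antivirus, antispyware, file blocking | Antivirus, antispyware, file blocking |
| Optional User Upgrades (Total Users) | 100 users, 250 users, 500 users | 750 users, 1000 users |
| Optional Feature Upgrades | Plus license: Adds antispam, antiphishing, URL blocking and filtering, and content control | Plus license: Adds antispam, antiphishing, URL blocking and filtering, and content control |
| Technical Specifications | | |
| Memory | 1 GB | 2 GB |
| System Flash | 256 MB | 256 MB |
| Environmental Operating Ranges | | |
| Operating: Temperature | 32 to 104°F (0 to 40°C) | 32 to 104°F (0 to 40°C) |
| Operating: Relative Humidity | 10 to 90 percent, noncondensing | 10 to 90 percent, noncondensing |
| Nonoperating: Temperature | -13 to 158°F (-25 to 70°C) | -13 to 158°F (-25 to 70°C) |
| Power Consumption | 90W maximum | 90W maximum |
| Physical Specifications | | |
| Dimensions (H x W x D) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) |
| Weight (with Power Supply) | 3.00 lb (1.36 kg) | 3.00 lb (1.36 kg) |
| Regulatory and Standards Compliance | | |
| Safety | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 |
| Electromagnetic Compatibility (EMC) | CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 |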
Cisco ASA 5500 Series 4-Port Gigabit Ethernet Module
The Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSM enables businesses to better segment network traffic into separate security zones, providing more granular security for their network environment. These zones can range from the Internet to internal corporate departments/sites to DMZs. This high-performance module supports both copper and optical connection options by including four 10/100/1000 copper RJ-45 ports and four SFP ports. Businesses can choose between copper or fiber ports, providing flexibility for data center, campus, or enterprise edge connectivity. The module extends the I/O profile of the Cisco ASA 5500 Series to a total of five Fast Ethernet and four Gigabit Ethernet ports on the Cisco ASA 5510. Table 4 lists the characteristics of the Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs.
Table 4. Characteristics of Cisco ASA 5500 Series 4-Port Gigabit Ethernet SSMs
| Feature | Cisco ASA 5500 Series 4-Port GE SSM |
| --- | --- |
| Technical Specifications | |
| Integrated LAN Ports | Four 10/100/1000BASE-T |
| Integrated SFP Ports | Four (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported) |
| Environmental Operating Ranges | |
| Operating: Temperature | 32 to 104°F (0 to 40°C) |
| Operating: Relative Humidity | 5 to 95 percent noncondensing |
| Nonoperating: Temperature | -13 to 158°F (-25 to 70°C) |
| Power Consumption | 25W maximum |
| Physical Specifications | |
| Dimensions (H x W x D) | 1.70 x 6.80 x 12.25 in. (4.32 x 17.27 x 31.12 cm) |
| Weight (with Power Supply) | 2.00 lb (0.91 kg) |
| Regulatory and Standards Compliance | |
| Safety | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 |
| Electromagnetic Compatibility (EMC) | CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 |
Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards
Cisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports. The cards provide the following benefits:
• Better segmentation of network traffic (into separate security zones)
• Fiber-optic cable connectivity for long distance communication
• Load sharing of traffic as well as protection against link failure by using EtherChannel
• Support for Jumbo Ethernet frames of up to 9000 bytes
• Protection against cable failure for the most demanding Active/Active and full mesh firewall deployments
Table 5 lists the characteristics of the Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards.
Table 5. Characteristics of Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards
| Feature | Cisco ASA 5500-X Series 6-Port 10/100/1000 | Cisco ASA 5500-X Series 6-Port GE SFP SX, LH, LX |
| --- | --- | --- |
| Technical Specifications | | |
| Integrated Ports | Six 10/100/1000BASE-T | Six (Gigabit Ethernet Optical SFP 1000BASE-SX or LX/LH transceiver supported) |
| Environmental Operating Ranges | | |
| Operating: Temperature | 32 to 113°F (0 to 45°C) | 32 to 113°F (0 to 45°C) |
| Operating: Relative Humidity | 5 to 95 percent noncondensing | 5 to 95 percent noncondensing |
| Nonoperating: Temperature | -40 to 149°F (-40 to 65°C) | -40 to 149°F (-40 to 65°C) |
| Power Consumption | 25W maximum | 25W maximum |
| Physical Specifications | | |
| Dimensions (H x W x D) | 1.57 x 5.31 x 9.09 in. (3.99 x 13.49 x 23.09 cm) | 1.57 x 5.31 x 9.09 in. (3.99 x 13.49 x 23.09 cm) |
| Weight | 1.00 lb (0.45 kg) | 1.00 lb (0.45 kg) |
| Regulatory and Standards Compliance | | |
| Safety | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 | UL 60950, CSA C22.2 No. 60950, EN 60950 IEC 60950, AS/NZS60950 |
| Electromagnetic Compatibility (EMC) | CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 | CE marking, FCC Part 15 Class A, AS/NZS CISPR22 Class A, VCCI Class A, EN55022 Class A, CISPR22 Class A, EN61000-3-2, EN61000-3-3 |
Ordering Information
To place an order, visit the Cisco Ordering Home Page. Table 6 provides ordering information for the Cisco ASA 5500 Series and ASA 5500-X Series Next-Generation Firewalls.
Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business.
Included in the "Operate" phase of the service lifecycle are Cisco Security IntelliShield Alert Manager Service, Cisco SMARTnet® Service, Cisco Service Provider Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.
Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature IPS capabilities. Cisco SMARTnet and Service Provider Base support other products in this family.