Cisco Secure Firewall ASA Compatibility

ASA and ASDM Compatibility Per Model

This section lists ASA and ASDM compatibility per model.

Note

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.

ASA 9.19

Releases in bold are the recommended versions.

Note

ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.19(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:
- For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.18 with ASA 9.19. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.19(1.2) with ASDM 7.19(1).

Table 1. ASA and ASDM Compatibility: 9.19
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Firepower 1010 1120 1140 1150	Firepower 1010E	Firepower 2110 2120 2130 2140	Secure Firewall 3105 3110 3120 3130 3140	Firepower 4112 4115 4125 4145	Firepower 9300	ISA 3000
9.19(1)	7.19(1)	YES	YES	—	YES	YES	YES	YES	YES

ASA 9.18 to 9.17

Releases in bold are the recommended versions.

Note

ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.17(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:
- For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.17 with ASA 9.18. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.17(1.2) with ASDM 7.17(1).
ASA 9.17(1.13) and 9.18(2) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 2. ASA and ASDM Compatibility: 9.18 to 9.17
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Firepower 1010 1120 1140 1150	Firepower 1010E	Firepower 2110 2120 2130 2140	Secure Firewall 3110 3120 3130 3140	Firepower 4110 4112 4115 4120 4125 4140 4145 4150	Firepower 9300	ISA 3000
9.18(3)	7.19(1.90)	YES	YES	YES	YES	YES	YES	YES	YES
9.18(2.218)	7.18(2.1)	—	—	YES	—	—	—	—	—
9.18(2)	7.18(1.152)	YES	YES	—	YES	YES	YES	YES	YES
9.18(1)	7.18(1)	YES	YES	—	YES	YES	YES	YES	YES
9.17(1.13)	7.18(1.152)	YES	YES	—	YES	YES	YES	YES	YES
9.17(1)	7.17(1)	YES	YES	—	YES	YES	YES	YES	YES

ASA 9.16 to 9.15

Releases in bold are the recommended versions.

Note

ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.15(1) can manage an ASA 5516-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.15 with ASA 9.16. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.16(1.15) with ASDM 7.16(1).
ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 3. ASA and ASDM Compatibility: 9.16 to 9.15
ASA	ASDM	ASA Model
ASA	ASDM	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASAv	Firepower 1010 1120 1140 1150	Firepower 2110 2120 2130 2140	Firepower 4110 4112 4115 4120 4125 4140 4145 4150	Firepower 9300	ISA 3000
9.16(4)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES
9.16(3.19)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES
9.16(3)	7.16(1.150)	YES	YES	YES	YES	YES	YES	YES
9.16(2)	7.16(1.150)	YES	YES	YES	YES	YES	YES	YES
9.16(1)	7.16(1)	YES	YES	YES	YES	YES	YES	YES
9.15(1)	7.15(1)	YES	YES	YES	YES	YES	YES	YES

ASA 9.14 to 9.13

Releases in bold are the recommended versions.

Note

ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1). ASDM 7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.13 with ASA 9.14. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.14(1.2) with ASDM 7.14(1).
ASA 9.14(4.14) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 4. ASA and ASDM Compatibility: 9.14 to 9.13
ASA	ASDM	ASA Model
ASA	ASDM	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASA 5525-X 5545-X 5555-X	ASAv	Firepower 1010 1120 1140 1150	Firepower 2110 2120 2130 2140	Firepower 4110 4112 4115 4120 4125 4140 4145 4150	Firepower 9300	ISA 3000
9.14(4.14)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(4.6)	7.17(1.152)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(4)	7.17(1)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(3)	7.16(1.150)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(2)	7.14(1.48)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(1.30)	7.14(1.48)	YES	YES	YES	YES	YES	YES	YES	YES
9.14(1.6)	7.14(1.48)	—	—	YES (+ASAv100)	—	—	—	—	—
9.14(1)	7.14(1)	YES	YES	YES	YES	YES	YES	YES	YES
9.13(1)	7.13(1)	YES	YES	YES	YES	YES	YES (except 4112)	YES	YES

ASA 9.12 to 9.5

Releases in bold are the recommended versions.

Note

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1).
ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 5. ASA and ASDM Compatibility: 9.12 to 9.5
ASA	ASDM	ASA Model
ASA	ASDM	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASA 5512-X 5515-X 5525-X 5545-X 5555-X	ASA 5585-X	ASAv	ASASM	Firepower 2110 2120 2130 2140	Firepower 4110 4120 4140 4150	Firepower 4115 4125 4145	Firepower 9300	ISA 3000
9.12(4.50)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(4)	7.13(1.101)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(3)	7.12(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(2)	7.12(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(1)	7.12(1)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.10(1)	7.10(1)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.9(2)	7.9(2)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.9(1)	7.9(1)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.8(4.45)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.8(4)	7.12(1)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.8(3)	7.9(2.152)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.8(2)	7.8(2)	YES	YES	YES	YES	YES	YES	YES	—	YES	YES
9.8(1.200)	No support	—	—	—	YES	—	—	—	—	—	—
9.8(1)	7.8(1)	YES	YES	YES	YES (+ASAv50)	YES	—	YES	—	YES	YES
9.7(1.4)	7.7(1)	YES	YES	YES	YES	YES	—	YES	—	YES	YES
9.6(4)	7.9(1)	YES	YES	YES	YES	YES	—	YES	—	YES	YES
9.6(3.1)	7.7(1)	YES	YES	YES	YES	YES	—	YES	—	YES	YES
9.6(2)	7.6(2)	YES	YES	YES	YES	YES	—	YES	—	YES	YES
9.6(1)	7.6(1)	YES	YES	YES	YES	YES	—	YES (except 4150)	—	YES	YES
9.5(3.9)	7.6(2)	YES	YES	YES	YES	YES	—	—	—	—	YES
9.5(2.200)	7.5(2.153)	—	—	—	YES	—	—	—	—	—	—
9.5(2.2)	7.5(2)	—	—	—	—	—	—	—	—	YES	—
9.5(2.1)	7.5(2)	—	—	—	—	—	—	—	—	YES	—
9.5(2)	7.5(2)	YES	YES	YES	YES	YES	—	—	—	—	YES
9.5(1.200)	7.5(1)	—	—	—	YES	—	—	—	—	—	—
9.5(1.5)	7.5(1.112)	YES	YES	YES	YES	YES	—	—	—	—	—
9.5(1)	7.5(1)	YES	YES	YES	YES	YES	—	—	—	—	—

ASA and VPN Compatibility

For ASA and VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

Firepower 4100/9300 Compatibility with ASA and Threat Defense

The following table lists compatibility between the ASA and threat defense applications with the Firepower 4100/9300.

The bold versions listed below are specially-qualified companion releases. You should use these software combinations whenever possible because Cisco performs enhanced testing for these combinations.

For upgrading, see the following guidelines:

FXOS—For 2.2.2 and later, you can upgrade directly to a higher version. When upgrading from versions earlier than 2.2.2, you need to upgrade to each intermediate version. Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:
1. FXOS 2.2→FXOS 2.11 (the highest version that supports 9.8)
2. ASA 9.8→ASA 9.17 (the highest version supported by 2.11)
3. FXOS 2.11→FXOS 2.13
4. ASA 9.17→ASA 9.19
Threat Defense—Interim upgrades may be required for threat defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the management center upgrade guide for your version.
ASA—ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.

Note

This section applies only to the Firepower 4100/9300. Other models utilize FXOS only as an underlying operating system that is included in the ASA and threat defense unified image bundles. For the Secure Firewall 3100 in multi-instance mode, see the Threat Defense compatibility guide.

Note

FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.

Note

FXOS 2.12/ASA 9.18/Threat Defense 7.2 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.

Table 6. ASA or Threat Defense, and Firepower 4100/9300 Compatibility

FXOS Version

Model

ASA Version

Threat Defense Version

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.15

9.14

7.3 (recommended)

7.2

7.1

7.0

6.7

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.15

9.14

9.13

9.12

7.3 (recommended)

7.2

7.1

7.0

6.7

6.6

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.15

9.14

7.2 (recommended)

7.1

7.0

6.7

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.15

9.14

9.13

9.12

7.2 (recommended)

7.1

7.0

6.7

6.6

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.15

9.14

9.13

9.12

7.2 (recommended)

7.1

7.0

6.7

6.6

6.5

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.15

9.14

7.1 (recommended)

7.0

6.7

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.15

9.14

9.13

9.12

7.1 (recommended)

7.0

6.7

6.6

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.15

9.14

9.13

9.12

9.9

9.8

7.1 (recommended)

7.0

6.7

6.6

6.5

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.15

9.14

7.0 (recommended)

6.7

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.15

9.14

9.13

9.12

7.0 (recommended)

6.7

6.6

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.15

9.14

9.13

9.12

9.9

9.8

7.0 (recommended)

6.7

6.6

6.5

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.15 (recommended)

9.14

6.7 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.15 (recommended)

9.14

9.13

9.12

6.7 (recommended)

6.6

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.15 (recommended)

9.14

9.13

9.12

9.9

9.8

6.7 (recommended)

6.6

6.5

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.13

9.12

Note

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

6.6.1+ requires FXOS 2.8(1.125)+.

6.5

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.13

9.12

9.9

9.8

6.6 (recommended)

Note

6.6.1+ requires FXOS 2.8(1.125)+.

6.5

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.7

Firepower 4145

Firepower 4125

Firepower 4115

9.13 (recommended)

9.12

Note

Firepower 9300 SM-56 requires ASA 9.12.2+

6.5 (recommended)

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.13 (recommended)

9.12

9.9

9.8

6.5 (recommended)

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)+

Note

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.9

9.8

6.4 (recommended)

6.2.3

6.1

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.9

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)+

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9 (recommended)

9.8

Note

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

6.2.3.16+ requires FXOS 2.3.1.157+

6.1

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.9 (recommended)

9.8

Note

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.1

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.0(1)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

ASA versions are EoL

6.1.0

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

Firepower 1000/2100 and Secure Firewall 3100 ASA and FXOS Bundle Versions

Firepower 1000/2100 and Secure Firewall 3100 platforms utilize FXOS as an underlying operating system that is included in the ASA unified image bundles. The following table lists the ASA and FXOS versions in each released bundle.

Note

You cannot install ASA or FXOS separately; you must install them both as part of the bundle.

Table 7. ASA Firepower 1000/2100 and Secure Firewall 3100 ASA and FXOS Bundle Versions
ASA Bundle Version	FXOS Version
9.19(1)	2.13(0.198)
9.18(3)	2.12(0.468)
9.18(2)	2.12(0.438)
9.18(1)	2.12(0.31)
9.17(1)	2.11(1.154)
9.16(3)	2.10(1.189)
9.16(2)	2.10(1.162)
9.16(1)	2.10(1.159)
9.15(1)	2.9(1.131)
9.14(3)	2.8(1.157)
9.14(2)	2.8(1.134)
9.14(1.30)	2.8(1.129)
9.14(1)	2.8(1.105)
9.13(1)	2.7(1.107)
9.12(4)	2.6(1.198)
9.12(3)	2.6(1.156)
9.12(2)	2.6(1.141)
9.12(1)	2.6(1.113)
9.10(1)	2.4(1.92)
9.9(2)	2.3(1.77)
9.9(1)	2.3(1.54)
9.8(4)	2.2(2.119)
9.8(3)	2.2(2.90)
9.8(2)	2.2(2.52)

ASA Virtual Hypervisor Compatibility

You can deploy the ASA virtual on the following hypervisors.

Note

ASA virtual deployment on a platform using nested or multi-level hypervisor is not supported.

Table 8. ASA Virtual Hypervisor Compatibility

Hypervisor

Version and Details

ASA Virtual OS

Alibaba Cloud

ASA 9.18(x) and later

Alibaba Cloud supports the ASAv5, ASAv10 and ASAv30 models on the following instance types:

ecs.g5ne.large (ASAv5 and ASAv10)
ecs.g5ne.xlarge, ecs.g5ne.2xlarge, ecs.g5ne.4xlarge (ASAv5, ASAv10 and ASAv30)

Note

The ASAv50 and ASAv100 are not supported on Alibaba Cloud.

ASA 9.18(x)

Amazon Web Services

ASA 9.17(x) and later

Amazon Web Services supports the following instance types:

c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge
c5d.large, c5d.xlarge, c5d.2xlarge, c5d.4xlarge
c5ad.large, c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge
m5n.large, m5n.xlarge, m5n.2xlarge, m5n.4xlarge
m5zn.large, m5zn.xlarge, m5zn.2xlarge

ASA 9.14(x) and later

Amazon Web Services supports the following instance types:

c5.4xlarge
c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge

ASA 9.13(x) and later

ASAv50 support added.
ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You can deploy the ASA Virtual on a wide variety of Amazon Web Services instances types such as:
- c5.large, c5.xlarge, c5.2xlarge, c4.2xlarge, c3.2xlarge, m4.2xlarge

ASA 9.12(x) and earlier

Amazon Web Services supports the ASAv10 and ASAv30 models on the following instance types:

c3.large, c4.large, and m4.large instances (ASAv10)
c3.xlarge, c4.xlarge, and m4.xlarge instances (ASAv30)

Note

The ASAv100 is not supported on Amazon Web Services.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

Kernel-based Virtual Machine (KVM)

qemu-kvm, libvirt-bin, bridge-utils, virt-manager, genisoimage, virtinst, and virsh tools (part of KVM installation).
Linux Ubuntu 18.04 LTS host.

The ASA Virtual has been extensively tested on an Ubuntu 18.04 LTS host, but you can use other Linux distributions.

ASA 9.14(x)

ASAv100 support added.

ASA 9.13(x)

ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a KVM private cloud environment.

ASA 9.8(x)

ASAv50 support added.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(2.200), 9.3(3)

Microsoft Azure

ASA 9.17(x) and later

Microsoft Azure supports the following instance types:

Standard_D8s_v3
Standard_D16s_v3
Standard_F8s_v2
Standard_F16s_v2

ASA 9.15(x) and later

Microsoft Azure supports the following instance types:

D5, DS5, D5_v2, DS5_v2, D16_v3
F16, F16s

ASA 9.13(x) and later

ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You can deploy the ASA Virtual on a wide variety of Microsoft Azure instances types such as.
- DS3, DS3_v2, D4, D4_v2, DS4, DS4_v2, D8_v3
- F4, F4s, F8, F8s
ASAv50 support added.

ASA 9.12(x) and earlier

Microsoft Azure supports the ASAv5, ASAv10, and ASAv30 models on the following instance types:

Standard D3 instance
Standard D3_v2 instance

Note

The ASAv100 is not supported on Microsoft Azure.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(2), 9.6(3), 9.6(4)

ASA 9.5(2.200), 9.5(3)

Google Cloud Platform (GCP)

Google Cloud Platform (GCP) supports the ASA Virtual on the following GCP machine types:

c2-standard-4 (ASAv5, ASAv10, and ASAv30)
c2-standard-8 (ASAv50)
c2-standard-16 (ASAv100)

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

OpenStack

OpenStack supports the ASA Virtual:

Enabling OpenStack platform support for ASA Virtual allows you to run ASA Virtual on open source cloud platforms.
OpenStack uses a KVM hypervisor to manage virtual resources.
ASA Virtual devices are already supported on the KVM hypervisor. Therefore, there is no extra addition of kernel packages or drivers to enable OpenStack support.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

Oracle Cloud Infrastructure (OCI)

Oracle Cloud Infrastructure (OCI) supports the ASA Virtual on the following OCI shape types:

VM.Standard2.4 (ASAv5, ASAv10, and ASAv30)
VM.Standard2.8 (ASAv50 and ASAv100)

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

VMware vSphere

7.0:

ESXi Server
(Optional) vCenter Server
vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

6.0, 6.5, 6.7:

ESXi Server
(Optional) vCenter Server
vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.14(x)

ASAv100 support added.

ASA 9.13(x) and later

ASAv Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a VMware private cloud environment.

ASA 9.8(x)

ASAv50 support added.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(x)

ASA 9.3(x)

ASA 9.2(x)

5.x:

ESXi Server
vCenter Server
vSphere Web Client or vSphere Client for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

You cannot install the ASA Virtual directly on an ESXi host without using vCenter.

Note

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

You can now install the ASA Virtual directly on an ESXi host without using vCenter.
OVFTool support

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x) (ASAv100 support added)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x) (ASAv50 support added)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(x)

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

Microsoft Hyper-V

The Microsoft Hyper-V hypervisor supports the ASAv5, ASAv10, and ASAv30 models.

Note

The ASAv50 and ASAv100 are not supported on Microsoft Hyper-V.

ASA 9.13(x) and later

ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a Microsoft Hyper-V private cloud environment.

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(x)

ASA 9.7(x)

ASA 9.6(x)

ASA 9.5(1.200), 9.5(2), 9.5(3)

Cisco Defense Orchestrator (CDO) Compatibility with the ASA

CDO can manage all platforms running ASA 8.4 and later (see ASA and ASDM Compatibility Per Model), except for the ASA Services Module (ASASM), which is not supported by CDO.

CDO can onboard an ASA running ASA 8.3 but cannot deploy changes to it or manage it in any other way. Support is "read-only."

CDO does not support management of the ASA FirePOWER module, which runs a different operating system from ASA. You can still use the ASA FirePOWER module in your system, but you need to manage it separately with Firepower Management Center or ASDM.

There may be a CDO feature that does not support all versions of ASA, such as ASA upgrades from pre-9.12 versions. In those cases, the CDO documentation will list any version exceptions with the prerequisites for that feature.

ASA REST API Compatibility

The following table lists ASA REST API and ASA compatibility.

Note

The ASA 5506-X series does not support the REST API if you are running the FirePOWER module Version 6.0 or later. Disable the ASA REST API using the no rest-api agent command.

Table 9. ASA REST API Compatibility
ASA	ASA REST API	ASA Model
ASA	ASA REST API	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASA 5512-X 5515-X	ASA 5525-X 5545-X 5555-X	ASA 5585-X	ASAv	ASASM	Firepower 1010 1120 1140 1150	Firepower 2110 2120 2130 2140	Firepower 4110 4120 4140 4150	Firepower 4112 4115 4125 4145	Firepower 9300	ISA 3000
9.16(x)	7.16(x)	YES	—	—	—	YES	—	—	—	YES	—	YES	YES
9.15(x)	7.15(x)	YES	—	—	—	YES	—	—	—	YES	—	YES	YES
9.14(x)	7.14(x)	YES	—	YES	—	YES	—	—	—	YES	—	YES	YES
9.13(x)	7.13(x) The version changed with this release to match the ASDM number.	YES	—	YES	—	YES	—	—	—	YES	—	YES	YES
9.12(x)	1.3(2.346)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.10(x)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.9(x)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.8(x)	1.3(2)	YES	YES	YES	YES	YES (+ASAv50)	—	—	—	YES	—	YES	YES
9.7(1.4)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.6(4)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.6(3.1)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.6(2)	1.3(2)	YES	YES	YES	YES	YES	—	—	—	YES	—	YES	YES
9.6(1)	1.3(1)	YES	YES	YES	YES	YES	—	—	—	YES (except 4150)	—	YES	YES
9.5(3.9)	1.2(2.200)	YES	YES	YES	YES	YES	—	—	—	—	—	—	YES
9.5(2.200)	1.2(2.200)	—	—	—	—	YES	—	—	—	—	—	—	—
9.5(2.2)	1.2(2)	—	—	—	—	—	—	—	—	—	—	YES	—
9.5(2.1)	1.2(2)	—	—	—	—	—	—	—	—	—	—	YES	—
9.5(2)	1.2(2)	YES	YES	YES	YES	YES	—	—	—	—	—	—	YES
9.5(1.200)	1.2(1)	—	—	—	—	YES	—	—	—	—	—	—	—
9.5(1.5)	1.2(1)	YES	YES	YES	YES	YES	—	—	—	—	—	—	—
9.5(1)	1.2(1)	YES	YES	YES	YES	YES	—	—	—	—	—	—	—
9.4(3)	1.2(1) 1.1(1)	YES	YES	YES	YES	YES	—	—	—	—	—	—	—
9.4(2.146)	1.1(2)	—	—	—	—	—	—	—	—	—	—	YES	—
9.4(2.145)	1.1(2)	—	—	—	—	—	—	—	—	—	—	YES	—
9.4(2)	1.2(1) 1.1(1)	YES	YES	YES	YES	YES	—	—	—	—	—	—	—
9.4(1.225)	1.2(1)	—	—	—	—	—	—	—	—	—	—	—	YES
9.4(1.200)	1.2(1) 1.1(1)	—	—	—	—	YES	—	—	—	—	—	—	—
9.4(1.152)	1.1(2)	—	—	—	—	—	—	—	—	—	—	YES	—
9.4(1)	1.2(1) 1.1(1)	YES	YES	YES	YES	YES	—	—	—	—	—	—	—
9.3(2.200)	1.2(1)+ 1.1(1) 1.0(1)	—	—	—	—	YES	—	—	—	—	—	—	—
9.3(2)	1.2(1) 1.1(1) 1.0(1)	YES (ASA 5506-X only)	YES	YES	YES	YES	—	—	—	—	—	—	—

Smart Licensing Agent Version per ASA Release

The following Smart Agent versions are used in ASA software for communication with the Smart Licensing server.

Table 10.
ASA Version	Smart Agent Version
9.14	4.9.3
9.13	4.9.3
9.12	4.3.6
9.10	4.3.6
9.9	1.6.14_rel/129

ASA 5506W-X Wireless Access Point Software Compatibility

The ASA 5506W-X includes a Cisco Aironet 702i wireless access point integrated into the ASA. The access point includes an autonomous Cisco IOS image, which enables individual device management. You can install the lightweightimage if you want to add the ASA 5506W-X to a Cisco Unified Wireless Network and use a wireless LAN controller. See the Converting Autonomous Access Points to Lightweight Mode chapter in the Cisco Wireless Control Configuration Guide for more information about using the lightweight image in unified mode.

The following table shows the supported software for the access point as well as the supported Cisco Wireless LAN Controller software if you convert to unified mode.

Table 11. ASA 5506W-X Wireless Access Point Software Compatibility
Built-in Access Point	Cisco IOS Release	Cisco Wireless LAN Controller Release
Aironet 702i	15.3(3)JBB+	8.1.102.0+

ASA and ASA FirePOWER Module Compatibility

Compatibility Table

The following table shows the ASA, ASDM, and ASA FirePOWER support. If you are using an FMC to manage ASA FirePOWER, you can ignore the ASDM requirements.

Note that:

ASA 9.16(x)/ASDM 7.16(x)/Firepower 7.0.0/7.0.x is the final version for the ASA FirePOWER module on the ASA 5508-X, 5516-X, and the ISA 3000.
ASA 9.14(x)/ASDM 7.14(x)/FirePOWER 6.6.0/6.6.x is the final version for the ASA FirePOWER module on the ASA 5525-X, 5545-X, and 5555-X.
ASA 9.12(x)/ASDM 7.12(x)/FirePOWER 6.4.0 is the final version for the ASA FirePOWER module on the ASA 5515-X and 5585-X.
ASA 9.9(x)/ASDM 7.9(2)/FirePOWER 6.2.3 is the final version for the ASA FirePOWER module on the ASA 5506-X series and 5512-X.

ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1). ASDM 7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

Table 12. ASA and ASA FirePOWER Compatibility
ASA FirePOWER Version	ASDM Version (for local mgmt)	ASA Version	ASA Model
ASA FirePOWER Version	ASDM Version (for local mgmt)	ASA Version	5506-X Series	5508-X 5516-X	5512-X	5515-X	5525-X 5545-X 5555-X	5585-X (See below for SSP notes)	ISA 3000
7.0.x	ASDM 7.16(1)	ASA 9.16(x) ASA 9.15(x) ASA 9.14(x) ASA 9.13(x) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	—	—	—	YES
6.7.x	ASDM 7.15(1)	ASA 9.16(x) ASA 9.15(x) ASA 9.14(x) ASA 9.13(x) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	—	—	—	YES
6.6.x	ASDM 7.14(1)	ASA 9.16(x) (No 5525-X, 5545-X, 5555-X) ASA 9.15(x) (No 5525-X, 5545-X, 5555-X) ASA 9.14(x) ASA 9.13(x) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	—	YES	—	YES
6.5.0	ASDM 7.13(1)	ASA 9.16(x) (No 5525-X, 5545-X, 5555-X) ASA 9.15(x) (No 5525-X, 5545-X, 5555-X) ASA 9.14(x) ASA 9.13(x) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	—	YES	—	YES
6.4.0	ASDM 7.12(1)	ASA 9.16(x) (No 5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5515-X, 5585-X) ASA 9.13(x) (No 5515-X, 5585-X) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	YES	YES	YES	YES
6.3.0	ASDM 7.10(1)	ASA 9.16(x) (No 5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5515-X, 5585-X) ASA 9.13(x) (No 5515-X, 5585-X) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3)	—	YES	—	YES	YES	YES	YES
6.2.3	ASDM 7.9(2)	ASA 9.16(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.13(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.12(x) (No 5506-X, 5512-X) ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X)	YES	YES	YES	YES	YES	YES	—
6.2.2	ASDM 7.8(2)	ASA 9.16(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.13(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.12(x) (No 5506-X, 5512-X) ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X)	YES	YES	YES	YES	YES	YES	—
6.2.0	ASDM 7.7(1)	ASA 9.16(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.13(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.12(x) (No 5506-X, 5512-X) ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X)	YES	YES	YES	YES	YES	YES	—
6.1.0	ASDM 7.6(2)	ASA 9.16(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.13(x) (No 5506-X, 5512-X, 5515-X, 5585-X) ASA 9.12(x) (No 5506-X, 5512-X) ASA 9.10(x) (No 5506-X, 5512-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) (No 5506-X)	YES	YES	YES	YES	YES	YES	—
6.0.1	ASDM 7.6(1) (no ASA 9.4(x) support with ASDM; only FMC)	ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later.	YES	YES	YES	YES	YES	YES	—
6.0.0	ASDM 7.5(1.112) (no ASA 9.4(x) support with ASDM; only FMC)	ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) Due to CSCuv91730, we recommend that you upgrade to 9.4(2) and later.	YES	YES	YES	YES	YES	YES	—
5.4.1.7+	ASDM 7.5(1.112) (no ASA 9.4(x) support with ASDM; only FMC)	ASA 9.16(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.15(x) (No 5506-X, 5512-X,5515-X, 5525-X, 5545-X, 5555-X, 5585-X) ASA 9.14(x) (No 5506-X) ASA 9.13(x) (No 5506-X) ASA 9.12(x) (No 5506-X) ASA 9.10(x) (No 5506-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.4(1.225) (ISA 3000 only) ASA 9.3(2), 9.3(3) (no 5508-X or 5516-X) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.	YES	YES	—	—	—	—	YES
5.4.1	ASDM 7.3(3)	ASA 9.16(x) (No 5506-X) ASA 9.15(x) (No 5506-X) ASA 9.14(x) (No 5506-X) ASA 9.13(x) (No 5506-X) ASA 9.12(x) (No 5506-X) ASA 9.10(x) (No 5506-X) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.3(2), 9.3(3) (5506-X only) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.	YES	YES	—	—	—	—	—
5.4.0.2+	—	ASA 9.14(x) (No 5512-X, 5515-X, 5585-X) ASA 9.13(x) (No 5512-X, 5515-X, 5585-X) ASA 9.12(x) ASA 9.10(x) ASA 9.9(x) ASA 9.8(x) ASA 9.7(x) ASA 9.6(x) ASA 9.5(1.5), 9.5(2), 9.5(3) ASA 9.4(x) ASA 9.3(2), 9.3(3) Due to CSCuv91730, we recommend that you upgrade to 9.3(3.8) or 9.4(2) and later.	—	—	YES	YES	YES	YES	—
5.4.0.1	—	ASA 9.2(2.4), 9.2(3), 9.2(4) Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later.	—	—	YES	YES	YES	YES	—
5.3.1	—	ASA 9.2(2.4), 9.2(3), 9.2(4) Due to CSCuv91730, we recommend that you upgrade to 9.2(4.5) and later.	—	—	YES	YES	YES	YES	—

ASA 5585-X SSP Compatibility

Same level SSPs

ASA FirePOWER SSP -10, -20, -40, and -60

Requirements: Install in slot 1, with matching-level ASA SSP in slot 0

Mixed level SSPs

Support for the following combinations starts with version 5.4.0.1.

ASA SSP-10/ASA FirePOWER SSP-40
ASA SSP-20/ASA FirePOWER SSP-60
ASA SSP-40/ASA FirePOWER SSP-60

Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1

Note

For the SSP40/60 combination, you might see an error message that this combination is not supported. You can ignore the message.

Secure Firewall 3100 Network Module Compatibility

Table 13. Secure Firewall 3100 Network Module Compatibility

Modules Supported

Model

ASA OS

6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR3K-XNM-6X1SXF)
6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-6X10SRF)
6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X10LRF)
8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR3K-XNM-8X1GF)

Secure Firewall 3110
Secure Firewall 3120
Secure Firewall 3130
Secure Firewall 3140

9.18(2)+

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-X25SRF)
6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X25LRF)

Secure Firewall 3130
Secure Firewall 3140

9.18(2)+

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

8-port 1-Gb copper hardware bypass network module, RJ45 copper (FPR3K-XNM-8X1GF)
8-port 1/10-Gb SFP+ network module (FPR3K-XNM-8X10G)
8-port 1/10/25-Gb ZSFP network module (FPR3K-XNM-8X25G)

Secure Firewall 3110
Secure Firewall 3120
Secure Firewall 3130
Secure Firewall 3140

9.18(x)

9.17(x)

4-port 40-Gb QSFP+ network module (FPR3K-XNM-4X40G)

Secure Firewall 3130
Secure Firewall 3140

9.18(x)

9.17(x)

Firepower 2100 Network Module Compatibility

Note

If a network module is listed for multiple Firepower models, and the part number only differs in the model number (FPRXK-NM-module), then that module is compatible with the other Firepower models. For example, the FPR9K-NM-6X10SR-F module is compatible on the Firepower 2100 (FPR2K-NM-6X10SR-F) and Firepower 4100 (FPR4K-NM-6X10SR-F). See the FXOS compatibility guide for information about Firepower 4100 and 9300 network modules.

Table 14. Firepower 2100 Network Module Compatibility

Modules Supported

Model

ASA OS

Firepower 6-port 1G SX FTW Network Module single-wide (FPR2K-NM-6X1SX-F)
Firepower 6-port 10G SR FTW Network Module single-wide (FPR2K-NM-6X10SR-F)
Firepower 6-port 10G LR FTW Network Module single-wide (FPR2K-NM-6X10LR-F)

Firepower 2130

Firepower 2140

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 8-port 1G Network Module single-wide (FPR2K-NM-8X1G)

Firepower 2130

Firepower 2140

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

Firepower 8-port 10G Network Module single-wide (FPR2K-NM-8X10G)

Firepower 2130

Firepower 2140

ASA 9.18(x)

ASA 9.17(x)

ASA 9.16(x)

ASA 9.15(x)

ASA 9.14(x)

ASA 9.13(x)

ASA 9.12(x)

ASA 9.10(x)

ASA 9.9(x)

ASA 9.8(2), 9.8(3)

ASA and Threat Defense Clustering External Hardware Support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. Clustering is compatible with technologies such as vPC (Nexus), VSS (Catalyst), and StackWise & StackWise Virtual (Catalyst).

Switch Requirements

All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.
EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.
On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.
On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.
On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

The switch should provide uniform traffic distribution over the EtherChannel's individual links.
The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.
The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.

Note

For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.

Note

Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.

ASA and Cisco Application Policy Infrastructure Controller (APIC) Compatibility

The platforms supported include:

ASA 5525-X, 5545-X, and 5555-X (8.6(x)—9.14(x))
ASA 5512-X, 5515-X (8.6(x)—9.12(x))
ASA 5585-X (8.4(x)—9.12(x))
ASAv (9.2(x) and newer)
Firepower 4100 and 9300 (9.6(x) and newer)
Firepower 2100 (9.8(x) and newer)

The following table lists the supported ASA device packages, ASA versions, and APIC versions.

Table 15. ASA Device Package, ASA, and APIC Compatibility
ASA Device Package Version	Integration Model	APIC Version	ASA Version
1.3(12.4)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—5.0(2)	8.4(x)—9.16(x)
1.3(12.3)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—4.1(1)	8.4(x)—9.12(x)
1.3(11.22)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—4.0(1)	8.4(x)—9.10(x)
1.3(10.24)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1*)	8.4(x)—9.8(x)
1.2(12.3)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.16(x)
1.2(12.2)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.12(x)
1.2(11.16)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.10(1)
1.2(10.26)	Policy Orchestration Fabric Insertion	3.0(2*)	8.4(x)—9.8(x)
1.2(9.18)	Policy Orchestration Fabric Insertion	3.0(1*)	8.4(x)—9.8(x)
1.2(8.9)	Policy Orchestration Fabric Insertion	2.2(2*)	8.4(x)—9.7(x)
1.2(7.x)	Policy Orchestration Fabric Insertion	2.1(1*)	8.4(x)—9.6(2)
1.2(6.15)	Policy Orchestration	2.0(1*)	8.4(x)—9.5(2)
1.2(5.21)	Policy Orchestration	1.3(1*)	8.4(x)—9.5(1)
1.2(5.5)	Policy Orchestration	1.2(2*)	8.4(x)—9.4(x)

Note

We do not recommend using any ASA device package older than 2016.

Note

Policy Orchestration = Service Policy Mode = Fully Managed Mode.

Note

Fabric Insertion = Customized ASA device package for L2-3 automation only.

End-of-Life Announcements

For a list of all Cisco End-of-Life platforms, see End-of-Sale and End-of-Life Products.

See the following pages for ASA software and hardware End-of-Life announcements:

Additional Resources

See the following additional resources:

Cisco’s Next Generation Firewall Product Line Software Release and Sustaining Bulletin

Cisco Secure Firewall ASA Compatibility

Available Languages

Download Options

Bias-Free Language

Cisco Secure Firewall ASA Compatibility

ASA and ASDM Compatibility Per Model

ASA 9.19

ASA 9.18 to 9.17

ASA 9.16 to 9.15

ASA 9.14 to 9.13

ASA 9.12 to 9.5

ASA and VPN Compatibility

Firepower 4100/9300 Compatibility with ASA and Threat Defense

Firepower 1000/2100 and Secure Firewall 3100 ASA and FXOS Bundle Versions

ASA Virtual Hypervisor Compatibility

Cisco Defense Orchestrator (CDO) Compatibility with the ASA

ASA REST API Compatibility

Smart Licensing Agent Version per ASA Release

ASA 5506W-X Wireless Access Point Software Compatibility

ASA and ASA FirePOWER Module Compatibility

Compatibility Table

ASA 5585-X SSP Compatibility

Secure Firewall 3100 Network Module Compatibility

Firepower 2100 Network Module Compatibility

ASA and Threat Defense Clustering External Hardware Support

Switch Requirements

Switch Recommendations

ASA and Cisco Application Policy Infrastructure Controller (APIC) Compatibility

End-of-Life Announcements

Additional Resources

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products