Cisco's firewall appliances monitor network traffic and determine whether to permit specific traffic based on defined security rules (policies). Unlike pure switches or routers, firewalls can provide transport-layer and application-layer filtering. Cisco's ASA 5500-X Next Generation Firewall (NGFW) Series is designed to replace Cisco's older ASA 5500 family of firewalls, which in turn supplanted Cisco's PIX firewalls. All these products combine Cisco's proven firewall technology with increasingly sophisticated intrusion prevention system (IPS) capabilities. Advantages of the ASA 5500-X line over legacy Cisco firewalls include a 64-bit architecture and multicore CPU technology, higher firewall and VPN throughput, more flexible management options, compatibility with Cisco's powerful advanced security services, and the ability to run multiple security services simultaneously without compromising performance.
With Cisco's acquisition of Sourcefire, the extensive line of Cisco ASA 5500-X firewalls are available with Firepower Services, based on the world's most widely deployed IPS solution and featuring enhanced capabilities such as advanced malware protection, URL filtering, analytics and automation.
Versions of ASA 5500-X firewalls are available to meet the budgets and operational requirements of small and mid-size organizations ranging from branches offices to enterprises. The combination of improved performance plus new firewall services and management options offered by Cisco for the ASA 5500-X family allow IT departments to address the momentous changes in the networking landscape such as bring-your-own-device (BYOD) and cloud computing and to deal with the 100,000-plus web-based threats that appear daily.
Progent's Cisco-certified CCIE network consultants and information security specialists can help you manage and troubleshoot your ASA 5500-X firewalls, reimage your older ASA 5500-X devices to support Firepower services, migrate from older ASA 5500 or PIX firewalls to ASA 5500-X models, configure additional ASA 5500-X devices, implement and validate security policies, connect your on-premises firewalls with public cloud services, tune your firewall configuration to optimize performance, and integrate ASA 5500-X firewall with Cisco Firepower Management Center for centralized management of your security infrastructure.
Basic Firewall Security Services for Cisco's ASA 5500-X Series
First generation Cisco ASA 5500-X firewalls are capable of running Cisco's basic software-based and cloud-based security services without requiring additional hardware modules.
Standard Cisco Security Services that can be run with ASA 5500-X firewalls include:
Firepower Services for Cisco ASA
- Cisco Security Intelligence Operations (SIO) to protect against zero-day threats by providing near-real-time threat intelligence feeds to WSE, IPS, and CWS
- Application Visibility and Control (AVC) to manage individual and group access to specific components of an application and to control certain behaviors within micro-applications
- Web Security Essentials for reputation-based security policies to control access to web sites and applications
- Built-in Cisco IPS for HIPPA, PCI and NERC CIP compliant threat mitigation that combines passive OS fingerprinting with reputation and features on-box and off-box analyses
- Cisco ASA Botnet Traffic Filter (BTF) for detecting rogue activity and infected end points
- Integration with Cisco AnyConnect Mobility Client with VPN split-tunneling to allow critical business applications while excluding unauthorized personal apps
- Cisco Cloud Web Security (CWS) utilizes a worldwide network of data centers to provide web security and application visibility
- Support for native VPN clients such as Apple iOS and Android clients
Cisco ASA 5500-X firewalls can support Cisco's ASA Firepower Services to provide layered threat protection in a single appliance. Firepower support is enabled via software modules for all ASA 5500-X models except the ASA 5585-X, which requires a hardware module. Newer ASA 5500-X models ship with Firewall preinstalled and others can be reimaged with Firepower software. ASA Firepower Services include the software-based features of Cisco's Firepower 4100 Series and Firepower 9300 Series firewall appliances. These software features include:
- Multi-layered threat protection against both familiar and new threats including targeted and persistent malware attacks
- Advanced Malware Protection (AMP) based on big data technology to detect and control breaches
- A next-generation intrusion prevention system (NGIPS) that offers contextual awareness of users, infrastructure, applications, and content to help detect multi-vector threats, automate remediation, and determine the root cause of security breaches
- Granular Application Visibility and Control (AVC) with thousands of application-layer and risk-based controls that can activate custom IPS threat detection policies
Key security features of Firepower Services for Cisco ASA 5500-X Firewalls
Smaller organizations with simpler deployments of ASA 5500-X firewalls can manage and monitor the devices locally using Cisco's on-device Adaptive Security Device Manager (ASDM), which is included with all configurations. The on-box ASDM manager includes a simple web interface that allows you to configure, monitor, and troubleshoot Cisco firewall appliances and service modules.
For more complex deployments including multi-site environments you can centrally manage ASA 5500-X Firepower software and hardware modules with Firepower Management Center physical or virtual appliances. Firepower Management Center offers in-depth unified firewall management, recognition and control over thousands of applications, intrusion defense, URL filtering, and AMP. Cisco has repeatedly rebranded and continuously refined the Firepower Management Center, which was originally the Sourcefire Defense Center and has been subsequently called the Defense Center, FireSIGHT Defense Center, and FireSIGHT Management Center.
Firepower Management Center offers ASA users expanded functionality over Cisco's ASDM on-box manager. Enhanced capabilities include contextual awareness and visibility including file trajectory, network AMP with client remediation, a dashboard with dynamically updated network visualization, automated threat assessment with prioritized impact analysis and policy tuning, full-featured IPS with preprocessor tuning, AVC with custom application detectors, custom health alerting, customization templates and export capabilities for reporting, plus APIs for remediation, host input and database access. Hardware-based features such as clustering, stacking, switching, routing, VPN, and NAT are managed using ASDM and ASA CLI instead of the Firepower Management Center.
Cisco's ASA 5500-X Product Family
Cisco's ASA 5500-X family of firewalls allows organizations to choose a model that delivers appropriate and affordable functionality. All ASA 5500-X appliances are built around Cisco's popular and time-tested stateful-inspection firewall, feature Cisco's new 64-bit multicore hardware architecture, and can run Cisco's advanced security services. The main differences among the various models in the ASA 5500-X family are capacity, performance, scalability, and fault tolerance. Progent can help you evaluate and deploy the firewalls that make the most sense for your current and anticipated requirements.
Cisco ASA 5506-X and ASA 5508-X Firewalls for Entry-level Deployments
Cisco's ASA 5506-X firewall is an entry-level security appliance designed for desktops or for wall mounting and available in standard, wireless and ruggedized versions. The ASA 5506-X supports firewall throughput of 300 Mbps, 10 IPsec site-to-site VPN peers (50 with a Cisco Security Plus license), up to 100 Mbps 3DEAS/AES VPN throughput, and Application Visibility and Control (AVC) throughput of 250 Mbps. The ASA 5506-X supports 20,000 concurrent sessions (50,000 with a Security Plus license), 5,000 new connections per second, and 5 VLANs (or 30 VLANs with Cisco's Security Plus license). The unit has eight 1 GE ports and does not have an expansion slot for additional ports.
Cisco's ASA 5508-X firewall is a 1RU firewall designed for small office and branch office deployments. The ASA 5508-X supports 500 Mbps of firewall throughput, 100 IPsec site-to-site VPN peers, 175 Mbps 3DEAS/AES VPN throughput, and 450 Mbps AVC performance. The ASA 5508-X can supports 100,000 concurrent sessions, 10,000 new connections per second, and 50 VLANs. The unit has eight integrated 1 GE ports and no expansion slot.
Cisco ASA 5512-X, ASA 5515-X and ASA 5516-X Firewalls for Small Offices and Branch Offices
Cisco's ASA 5512-X firewall is designed for small offices or branch offices. In contrast to the entry-level ASA 5505, the ASA 5512-X is packaged in a 1RU rack-mountable form factor and has built-in IPS capability. The ASA 5512-X offers multiprotocol firewall throughput of 500 Mbps, supports 250 IPsec site-to-site VPN peers, and delivers 3DEAS/AES VPN throughput of up to 200 Mbps and AVC throughput of 300 Mbps. The ASA 5512-X supports 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs (or 100 VLANs with Cisco's Security Plus license). The device has six integrated 10/100/1000 Ethernet ports and has one expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5515-X firewall is a high-performance 1RU firewall for small offices and branch offices. The ASA 5515-X supports 600 Mbps of firewall throughput, 250 IPsec VPN peers, 250 Mbps 3DEAS/AES VPN throughput, and AVC throughput of 500 Mbps. The ASA 5515-X supports 250,000 concurrent sessions, 15,000 new connections per second, and up to 100 VLANs. The firewall includes six integrated 10/100/1000 Ethernet ports or six SFP GE ports and has a single expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5516-X firewall is a 1RU firewall intended for small to mid-size office environments and supports 900 Mbps of stateful inspection multiprotocol throughput, 300 IPsec VPN peers, 250 Mbps 3DEAS/AES VPN throughput, and AVC throughput of 850 Mbps. The ASA 5515-X supports 250,000 concurrent sessions, 20,000 new connections per second, and 100 VLANs. The firewall includes eight integrated 1 GE ports and does not have a slot for I/O expansion.
Cisco ASA 5525-X, 5545-X and 5555-X Firewalls for the Internet Edge
Cisco's ASA 5525-X firewall is designed as a replacement for the older ASA 5520 firewall to provide midsize businesses with advanced security at the Internet Edge. The 1RU ASA 5525-X can deliver 1 Gbps of multiprotocol throughput and supports 300 VPN IPsec peers, 300 Mbps 3DES/AES VPN throughput, and Application Visibility and Control throughput of 1.1 Gbps. The ASA 5525-X can handle up to 500,000 concurrent sessions, 20,000 new connections per second, and as many as 200 VLANs. Eight 10/100/1000 ports are integrated with the ASA 5525-X firewall and an expansion slot supports six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5545-X firewall replaced the ASA 5540 firewall, now in end of life, and provides a solid mid-market product for Internet Edge security. The 1RU ASA 5545-X appliance features 1.5 Gbps multiprotocol firewall performance and supports 400 site-to-site VPN IPsec peers, 400 Mbps 3DES/AES VPN throughput, and AVC throughput of 1.5 Gbps. The ASA 5545-X can manage up to 750,000 concurrent connections, 30,000 new connections per second, and up to 300 VLANs. The ASA 5545-X includes eight integrated 10/100/1000 ports and has an expansion slot that supports six 10/100/1000 ports or six SFP GE ports.
The Cisco ASA 5555-X firewall takes the place of the discontinued ASA 5550 and offers midsize companies high-performance Internet Edge security. The ASA 5555-X supports 2 Gbps of multiprotocol firewall throughput, 700 VPN IPsec peers, 700 Mbps 3DES/AES VPN throughput, and application control throughput of 1.75 Gbps. The ASA 5555-X handles up to 1,000,000 concurrent connections, up to 50,000 new connections per second, and 500 VLANs. Eight integrated 10/100/1000 ports are included and an expansion slot supports six 10/100/1000 ports or six SFP GE ports.
Cisco ASA 5585-X Firewall
The high end of Cisco's ASA 5500-X line of firewalls is the ASA 5585-X, which is the only model packaged in a 2-slot chassis with a two rack unit (2RU) footprint. Designed to replace Cisco's earlier ASA 5580 firewall, the ASA 5585-X is suited for enterprise data centers, Internet service providers, and other mission-critical applications that require high throughput and connection capacity.
The bottom slot of the Cisco ASA 5585-X chassis holds the firewall/VPN Security Services Processor (SSP), and the top slot holds the IPS Security Services Processor (IPS SSP). Four SSPs and four IPS SSPs are available. Depending on the SSP installed, firewall throughput for the ASA 5585-X ranges from 2 to 20 Gbps, between 5,000 and 10,000 VPN IPsec peers are supported, 3DES/AES VPN throughput ranges from 2 to 10 Gbps, and AVC ranges from 4.5 Gbps to 15 Gbps. The ASA 5585-X supports from 500,000 to 4,000,000 concurrent sessions, from 40,000 to 160,000 new connections per second, and 1024 VLANs. Integrated I/O configurations can be either 8x10/100/1000 ports and 2x10 GE SFP+ ports or 6x10/100/1000 ports and 4x10 GE SFP+ ports. Expansion I/O can be 8x10 GE SFP/SFP+ ports, 4x10 GE SFP/SFP+ ports, or 12x1 GE SFP ports and 8x10/100/1000 ports.
How Progent Can Help You with Cisco ASA 5500-X Firewalls and Firepower Services
Cisco's ASA 5500-X firewalls are a critical component of a comprehensive network security solution. Designing, deploying, configuring, tuning and troubleshooting a cohesive security ecosystem based on Cisco ASA 5500-X firewalls with Firepower Services requires a broad set of information technology skills ranging from information security and compliance expertise to remote debugging. Progent offers consulting support for every aspect of network security. Services offered by Progent specific to Cisco's firewalls include needs assessment, product selection, pilot testing, deployment and integration, migration from legacy devices, upgrade services, system expansion or consolidation, training, and ongoing maintenance and support. Progent's Cisco-certified network engineers can provide ASA 5500-X firewall and Firepower Services support online anywhere or onsite in major metropolitan areas throughout the U.S. Progent offers as-needed technical support or system design guidance to help you through occasional technical roadblocks, or Progent can provide comprehensive project management or co-management services.
Common examples of remote consulting services provided by Progent to support Cisco ASA 5500-X firewalls with Firepower Services include:
Related services available from Progent to deliver and maintain comprehensive security solution include network vulnerability assessment and mitigation for devices and applications, data security ecosystem design, BYOD smartphone and tablet integration help including iPhone and iPad integration, Android phone and tablet consulting, and RIM BlackBerry expertise, 24x7 remote network monitoring and reporting, Wi-Fi site surveys, and disaster recovery planning. For complex firewall deployment projects, Progent offers pilot testing and performance evaluation services at the Progent Test Lab at the QTS Data Center.
- Replace PIX or ASA 5500 firewalls with ASA 5500-X devices with Firepower Services
- Re-image ASA firewalls with ASA for Firepower Services
- Update Firepower Service Modules
- Configure and troubleshoot NAT rules, DHCP, crypto ACL, and ASDM parameters
- Resolve issues with AnyConnect, Mac desktop VPN client, and Microsoft Azure access
- Setup IPsec VPN between ASA and Sonicwall or other firewalls
- Create new IPsec configurations with policy-based instead of route-based tunnels
- Perform ASA password recovery
- Generate self-sign certificates
- Configure and test failover
- Identify and resolve ASA bandwidth issues
- Resolve Jabber issues
- Resolve licensing issues for AnyConnect and Firepower
- Set up and verify IPS and HTTP policies
- Show clients how to use of Firepower Management Center
- Set up and troubleshoot VMware ESXi host for Firepower Management Center Virtual
To learn more about consulting services available from Progent to integrate and manage network solutions based on Cisco technology, select a topic:
Integration of Cisco and Third-party Security Technology
Progent offers expertise in firewall and VPN products from all major vendors and can help you integrate Cisco technology with additional security solutions to help you build a cost-effective network infrastructure that provides a level of security and flexibility appropriate for your business. Third-party firewall and VPN support services available from Progent include:
To ask Progent about consulting help with Cisco ASA and PIX firewalls, call 1-800-993-9400 or visit Contact Progent.