Cisco's ASA 5500-X firewalls provide integrated firewall, VPN, and intrusion prevention system (IPS) services in compact single-box packages, delivering a broad range of capabilities to meet the security needs of organizations ranging from small and mid-size businesses to enterprises and Internet service providers. Cisco's PIX and ASA 5500 firewalls have reached end-of-life (EOL) status but remain widely used by small and mid-size businesses as well as by many enterprise data centers. The ASA 5500-X Series Next-Generation Firewalls deliver significantly more bang for the buck and have superseded the ASA 5500 and PIX firewalls for new deployments. Cisco's ASA 5500-X firewalls have in turn been replaced by Cisco's Firepower Series of Next Generation firewalls. Progent's Cisco-certified network security experts can help you plan and carry out a smooth migration to ASA 5500-X firewalls from an ASA 5500 or PIX firewall solution, or Progent can help upgrade your current ASA 5500-X environment by providing Cisco Firepower NGFW Firewall migration services.
Following Cisco's purchase of Sourcefire, the entire family of Cisco ASA 5500-X firewalls can be provisioned to support Firepower Services, built on Sourcefire's Snort technology, which is the world's most deployed network intrusion protection system. Firepower services bring enhanced features including advanced malware protection (AMP), URL filtering, dynamic threat analytics, and security automation.
Firepower Services for Cisco ASA 5500-X Firewalls
Cisco ASA 5500-X firewalls accept software or hardware modules that support Cisco's ASA Firepower Services, which offer multi-layer defense against sophisticated threats. Firepower Services are based on technology acquired by Cisco from Sourcefire. Key features of Firepower Services for ASA firewalls include:
- Layered defense against both familiar and zero-day threats
- Advanced Malware Protection (AMP) that utilizes big data to discover and mitigate security breaches
- Cisco's Next-Generation Intrusion Prevention System (NGIPS) that provides contextual analysis that covers clients, network infrastructure, apps, and content to detect attacks that incorporate multiple vectors
- Fine-grained Application Visibility and Control, or AVC, that is aware of thousands of applications and can automatically launch both standard and custom IPS policies based on the severity of risk
Simpler deployments of ASA 5500-X firewalls can be efficiently managed via Cisco's on-box Adaptive Security Device Manager (ASDM), which is provided with all ASA 5500-X models. ASDM includes an easy-to-use web console that provides a convenient mechanism for deploying, managing, and debugging ASA 5500-X devices and service modules.
For multi-device and multi-site deployments, ASA 5500-X firewalls with Firepower Services can be managed with Firepower Management Center, available as one or more physical or virtual devices. Firepower Management Center provides centralized firewall management, visibility and control over applications, advanced IPS, URL filtering, and AMP. Due to frequent rebranding since Cisco's acquisition of Sourcefire Defense Center, Firepower Management Center has been delivered under various names including Defense Center, FireSIGHT Defense Center, and FireSIGHT Management Center.
Firepower Management Center provides features unavailable with the ASA 5500-X ASDM on-device manager. These include context awareness capabilities such as file trajectory, advanced malware protection (AMP) with mitigation for user devices, a console that offers real-time network visualization, automated policy tuning based on impact assessment of threats, comprehensive IPS, custom application detectors for AVC, customized health notifications, enhanced reporting features, and application interfaces for host input and database access. Hardware-dependent features like clustering, stacking, switching, routing, VPN, and NAT must be managed via Cisco's ASA 5500-X on-box ASDM and the ASA command line interface.
Cisco's ASA 5500-X Product Family
Cisco's extensive family of ASA 5500-X series firewalls includes an enhanced replacement for each rack-mountable model in the older ASA 5500 family of firewalls. Each ASA 5500-X device targets the same environment as the corresponding earlier models, which gives small offices and branch offices, midsize businesses, and large enterprises plenty of options in choosing a firewall that fits their performance requirements and budgets. All ASA 5500-X products build on Cisco's proven and widely deployed stateful-inspection firewall technology and all incorporate 64-bit hardware with multicore CPUs and can run Cisco's advanced security services. All models in Cisco's ASA 5500-X family provide consistent security across any mix of physical, virtual, and cloud environments.
Cisco ASA 5506-X and ASA 5508-X Firewalls
Cisco's ASA 5506-X firewall is a value-priced desktop device for entry-level firewall applications. Cisco offers a Wi-Fi enabled model as well as a hardened version for rugged environments. The ASA 5506-X offers 300 Mbps of multiprotocol firewall throughput, 100 Mbps 3DES/AES VPN throughput, and 250 Mbps Application Visibility and Control (AVC) performance. The ASA 5506-X can handle 10 IPsec VPN peers (or 50 with a Cisco Security Plus license), 20,000 simultaneous sessions (or 50,000 with Security Plus), 5,000 new connections per second, and 5 VLANs (or 30 VLANs with Security Plus). The appliance comes with eight integrated 1 GE ports and does not have an expansion I/O slot.
Cisco's ASA 5508-X firewall is a value-priced 1RU firewall designed for smaller deployments. The ASA 5508-X supports up to 500 Mbps of multiprotocol throughput, 100 IPsec VPN peers, 175 Mbps 3DES/AES VPN performance, and AVC throughput of 450 Mbps. The ASA 5508-X can handle 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs. The firewall includes eight integrated 1 GE ports and no slot for I/O expansion.
Cisco ASA 5512-X, ASA 5515-X and ASA 5516-X Firewalls
Cisco's ASA 5512-X firewall is designed for small offices or branch offices and is packaged in a 1RU rack-mountable form factor. The ASA 5512-X delivers multiprotocol firewall throughput of 500 Mbps, 3DES/AES VPN throughput of up to 200 Mbps, and Application Visibility and Control (AVC) throughput of 300 Mbps. The ASA 5512-X supports 250 IPsec site-to-site VPN peers, 100,000 concurrent sessions, 10,000 new connections per second, and up to 50 VLANs (or 100 VLANs with Cisco's Security Plus license). The device has six integrated 10/100/1000 Ethernet ports and has one expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5515-X firewall is a high-performance 1RU firewall for small offices and branch offices. The ASA 5515-X supports 600 Mbps of firewall throughput, 250 Mbps 3DES/AES VPN throughput, and AVC throughput of 500 Mbps. In addition, the ASA 5515-X can handle 250 IPsec VPN peers, 250,000 concurrent sessions, 15,000 new connections per second, and up to 100 VLANs. The firewall includes six integrated 10/100/1000 Ethernet ports or six SFP GE ports and has a single expansion slot for six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5516-X firewall is a 1RU device designed for deployments in small or mid-size organizations. The unit offers up to 900 Mbps of firewall throughput, 250 Mbps of 3DES/AES VPN throughput, and AVC performance of 850 Mbps. The ASA 5516-X supports 300 IPsec VPN peers, 250,000 simultaneous sessions, 20,000 new connections per second, and up to 100 VLANs. The ASA 5516-X incorporates eight built-in 1 GE ports and has no I/O expansion slot.
Cisco ASA 5525-X, ASA 5545-X and ASA 5555-X Firewalls
Cisco's ASA 5525-X firewall replaces the discontinued ASA 5520 firewall and offers midsize businesses next-generation security at the Internet Edge. The 1RU appliance offers 1 Gbps of multiprotocol firewall throughput, 300 Mbps 3DES/AES VPN throughput, and Application Visibility and Control throughput of 1.1 Gbps. The ASA 5525-X can handle 300 VPN IPsec peers, up to 500,000 concurrent sessions, 20,000 new connections per second, and as many as 200 VLANs. The device includes eight integrated 10/100/1000 ports and has an expansion slot that can support either six 10/100/1000 ports or six SFP GE ports.
Cisco's ASA 5545-X firewall is designed as an upgrade for the legacy ASA 5540 security appliance and delivers mid-range performance for edge security. The 1RU ASA 5545-X provides 1.5 Gbps firewall throughput, 400 Mbps 3DES/AES VPN performance, and 1.5 Gbps AVC performance. The ASA 5545-X can support 400 site-to-site VPN IPsec peers, 750,000 concurrent sessions, 30,000 new connections per second, and 300 VLANs. The ASA 5545-X has eight built-in 10/100/1000 Ethernet ports and includes an expansion slot for six additional 10/100/1000 ports or for six SFP GE ports.
The Cisco ASA 5555-X firewall is designed as an upgrade for Cisco's earlier ASA 5550, now at end-of-life, and provides midsize organizations with high throughput and advanced security at the Internet edge. The ASA 5555-X delivers 2 Gbps of firewall performance, 700 Mbps 3DES/AES VPN performance, and AVC throughput of 1.75 Gbps. The ASA 5555-X handles up to 700 VPN IPsec peers, 1,000,000 simultaneous sessions, 50,000 new connections per second, and up to 500 VLANs. Eight 10/100/1000 ports are integrated with the ASA 5555-X and an expansion slot allows you to add six 10/100/1000 ports or six SFP GE ports.
Cisco ASA 5585-X Firewalls
The top of the line of Cisco's ASA 5500-X firewall family is the ASA 5585-X, which is the only version with a 2RU dual-slot chassis. Intended as an upgrade for the discontinued ASA 5580 firewall, the ASA 5585-X is designed for enterprise data centers, ISPs, and other environments that need to deliver high performance and handle high traffic density.
The lower slot of the Cisco ASA 5585-X chassis is for the firewall/VPN Security Services Processor (SSP), and the upper slot is for the IPS SSP. Cisco offers four different SSPs and four IPS SSPs. Based on the SSP selected, the ASA 5585-X's multi-protocol firewall performance can be from 2 to 20 Gbps, 3DES/AES VPN throughput from 2 to 10 Gbps, and Application Visibility and Control from 4.5 Gbps to 15 Gbps. The ASA 5585-X can manage 5,000 to 10,000 VPN IPsec site-to-site peers, 500,000 to 4,000,000 simultaneous sessions, 40,000 to 160,000 new connections per second, and 1024 VLANs. Integrated I/O can be configured to support eight 10/100/1000 ports and 2x10 GE SFP+ ports or six 10/100/1000 ports and four 10 GE SFP+ ports. Expansion I/O options include eight 10 GE SFP/SFP+ ports, four 10 GE SFP/SFP+ ports, or twelve 1 GE SFP ports plus eight 10/100/1000 ports.
For more information about Progent's support for Cisco ASA 5500-X firewalls, Firepower Services, and Firepower Management Center, visit Cisco ASA 5500-X firewalls with Firepower Services consulting.
How Progent Can Support Your ASA 5500-X Firewalls with Firepower Services
Cisco ASA 5500-X firewalls with Firepower Services incorporate a broad array of configuration, management, and expansion options that offer you the ability to set up these security appliances to match your company's specific requirements. Progent's CCIE authorized network engineers can help you to design and manage an efficient network infrastructure that includes Cisco ASA 5500-X security appliances and that offers world-class security, availability, throughput, and manageability. Progent can also assist you to modernize your existing ASA 5500-X deployment by providing Cisco Firepower NGFW Firewall migration expertise.
Progent's GISA and CISSP-ISSP-qualified information security professionals can help you to create a security policy appropriate for your environment and can configure your security appliance to support your security policies. Progent's security evaluation consultants can assess the strength of your current firewall solution and validate the overall security of your entire IT environment. Progent's Technical Response Center can provide emergency online technical support for Cisco products and can give you quick access to a Cisco CCIE network engineer.
Progent offers a range of additional consulting services to help businesses of any size create a complete, company-wide security solution. Progent's project management services can help you define and implement an efficient plan to migrate from legacy Cisco appliances to the latest generation of devices. Progent's vulnerability testing and mitigation services for network devices and applications can help you validate the security and compliance of your IT environment. Progent's certified information security engineers can help you develop and test a comprehensive security strategy that addresses the complex data theft and privacy issues associated with cloud computing. Progent can help you use Cisco's AnyConnect to provide secure VPN connections for platforms including Windows, Mac, Linux, iOS, and Android. Progent's BYOD consulting experts can help you manage smartphones and tablets by offering services that include iPhone and iPad integration, and Android phone and tablet consulting. Progent's ProSight WAN Watch 24x7 remote network monitoring and reporting services provide proactive protection for your information system. Progent's disaster recovery planning consultants can help you create and validate a DR/BC plan that is based on industry best practices. Progent's QTS Data Center Test Lab is available to prototype new firewall solutions and verify that they provide the performance and security your business requires.
Integration of Cisco and Third-party Security Technology
Progent offers expertise in firewall and VPN products from all major vendors and can help you integrate Cisco technology with additional security solutions to help you build a cost-effective network infrastructure that provides a level of security and flexibility appropriate for your business. Third-party firewall and VPN support services available from Progent include:
To ask Progent about consulting help with Cisco ASA and PIX firewalls, call 1-800-993-9400 or visit Contact Progent.