Cisco ASA 5500-X Series’ New Features & Main Model Comparison

It’s so cool that Cisco ASA 5500-X Series Next-Generation Firewalls provide next-generation security capabilities at scale without requiring an additional hardware module.

Cisco ASA 5500-X Series appliances support services such as application visibility and control, web security essentials, intrusion prevention, remote access and cloud web security to provide an end-to-end, scalable security solution. Furthermore, by integrating with Cisco ISE (Identity Services Engine) and the Cisco AnyConnect Mobility solution, ASA 5500-X Series Firewalls provide a comprehensive BYOD solution for high-end enterprises and small businesses alike.

What’s New?


• Cisco ASA Next-Generation Firewall provides services such as Application Visibility and Control (AVC) Services to control specific behaviors within allowed micro-applications, Web Security Essentials (WSE) Services to restrict web and web application usage based on the reputation of the site, and Intrusion Prevention (IPS) to provide critical threat protection from internet edge related attacks on your personal use computing systems. Through Cisco Security Intelligence Operations (SIO)*, these services provide web reputation that protects against zero-day threats.

• Cisco Prime Security Manager can now be used to centrally manage core ASA-X features along with Next-Generation services such as Application Visibility and Control, Web Security and IPS.

• ASA IPS is the only context-aware IPS that uses device awareness, network reputation of the source, target value and user identity to drive mitigation decisions and provide proactive protection against threats. It uses a combination of on- and off-box intelligence and does not require an additional hardware module.

• 4x increase in firewall throughput protects users as their current and future data consumption demands increase.

• Redundant power supplies (on the ASA 5545-X and 5555-X appliances) protect against power outages.

• Multicore enterprise-class CPUs deliver better performance.

• Additional copper and small form-factor pluggable (SFP) Gigabit Ethernet ports provide greater flexibility for network configuration.

• Cisco Cloud Web Security provides unmatched web security, application visibility and control for organizations of all sizes through a network of global data centers.

• Cisco AnyConnect enables seamless secure remote access by providing an always-on secure connectivity experience across a broad set of desktop and mobile devices.

Back-View Summary-Cisco ASA 5500-X Series

Cisco ASA 5500-X Back View

More figures show further details and a comparison between the Cisco ASA 5500 and 5500-X Series.

Next Generation ASA Mid-Range Appliances


Cisco ASA 5500-X Hardware


Cisco ASA 5500-X Model Comparison


More Comparison between Cisco ASA 5500 and ASA 5500-X Series

ASA 5510-ASA 5550 vs. ASA 5512-X-ASA 5555-X

Hardware Comparison: ASA 5510-ASA 5550 vs. ASA 5512-X-ASA 5555-X

 

ASA 5512-X versus ASA 5510 Key Changes


* Content Security Service to be made available as Scansafe-connector on ASA; Next-Gen services can be added without requiring additional hardware module

Performance: 4X Firewall Throughput; Increased IPS, VPN Throughput

Hardware: Multi-core instead of Single-core CPUs; 4X Memory; Dedicated Management port; Additional (+1) integrated I/O ports; Additional (+2) expansion I/O ports; GE instead of FE ports; Expansion slot now only for I/O; Expansion

Services: IPS does not require hardware module; Next-gen services ready

 

ASA 5515-X versus ASA 5510+ Key Changes


* Content Security Service to be made available as Scansafe-connector on ASA; Next-Gen services can be added without requiring additional hardware module

Security Plus License Not Required

Performance: 4X Firewall Throughput; Increased IPS, VPN Throughput

Hardware: Multi-core instead of Single-core CPUs; 8X Memory; Dedicated Management port; Additional (+1) integrated I/O ports; Additional (+2) expansion I/O ports; All GE ports instead of FE ports; Expansion slot now only for I/O; Expansion

Services: IPS does not require hardware module; Next-gen services ready

 

ASA 5525-X versus ASA 5520 Key Changes


* Content Security Service to be made available as Scansafe-connector on ASA; Next-Gen services can be added without requiring additional hardware module

Performance: 4X Firewall Throughput; Increased IPS, VPN Throughput

Hardware: Multi-core instead of Single-core CPUs; 4X Memory; Dedicated Management port; Additional (+3) integrated I/O ports; Additional (+2) expansion I/O ports; Expansion slot now only for I/O, Expansion

Services: IPS does not require hardware module; Next-gen services ready

 

ASA 5545-X versus ASA 5540 Key Changes


* Content Security Service to be made available as Scansafe-connector on ASA; Next-Gen services can be added without requiring additional hardware module

Performance: 4X Firewall Throughput; Increased IPS, VPN Throughput

Hardware: Multi-core instead of Single-core CPUs; 6X Memory; Dedicated Management port; Additional (+3) integrated I/O ports; Additional (+2) expansion I/O ports; Expansion slot now only for I/O; Expansion

Services: IPS does not require hardware module; Next-gen services ready

 

ASA 5555-X versus ASA 5550 Key Changes


* Content Security Service to be made available as Scansafe-connector on ASA; Next-Gen services can be added without requiring additional hardware module

Performance: 4X Firewall Throughput; Increased IPS, VPN Throughput

Hardware: Multi-core instead of Single-core CPUs; 4X Memory; Dedicated Management port; Expansion I/O now available

Services: IPS does not require hardware module; Next-gen services ready

 

Licensing Changes-ASA Licensing

New Feature–IPS Module

• A new licensing feature was introduced to enable the use of the IPS Software Module.

• Traffic destined to IPS will be dropped by ASA if this license is not enabled AND ‘failclose’ is configured.

• IPS Signature Update license is required on top of the above license.

• All other license features remain unchanged and are based on ASA 8.4.2 software.

 

Enabling IPS Service


ASA Management Model

• Dedicated Out-Of-Band management port M0/0

• Failover & VLAN sub-interface features are not configurable on M0/0

• ASA and integrated IPS management are independent of each other.

• Management model is similar to previous ASA/SSM appliances

• ASA and IPS software module have separate management IP addresses but share the same physical port M0/0 for outbound connectivity

• ASA can log the IPS module’s console messages: “show module 1 log console”

• ASA configures and manages all external data ports

 

ASA and IPS Management Model

Similarities with SSM/SSP

• ASA and IPS are managed very similarly to previous SSM/SSP deployments.

• ASA is used to recover, reload, shut down, etc. the IPS.

• ASA is used to configure service-policies to pass traffic to IPS.

• ASA and IPS have unique IP addresses for management purposes.

• ASDM, IME, and IDM behave the same.
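
The service-policy step listed above, combined with the fail-close behaviour from the licensing notes, as an added configuration sketch that is not from the original post. The names IPS-TRAFFIC and IPS-CLASS are assumed placeholders; global_policy is the ASA's default global policy map.

```text
! Constructed example: IPS-TRAFFIC and IPS-CLASS are placeholder names.
! Select the traffic to hand to the IPS software module.
access-list IPS-TRAFFIC extended permit ip any any
!
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
policy-map global_policy
 class IPS-CLASS
  ! inline: the module sits in the packet path and can drop traffic.
  ! fail-close: when the module cannot inspect (module unavailable, or,
  ! per the licensing note, the IPS Module license is not enabled),
  ! the ASA drops the matching traffic instead of forwarding it.
  ips inline fail-close
  ! Alternative: "ips inline fail-open" forwards matching traffic
  ! uninspected while the module is unavailable.
!
service-policy global_policy global
```

With fail-close, a missing IPS Module license shows up as dropped traffic for the matched class, so confirm the license is active before applying the policy to production flows.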

 

Differences with SSM/SSP

• ASA and IPS share the only dedicated management port on the box.

• IPS must use the dedicated management port. However, ASA can use any port on the box to manage the system.

• When ASA and IPS are sharing the dedicated management port, the IP addresses for ASA and IPS should be within the same subnet.

• The IPS image stored on the embedded flash is used to recover the software module instead of downloading the image over the SSM/SSP dedicated management port.

 
