Cisco® ASA 5500 Series Adaptive
Security Appliances are
purpose-built solutions that combine
best-in-class security and VPN
services with an innovative,
extensible services architecture.
Designed as a core component of the
Cisco Self-Defending Network, the
Cisco ASA 5500 Series provides
proactive threat defense that stops
attacks before they spread through
the network, controls network
activity and application traffic,
and delivers flexible VPN
connectivity. The result is a
powerful multifunction network
security appliance family that
provides the security breadth and
depth for protecting home office,
branch office, small and
medium-sized business, enterprise,
and data center networks while
reducing the overall deployment and
operations costs and complexities
associated with providing this new
level of security.
The Cisco ASA 5500 Series
delivers a powerful combination
of multiple market-proven
technologies in a single
platform, making it
operationally and economically
feasible for organizations to
deploy comprehensive security
services to more locations. The
comprehensive portfolio of
services within the Cisco ASA
5500 Series enables
customization for
location-specific needs through
tailored product editions for
small to medium-sized businesses
and for enterprises. These
editions enable superior
protection by providing the
right services for the right
location. Each edition combines
a focused set of Cisco ASA 5500
Series services (such as
firewall, SSL and IPsec VPN,
IPS, and content security
services) to meet the needs of
specific environments within the
enterprise network. By ensuring
the security needs of each
location are met, the overall
network security posture is
raised.
The Cisco ASA 5500 Series helps
businesses more effectively and
efficiently protect their
networks while delivering
exceptional investment
protection through the following
key elements:
• Market-proven security and VPN
capabilities: Full-featured,
high-performance firewall, intrusion
prevention (IPS), content security,
and Secure Sockets Layer/IP Security
(SSL/IPsec) VPN technologies deliver
robust application security, user-
and application-based access
control, worm and virus mitigation,
malware protection, content
filtering, and remote user/site
connectivity.
• Extensible services
architecture: Taking advantage of a
modular services processing and
policy framework offered by the
Cisco ASA 5500 Series, businesses
can apply specific security and
network services on a
per-traffic-flow basis, delivering
highly granular policy controls and
a wide range of protective services
with streamlined traffic processing.
The efficiencies of this policy
framework, as well as software and
hardware extensibility through
user-installable security services
modules (SSMs) and security services
cards (SSCs), advance the evolution
of existing services and the
deployment of new services without
requiring a platform replacement or
performance compromise. With these
capabilities, the Cisco ASA 5500
Series provides the foundation for
highly customizable security
policies and unprecedented services
extensibility to help protect
against the fast-evolving threat
environment.
• Reduced deployment and
operations costs: The multifunction
Cisco ASA 5500 Series allows for
platform, configuration, and
management standardization, helping
to decrease the costs of deployment
and ongoing operations.
Introducing the Cisco ASA 5500 Series
The Cisco ASA 5500 Series
includes the Cisco ASA 5505,
5510, 5520, 5540, 5550, and 5580
Adaptive Security
Appliances, purpose-built,
high-performance security
solutions that take advantage of
Cisco expertise in developing
industry-leading, award-winning
security and VPN solutions. The
series builds upon proven
technologies from Cisco PIX® 500
Series Security Appliances,
Cisco IPS 4200 Series Sensors,
and Cisco VPN 3000 Series
Concentrators. Designed as a key
component of the Cisco
Self-Defending Network, the
Cisco ASA 5500 Series provides
proactive threat defense that
stops attacks before they spread
through the network, controls
network activity and application
traffic, and delivers flexible
VPN connectivity. The result is
a powerful multifunction network
security appliance family that
provides the security breadth
and depth for protecting small
and medium-sized business (SMB),
enterprise, and service provider
networks while reducing the
overall deployment and
operations costs and
complexities associated with
providing this new level of
security.
Through its unique Modular
Policy Framework (MPF), the
Cisco ASA 5500 Series brings a
new level of security and policy
control to applications and
networks. MPF allows businesses
to adapt and extend the profile
of the Cisco ASA 5500 Series
through highly customizable,
flow-specific security policies
tailored to application
requirements while providing
performance and extensibility
through user-installable SSMs.
This adaptable architecture
enables businesses to rapidly
deploy security services when
and where they are needed, such
as tailoring inspection
techniques to specific
application and user needs or
adding additional intrusion
prevention and content security
such as those delivered by the
Adaptive Inspection and
Prevention (AIP) and Content
Security and Control (CSC) SSM.
Furthermore, the modular
hardware architecture of the
Cisco ASA 5500 Series along with
flexible MPF enables the
integration of future network
and security, extending the
outstanding investment
protection provided by the Cisco
ASA 5500 Series, and allowing
businesses to adapt their
network defenses to new threats
as they arise.
All Cisco ASA 5500 Series
appliances include maximum IPsec
VPN users on the base system;
SSL VPN is licensed and
purchased separately. By
converging SSL and IPsec VPN
services with comprehensive
threat defense technologies, the
Cisco ASA 5500 Series provides
highly customizable network
access tailored to meet the
requirements of diverse
deployment environments while
providing advanced endpoint and
network-level security.
Cisco ASA 5505 Adaptive Security Appliance
The Cisco ASA 5505 Adaptive
Security Appliance is a
next-generation, full-featured
security appliance for small
business, branch office, and
enterprise teleworker
environments. The Cisco ASA 5505
delivers high-performance
firewall, SSL and IPsec VPN, and
rich networking services in a
modular, "plug-and-play"
appliance. Using the integrated
Cisco Adaptive Security Device
Manager, the Cisco ASA 5505 can
be rapidly deployed and easily
managed, enabling businesses to
minimize operations costs. The
Cisco ASA 5505 features a
flexible 8-port 10/100 Fast
Ethernet switch, whose ports can
be dynamically grouped to create
up to three separate VLANs for
home, business, and Internet
traffic for improved network
segmentation and security. The
Cisco ASA 5505 provides two
Power over Ethernet (PoE) ports,
enabling simplified deployment
of Cisco IP phones with
zero-touch secure voice over IP
(VoIP) capabilities, and
deployment of external wireless
access points for extended
network mobility. The Cisco ASA
5505 also provides significant
expandability and investment
protection through its modular
design, similar to the rest of
the Cisco ASA 5500 Series,
offering both an external
expansion slot and multiple USB
ports that enable the addition
of services in the future.
As business needs grow,
customers can install a Security
Plus upgrade license, enabling
the Cisco ASA 5505 Adaptive
Security Appliance to scale to
support a higher connection
capacity and a higher number of
IPsec VPN users, add full DMZ
support, and integrate into
switched network environments
through VLAN trunking support.
Furthermore, this upgrade
license maximizes business
continuity by enabling support
for redundant ISP connections
and stateless Active/Standby
high-availability services. This
combination of market-leading
security and VPN services,
advanced networking features,
flexible remote management
capabilities, and future
extensibility makes the Cisco
ASA 5505 an excellent choice for
businesses requiring a
best-in-class small business,
branch office, or enterprise
teleworker security solution.
Table 1 lists features of the
Cisco ASA 5505.
Table 1. Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | Description |
| --- | --- |
| Firewall Throughput | Up to 150 Mbps |
| VPN Throughput | Up to 100 Mbps |
| Concurrent Sessions | 10,000/25,000** |
| IPsec VPN Peers | 10; 25** |
| SSL VPN Peer License Levels* | 10 or 25 |
| Interfaces | 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports) |
| Virtual Interfaces (VLANs) | 3 (no trunking support) / 20 (with trunking support)** |
| High Availability | Not supported; stateless Active/Standby and redundant ISP support** |
* Separately licensed feature; includes two with the base system
** Upgrade available with Cisco ASA 5505 Security Plus license
Cisco ASA 5510 Adaptive Security Appliance
The Cisco ASA 5510 Adaptive
Security Appliance delivers
advanced security and networking
services for small and
medium-sized businesses and
enterprise remote/branch offices
in an easy-to-deploy,
cost-effective appliance. These
services can be easily managed
and monitored by the integrated
Cisco Adaptive Security Device
Manager application, thus
reducing the overall deployment
and operations costs associated
with providing this high level
of security. The Cisco ASA 5510
Adaptive Security Appliance
provides high-performance
firewall and VPN services and
five integrated 10/100 Fast
Ethernet interfaces. It
optionally provides
high-performance intrusion
prevention and worm mitigation
services through the AIP
SSM, or comprehensive malware
protection services through the
CSC SSM. This unique combination
of services on a single platform
makes the Cisco ASA 5510 an
excellent choice for businesses
requiring a cost-effective,
extensible, DMZ-enabled security
solution.
As business needs grow,
customers can install a Security
Plus license, upgrading two of
the Cisco ASA 5510 Adaptive
Security Appliance interfaces to
Gigabit Ethernet and enabling
integration into switched
network environments through
VLAN support. This upgrade
license maximizes business
continuity by enabling
Active/Active and Active/Standby
high-availability services.
Using the optional security
context capabilities of the
Cisco ASA 5510 Adaptive Security
Appliance, businesses can deploy
up to five virtual firewalls
within an appliance to enable
compartmentalized control of
security policies on a
departmental level. This
virtualization strengthens
security and reduces overall
management and support costs
while consolidating multiple
security devices into a single
appliance.
Businesses can extend their SSL
and IPsec VPN capacity to
support a larger number of
mobile workers, remote sites,
and business partners.
Businesses can scale up to 250
SSL VPN peers on each Cisco ASA
5510 by installing an SSL VPN
upgrade license; 250 IPsec VPN
peers are supported on the base
platform. VPN capacity and
resiliency can also be increased
by taking advantage of the Cisco
ASA 5510's integrated VPN
clustering and load-balancing
capabilities (available if a
Security Plus license is
installed). The Cisco ASA 5510
supports up to 10 appliances in
a cluster, supporting a maximum
of 2500 SSL VPN peers or 2500
IPsec VPN peers per cluster.
Table 2 lists features of the
Cisco ASA 5510.
Table 2. Cisco ASA 5510 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | Description |
| --- | --- |
| Firewall Throughput | Up to 300 Mbps |
| Concurrent Threat Mitigation Throughput (firewall + IPS services) | Up to 150 Mbps with AIP SSM-10; up to 300 Mbps with AIP SSM-20 |
| VPN Throughput | Up to 170 Mbps |
| Concurrent Sessions | 50,000; 130,000*** |
| IPsec VPN Peers | 250 |
| SSL VPN Peer License Levels* | 10, 25, 50, 100, or 250 |
| Security Contexts | Up to 5** |
| Interfaces*** | Five Fast Ethernet ports; 2 Gigabit Ethernet + 3 Fast Ethernet*** |
| Virtual Interfaces (VLANs) | 50; 100*** |
| Scalability*** | VPN clustering and load balancing |
| High Availability | Not supported; Active/Active, Active/Standby*** |
* Separately licensed feature; includes two with the base system
** Separately licensed feature; includes two with the Cisco ASA 5510 Security Plus license
*** Upgrade available with Cisco ASA 5510 Security Plus license
Cisco ASA 5520 Adaptive Security Appliance
The Cisco ASA 5520 Adaptive
Security Appliance delivers
security services with
Active/Active high
availability and Gigabit
Ethernet connectivity for
medium-sized enterprise
networks in a modular,
high-performance appliance.
With four Gigabit Ethernet
interfaces and support for
up to 100 VLANs, businesses
can easily deploy the Cisco
ASA 5520 into multiple zones
within their network. The
Cisco ASA 5520 Adaptive
Security Appliance scales
with businesses as their
network security
requirements grow,
delivering solid investment
protection.
Businesses can extend their
SSL and IPsec VPN capacity
to support a larger number
of mobile workers, remote
sites, and business
partners. Businesses can
scale up to 750 SSL VPN
peers on each Cisco ASA 5520
by installing an SSL VPN
upgrade license; 750 IPsec
VPN peers are supported on
the base platform. VPN
capacity and resiliency can
also be increased by taking
advantage of the Cisco ASA
5520's integrated VPN
clustering and
load-balancing capabilities.
The Cisco ASA 5520 supports
up to 10 appliances in a
cluster, supporting a
maximum of 7500 SSL VPN
peers or 7500 IPsec VPN
peers per cluster. The
advanced application-layer
security and content
security defenses provided
by the Cisco ASA 5520 can be
extended by deploying the
high-performance intrusion
prevention and worm
mitigation capabilities of
the AIP SSM, or the
comprehensive malware
protection of the CSC SSM.
Using the optional security
context capabilities of the
Cisco ASA 5520 Adaptive
Security Appliance,
businesses can deploy up to
20 virtual firewalls within
an appliance to enable
compartmentalized control of
security policies on a
departmental level. This
virtualization strengthens
security and reduces overall
management and support costs
while consolidating multiple
security devices into a
single appliance.
Table 3 lists features of
the Cisco ASA 5520.
Table 3. Cisco ASA 5520 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | Description |
| --- | --- |
| Firewall Throughput | Up to 450 Mbps |
| Concurrent Threat Mitigation Throughput (firewall + IPS services) | Up to 225 Mbps with AIP SSM-10; up to 375 Mbps with AIP SSM-20 |
| VPN Throughput | Up to 225 Mbps |
| Concurrent Sessions | 280,000 |
| IPsec VPN Peers | 750 |
| SSL VPN Peer License Levels* | 10, 25, 50, 100, 250, 500, or 750 |
| Security Contexts* | Up to 20 |
| Interfaces | 4 Gigabit Ethernet ports and 1 Fast Ethernet port |
| Virtual Interfaces (VLANs) | 150 |
| Scalability | VPN clustering and load balancing |
| High Availability | Active/Active, Active/Standby |
* Separately licensed feature; includes two with base system
Cisco ASA 5540 Adaptive Security Appliance
The Cisco ASA 5540 Adaptive
Security Appliance delivers
high-performance,
high-density security
services with Active/Active
high availability and
Gigabit Ethernet
connectivity for
medium-sized and large
enterprise and
service-provider networks,
in a reliable, modular
appliance. With four Gigabit
Ethernet interfaces and
support for up to 100 VLANs,
businesses can use the Cisco
ASA 5540 to segment their
network into numerous zones
for improved security. The
Cisco ASA 5540 Adaptive
Security Appliance scales
with businesses as their
network security
requirements grow,
delivering exceptional
investment protection and
services scalability. The
advanced network and
application-layer security
services and content
security defenses provided
by the Cisco ASA 5540
Adaptive Security Appliance
can be extended by deploying
the AIP SSM for
high-performance intrusion
prevention and worm
mitigation.
Businesses can scale their
SSL and IPsec VPN capacity
to support a larger number
of mobile workers, remote
sites, and business
partners. Businesses can
scale up to 2500 SSL VPN
peers on each Cisco ASA 5540
by installing an SSL VPN
upgrade license; 5000 IPsec
VPN peers are supported on
the base platform. VPN
capacity and resiliency can
also be increased by taking
advantage of the Cisco ASA
5540's integrated VPN
clustering and
load-balancing capabilities.
The Cisco ASA 5540 supports
up to 10 appliances in a
cluster, supporting a
maximum of 25,000 SSL VPN
peers or 50,000 IPsec VPN
peers per cluster. Using the
optional security context
capabilities of the Cisco
ASA 5540 Adaptive Security
Appliance, businesses can
deploy up to 50 virtual
firewalls within an
appliance to enable
compartmentalized control of
security policies on a
per-department or
per-customer basis, and
deliver reduced overall
management and support
costs.
Table 4 lists features of
the Cisco ASA 5540.
Table 4. Cisco ASA 5540 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | Description |
| --- | --- |
| Firewall Throughput | Up to 650 Mbps |
| Concurrent Threat Mitigation Throughput (firewall + IPS services) | Up to 450 Mbps with AIP SSM-20 |
| VPN Throughput | Up to 325 Mbps |
| Concurrent Sessions | 400,000 |
| IPsec VPN Peers | 5000 |
| SSL VPN Peer License Levels* | 10, 25, 50, 100, 250, 500, 750, 1000, and 2500 |
| Security Contexts* | Up to 50* |
| Interfaces | 4 Gigabit Ethernet ports and 1 Fast Ethernet port |
| Virtual Interfaces (VLANs) | 200 |
| Scalability | VPN clustering and load balancing |
| High Availability | Active/Active, Active/Standby |
* Separately licensed feature; includes two with base system
Cisco ASA 5550 Adaptive Security Appliance
The Cisco ASA 5550 Adaptive
Security Appliance delivers
gigabit-class security
services with Active/Active
high availability and fiber
and Gigabit Ethernet
connectivity for large
enterprise and
service-provider networks in
a reliable, 1-rack-unit form
factor. Using its eight
Gigabit Ethernet interfaces,
four Small Form-Factor
Pluggable (SFP) fiber
interfaces*, and support for
up to 200 VLANs, businesses
can segment their network
into numerous
high-performance zones for
improved security.
The Cisco ASA 5550 Adaptive
Security Appliance scales
with businesses as their
network security
requirements grow,
delivering exceptional
investment protection and
services scalability.
Businesses can scale their
SSL and IPsec VPN capacity
to support a larger number
of mobile workers, remote
sites, and business
partners. Businesses can
scale up to 5000 SSL VPN
peers on each Cisco ASA 5550
by installing an SSL VPN
upgrade license; 5000 IPsec
VPN peers are supported on
the base platform. VPN
capacity and resiliency can
also be increased by taking
advantage of the Cisco ASA
5550's integrated VPN
clustering and
load-balancing capabilities.
The Cisco ASA 5550 supports
up to 10 appliances in a
cluster, supporting a
maximum of 50,000 SSL VPN
peers or 50,000 IPsec VPN
peers per cluster. Using the
optional security context
capabilities of the Cisco
ASA 5550 Adaptive Security
Appliance, businesses can
deploy up to 50 virtual
firewalls within an
appliance to enable
compartmentalized control of
security policies on a
per-department or
per-customer basis, and
deliver reduced overall
management and support
costs.
Note: The system provides a total of 12
Gigabit Ethernet ports, of which
only 8 can be in service at any
time. Businesses can choose
between copper or fiber
connectivity, providing
flexibility for data center,
campus, or enterprise edge
connectivity.
Table 5 lists features of
the Cisco ASA 5550.
Table 5. Cisco ASA 5550 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | Description |
| --- | --- |
| Firewall Throughput | Up to 1.2 Gbps |
| VPN Throughput | Up to 425 Mbps |
| Concurrent Sessions | 650,000 |
| IPsec VPN Peers | 5000 |
| SSL VPN Peer License Levels* | 10, 25, 50, 100, 250, 500, 750, 1000, 2500, and 5000 |
| Security Contexts* | Up to 50 |
| Interfaces | 8 Gigabit Ethernet ports, 4 SFP fiber ports, and 1 Fast Ethernet port |
| Virtual Interfaces (VLANs) | 250 |
| Scalability | VPN clustering and load balancing |
| High Availability | Active/Active, Active/Standby |
* Separately licensed feature; includes two with base system
Cisco ASA 5580 Adaptive Security Appliances
The Cisco ASA 5580-20 and
5580-40 Adaptive Security
Appliances deliver
multigigabit security
services for large
enterprise, data center, and
service-provider networks in
a robust, 4-rack-unit form
factor. The Cisco ASA 5580
accommodates high-density
copper and optical
interfaces with scalability
from Fast Ethernet to
10Gigabit Ethernet, enabling
unparalleled security and
deployment flexibility.
Cisco ASA 5580 Adaptive
Security Appliances include
six interface card expansion
slots with support for up to
24 Gigabit Ethernet
interfaces or up to 12
10Gigabit Ethernet
interfaces that simplify
provisioning and enable
campus segmentation.
Furthermore, this
high-density design enables
security virtualization
while retaining physical
segmentation desired in
managed security and
infrastructure consolidation
applications.
The Cisco ASA 5580 Series
is offered at two
performance levels: the
Cisco ASA 5580-20 with 6.5
Gbps firewall performance,
and the high-end Cisco ASA
5580-40 with 14 Gbps
firewall performance. Their
multicore, multiprocessor
architecture delivers
radical scalability for the
most demanding network
security and VPN
concentration applications.
Real-time applications can
be transparently secured
thanks to the extremely low
latency, high session
concurrency, and connection
setup rates. Cisco ASA 5580
Adaptive Security Appliances
can also be clustered to
provide improved reliability
and scalability, with
support for up to 100,000
SSL or IPsec remote-access
clients when deploying 10
appliances in a cluster.
Additional features,
including security
virtualization through the
use of security contexts and
VLANs, increase service
velocity while reducing
operational and
administrative overhead.
Table 6 lists features of
the Cisco ASA 5580 Security
Appliances.
Table 6. Cisco ASA 5580 Adaptive Security Appliance Platform Capabilities and Capacities
| Feature | ASA 5580-20 | ASA 5580-40 |
| --- | --- | --- |
| Max Firewall Throughput | 5 Gbps (real-world HTTP), 10 Gbps (jumbo frames) | 10 Gbps (real-world HTTP), 20 Gbps (jumbo frames) |
| Max VPN Throughput | 1 Gbps | 1 Gbps |
| Concurrent Sessions | 1,000,000 | 2,000,000 |
| IPsec VPN Peers | 10000 | 10000 |
| SSL VPN Peer License Levels* | 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, and 10,000 | 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, and 10000 |
| Security Contexts | Up to 50* | Up to 50* |
| Interfaces | 2 Gigabit Ethernet management | 2 Gigabit Ethernet management |
| Interface Card Slots | 6 | 6 |
| Interface Card Options | 4 Port 10/100/1000, RJ45; 4 Port Gigabit Ethernet fiber, SR, LC; 2 Port 10Gigabit Ethernet fiber, SR, LC | 4 Port 10/100/1000, RJ45; 4 Port Gigabit Ethernet fiber, SR, LC; 2 Port 10Gigabit Ethernet fiber, SR, LC |
| Virtual interfaces (VLANs) | 100 (250**) | 100 (250**) |
| Scalability | VPN clustering and load balancing | VPN clustering and load balancing |
| High Availability | Active/Active, Active/Standby | Active/Active, Active/Standby |
| Redundant Power | Supported, second power supply optional | Supported, second power supply optional |