5612 Views, 5 Helpful, 13 Replies

ASA 5506-X performance experiences

ammann9113
Level 1

Hello everyone!

I'm thinking about getting myself a 5506-X for home use. I know it might be overkill to some degree, expensive and so on... and to be honest, it really isn't necessary, but I like to play around and some educational purposes play a part too. So, this is not the kind of discussion I am interested in right now... :-) Just so you know, I am fairly experienced and I think I know what I am doing ;-)

Anyway, enough with the unnecessary chit-chat... what holds me back right now is my current "unknowing" of what throughput the 5506-X is capable of. I know there is a data sheet with pretty numbers in it, but that's not what I am interested in. I want to know, what numbers I could really expect. Some "real-life" experiences...

I am aware that this heavily depends on what features are activated... so what would the range be, coming from Fort Knox (everything on) to just waving at passersby (everything off)? Although it's a little bit expensive (if I am understanding the licensing correctly) I would be playing around with that fancy FirePOWER stuff to some point.

Another question I couldn't quite figure out myself is if the following scenario could be configured on the ASA; say we have a host X. Would it be possible to configure the ASA in a way that host X can load some files over port 80 without being bothered too much? Something like: traffic from host X over port 80 will not be inspected, hence more throughput for host X.

Any input will be appreciated! And of course, I am not expecting too much, since my questions aren't straight yes/no questions.

Be safe and have a nice evening :-)

Accepted Solution

I know it might be overkill to some degree, expensive and so on... and to be honest, it really isn't necessary,

For sure it is! Every household should be protected by an ASA with FirePower or a Meraki MX! ;-)

For the ASA, you can control which traffic gets sent to the FirePOWER module. Traffic that is not sent to FP is "only" inspected by the ASA which gives you a peak performance of about 750 MBit/s.

For all traffic that is inspected with FirePOWER, expect a performance between 30 and 100 MBit/s, depending on which services you activate.
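The accepted answer's point that you choose which traffic the FirePOWER module sees, and the original question about letting one host's port 80 traffic skip it, come down to a service-policy with a redirect ACL. The following is an added example, not configuration from the thread; the host address 192.0.2.10 and the ACL/class names are constructed.

```cisco
! Constructed example: everything except HTTP from host 192.0.2.10 is
! redirected to the FirePOWER (sfr) module. A "deny" in the redirect ACL
! simply means "do not match", so that traffic stays on the ASA only,
! where it is still subject to the ASA's own stateful inspection.
access-list SFR_REDIRECT extended deny tcp host 192.0.2.10 any eq www
access-list SFR_REDIRECT extended permit ip any any
!
class-map SFR_CLASS
 match access-list SFR_REDIRECT
!
policy-map global_policy
 class SFR_CLASS
  ! fail-close drops matching traffic if the module is down;
  ! fail-open would pass it uninspected instead.
  sfr fail-close
!
service-policy global_policy global
```

`show service-policy sfr` shows the class and its packet counters, so you can confirm that the excluded host's HTTP flows are not being counted against the module.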


13 Replies


Thanks, that's a great answer :-)

I'm planning on getting 500/50 MBit/s internet and it would kinda make me sad if my joy for the ASA would detain my speed-wise needs... and of course these needs are only for the occasional download, so the probable 100 MBit/s will be fine for anything else.

I have two follow-up questions, if you would be so kind (and able..):

- If I get the ASA with security plus license, I still need to add a FirePOWER license right? And if I researched correctly, this would cost me about 150$ a year (for the "basic" FirePOWER lic)?

- What's up with this whole Meraki stuff? To be honest, I didn't really hear/read about it until a few days ago... cloud managed, ok... well this only really comes into play if you have a lot of those right? Is it worth thinking about getting any same level Meraki device instead of the 5506-X?

Thanks again and have a nice evening!

Unlike the old 5505, SecPlus is not often needed on the 5506-X, as the 5506-X doesn't have the same limitations:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-license.html#concept_6FA65A78F1FF4CF4947EEF7AC74956C0

FirePower is always licensed in addition to the base ASA. There are different licenses with different features like IPS, URL-Filtering and AMP. What is this $150 license? I only know more expensive licenses ...

Meraki? Well, it's a little bit like networking really should be. It's by far not as flexible as the regular Cisco stuff, but I assume that it's the better solution for most companies. It's much easier to manage and there is also less possibility to configure it wrong. (Minimum 70% of all ASAs I see at customers have a really bad config and are not well managed; that can all be done better with Meraki). Perhaps you qualify for a free AP when you attend a webinar: https://meraki.cisco.com/de/freeap/

I've already looked over the limitations and there's only one thing that really bugs me. That is the 5 VLAN limit. To be honest, I can get a pretty good deal on the Sec Plus ASA so I think I'll just go for it...

Well yes, the 150$ is a little bit understated.. I would need, just for example, the "L-ASA5506-TAM-1Y" right? This would cost me around 250$/year?

Thanks for the link.. I'm not sure if I qualify since my employer is a Cisco reseller. Does the reseller part only include Meraki stuff or Cisco in general? If only Meraki is included I should qualify.

I have exactly the same issue and am wondering about the performance.

I have a 500/500Mbps glass fiber internet connection, connected through 1GbE; I get around 530/530Mbps on a speedtest. I want to buy an ASA 5506-X. I'm not planning to use the FirePOWER services. I wonder if it can handle 500/500Mbps throughput.

Did you buy the 5506-X already? If so, what is your experience?

Unfortunately, I did not. Although I am going to order the ASA in the next few days, I guess it will take a few weeks until I have it up and running.

Anyway, I will post my findings here as soon as possible.


I have been putting 1 Gbit/s through the 5506 without problems in a test setup. I tested with a file transfer from one computer to another in different zones. But I have not stress tested it with max connections, because it is only used in a SOHO environment.

With basic config: NAT, FW, Inspection

Thank you for sharing. The only thing is: a file transfer is not a valid test at all. If you re-try a file transfer it is cached and it looks like you get full speed, while in fact you don't.

The best test is to use something like IPERF on the source and destination. Run a performance test with multiple sessions at the same time.

I actually did the iperf test instead, and it showed me the 1 Gbit/s on 5 concurrent sessions, I think. It was just easier to explain it as a file transfer here :)

Again, this is only a couple of connections so it can't be compared to real-world enterprise traffic, but it shows something about the performance in a SOHO environment.

Did the Remote-Access VPN test as well, and got 110-120 Mbit/s through. So again performance above the baseline.

http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

All the tests I did resulted in a CPU increase, because everything is done in software: routing, NAT, VPN, SSL offloading.

40-60% for 1 Gbit/s TCP

70-80% for 110 Mbit/s VPN

I tried the BlackNurse attack yesterday and did a test with 30 Mbit/s of small UDP packets on random ports (both blocked and allowed) as well. It all resulted in defeat of the ASA during the test.

99% for 20 Mbit/s BlackNurse/UDP traffic

Hi Karsten,

I'm about to get my free Meraki AP as well :)

I've got a Meraki AP/site deployment soon.

But I'm choosing between that and the 'free trial' option.

Which one is better?

ammann9113
Level 1

Quick update for anybody that might be interested:

I can get (probably as expected) my full 500 Mbit/s down-speed through the ASA. Currently there are just a few access rules, nothing heavy... Unfortunately I do not have the equipment to test the peak throughput, as I am currently just using one notebook and don't have anything else... Anyway, I'll be doing this probably sometime in the next 1-2 weeks.

Also the whole FirePOWER stuff... :-) I'll post anything as soon as I get to it.

I know this is sort of late, but let me share some $.02.

I had a few issues with internal systems being accessed from the outside world. Turns out TAC told me "because you have absolutely everything configured and active, well over 10k active IDS rules, and you are also doing SSL inspection, your max throughput will be limited to less than 3Mbps".

So watch out for the Fort Knox type of config. Looks great on paper but it can definitely hog your device to death.

I have balanced my rules to the point where I have as much active as I can, and I can still peak my 150Mbps up/down traffic with some spare change.

Enjoy your new toy ;)
