05-11-2012 09:36 AM - edited 03-11-2019 04:05 PM
Hello all!
We're currently evaluating our options in regards to firewalls at the company I work for. We currently have 2 PIX 515e's in a HA pair that we are looking to replace. On the Cisco side of things we are looking hard at the new -X line of ASA appliances, specifically the 5515-X and the 5525-X. We have about 200ish users right now with the very likely potential to double that in the next year. Of the three primary applications we use, 1 of them is web based; the others reside in house.
The reality is that no matter which direction we go in, anything will be an improvement over what we have right now; however, we would still like to make the best choice possible. Does anyone know the real under-the-hood, so to speak, differences between the new ASA-X line and the older ASA line? Like which processors they use, etc.? Also, I know the 5515-X would be more than sufficient for the users we have now and even the users we will have in the future; however, what would the real world impact between the 5515-X and 25-X be?
I realize these are somewhat vague and general questions; however, I appreciate any insight the community would be willing to offer.
05-11-2012 10:01 AM
Additionally, the information below is formatted more for comparing the old with the new. You may wish to copy it into Word or something for a better view.
Cisco ASA Model | ASA 5505 | ASA 5510 | ASA 5512-X | ASA 5515-X |
Firewall Throughput (Max)1 | 150 Mbps | 300 Mbps | 1 Gbps | 1.2 Gbps |
Firewall Throughput (Multi-Protocol) | - | - | 500 Mbps | 600 Mbps |
Concurrent Threat Mitigation Throughput (Firewall + IPS Services) | 75 Mbps with AIP SSC-5 | 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 | 250 Mbps | 400 Mbps |
Maximum Firewall Connections | 10,000 /25,000 | 50,000 /130,000 | 100,000 | 250,000 |
Maximum Firewall Connections/Second | 4,000 | 9,000 | 10,000 | 15,000 |
Packets per second (64 byte) | 85,000 | 190,000 | 450,000 | 500,000 |
Maximum 3DES/AES VPN Throughput2 | 100 Mbps | 170 Mbps | 200 Mbps | 250 Mbps |
Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 10/25 | 250 | 250 | 250 |
Maximum AnyConnect or Clientless VPN User Sessions | 25 | 250 | 250 | 250 |
Bundled SSL VPN User Sessions | 2 | 2 | 2 | 2 |
VLANs | 3 (trunking disabled) /20 (trunking enabled) | 50 / 100 | 50 | 100 |
High-Availability Support3 | Not supported | A/A and A/S | Not supported | A/A and A/S |
1 Maximum throughput measured under ideal test conditions.
2 VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning.
3 A/A = Active/Active; A/S = Active/Standby
Cisco ASA Model | ASA 5520 | ASA 5525-X | ASA 5540 | ASA 5545-X | ASA 5550 | ASA 5555-X |
Firewall Throughput (Max)1 | 450 Mbps | 2 Gbps | 650 Mbps | 3 Gbps | 1.2 Gbps | 4 Gbps |
Firewall Throughput (Multi-Protocol) | - | 1 Gbps | - | 1.5 Gbps | - | 2 Gbps |
Concurrent Threat Mitigation Throughput (Firewall + IPS Services) | 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 | 600 Mbps | 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 | 900 Mbps | Not Available | 1.3 Gbps |
Maximum Firewall Connections | 280,000 | 500,000 | 400,000 | 750,000 | 650,000 | 1,000,000 |
Maximum Firewall Connections/Second | 12,000 | 20,000 | 25,000 | 30,000 | 33,000 | 50,000 |
Packets per second (64 byte) | 320,000 | 700,000 | 500,000 | 900,000 | 600,000 | 1,100,000 |
Maximum 3DES/AES VPN Throughput2 | 225 Mbps | 300 Mbps | 325 Mbps | 400 Mbps | 425 Mbps | 700 Mbps |
Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 750 | 750 | 5,000 | 2,500 | 5,000 | 5,000 |
Maximum AnyConnect or Clientless VPN User Sessions | 750 | 750 | 2,500 | 2,500 | 5,000 | 5,000 |
Bundled SSL VPN User Sessions | 2 | 2 | 2 | 2 | 2 | 2 |
VLANs | 150 | 200 | 200 | 300 | 400 | 500 |
High-Availability Support3 | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
Cisco ASA Model | ASA 5585-X with SSP10 | ASA 5585-X with SSP20 | ASA 5585-X with SSP40 | ASA 5585-X with SSP60 | ASA Services Module |
Firewall Throughput (Max)1 | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps |
Firewall Throughput (Multi-Protocol) | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps | 16 Gbps |
Maximum Firewall Connections | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 | 10,000,000 |
Maximum Firewall Connections/Second | 50,000 | 125,000 | 200,000 | 350,000 | 300,000 |
Packets Per Second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,000,000 | 5,000,000 |
Maximum 3DES/AES VPN Throughput2 | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps | Available mid CY2012 |
Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 5,000 | 10,000 | 10,000 | 10,000 | Available mid CY2012 |
Maximum AnyConnect or Clientless VPN User Sessions | 5,000 | 10,000 | 10,000 | 10,000 | Available mid CY2012 |
Bundled SSL VPN User Session | 2 | 2 | 2 | 2 | Available mid CY2012 |
VLANs | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
High-Availability Support3 | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
Kind Regards,
Kevin
Please rate helpful posts as well as mark your question as answered once the issue is resolved. This will allow people to find this solution easier.
05-11-2012 03:57 PM
Besides the performance numbers cited above, the new boxes do all use new processors and the ASA systems software is running in 64-bit mode. That's how the performance jumps so markedly.
There are other nice touches like a USB port that can be used with a standard USB stick to save backups, load software etc. - no more CF card as disk1.
05-11-2012 09:54 AM
The new x line of ASA's are exceptionally "better" in regards to processing, throughput, and overall performance.
You can find the information you're looking for at...
OLD ASAs
NEW X SERIES ASAs
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
I have also pasted the x-series information below.
Kind Regards,
Kevin
Please rate helpful posts as well as mark your question as answered once the issue is resolved. This will allow people to find this solution easier.
05-16-2012 06:10 AM
Thanks guys, we're still working through our options on this one but I appreciate the input.