
New ASA-X line

MooreIT01
Level 1

Hello all!

We're currently evaluating our options in regards to firewalls at the company I work for.  We currently have 2 PIX 515e's in a HA pair that we are looking to replace.  On the Cisco side of things we are looking hard at the new -X line of ASA appliances, specifically the 5515-X and the 5525-X.  We have about 200ish users right now with the very likely potential to double that in the next year.  Of the three primary applications we use, 1 of them is web based; the others reside in house.

The reality is that no matter which direction we go in, anything will be an improvement over what we have right now; however, we would still like to make the best choice possible.  Does anyone know the real under-the-hood, so to speak, differences between the new ASA-X line and the older ASA line?  Like which processors they use, etc.?  Also, I know the 5515-X would be more than sufficient for the users we have now and even the users we will have in the future; however, what would the real-world impact between the 5515-X and 25-X be?

I realize these are somewhat vague and general questions; however, I appreciate any insight the community would be willing to offer.

4 Replies

Kevin P Sheahan
Level 5

The new X line of ASAs are exceptionally "better" in regards to processing, throughput, and overall performance.

You can find the information you're looking for at...

OLD ASAs

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

NEW X SERIES ASAs

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html

I have also pasted the X-series information below.

| | ASA 5512-X | ASA 5515-X | ASA 5525-X | ASA 5545-X | ASA 5555-X |
|---|---|---|---|---|---|
| Firewall throughput (maximum) | 1 Gbps | 1.2 Gbps | 2 Gbps | 3 Gbps | 4 Gbps |
| Firewall throughput (multiprotocol) | 500 Mbps | 600 Mbps | 1 Gbps | 1.5 Gbps | 2 Gbps |
| Connections per second | 9,000 | 10,000 | 20,000 | 30,000 | 50,000 |
| Concurrent connections | 100,000 | 250,000 | 500,000 | 750,000 | 1,000,000 |
| Concurrent firewall and IPS throughput | 250 Mbps | 400 Mbps | 600 Mbps | 900 Mbps | 1.3 Gbps |
| 3DES/AES VPN throughput (maximum) | 200 Mbps | 250 Mbps | 300 Mbps | 400 Mbps | 700 Mbps |
| Integrated GE copper I/O ports | 6 | 6 | 8 | 8 | 8 |
| Expansion I/O | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP | 6-port GE Cu or 6-port GE SFP |
| VLANs | 50 | 100 | 200 | 300 | 500 |
| Security contexts (included/maximum) | 0/0 | 2/5 | 2/20 | 2/50 | 2/100 |
| ASA OS | 64-bit | 64-bit | 64-bit | 64-bit | 64-bit |

Kind Regards,

Kevin

Please rate helpful posts as well as mark your question as answered once the issue is resolved. This will allow people to find this solution easier.

Kind Regards, Kevin Sheahan, CCIE # 41349

Kevin P Sheahan
Level 5

Additionally, the information below is formatted more for comparing the old with the new. You may wish to copy it into Word or something for a better view.





| Cisco ASA Model | ASA 5505 | ASA 5510 | ASA 5512-X | ASA 5515-X |
|---|---|---|---|---|
| Firewall Throughput (Max) [1] | 150 Mbps | 300 Mbps | 1 Gbps | 1.2 Gbps |
| Firewall Throughput (Multi-Protocol) | - | - | 500 Mbps | 600 Mbps |
| Concurrent Threat Mitigation Throughput (Firewall + IPS Services) | 75 Mbps with AIP SSC-5 | 150 Mbps with AIP SSM-10; 300 Mbps with AIP SSM-20 | 250 Mbps | 400 Mbps |
| Maximum Firewall Connections | 10,000 / 25,000 | 50,000 / 130,000 | 100,000 | 250,000 |
| Maximum Firewall Connections/Second | 4,000 | 9,000 | 10,000 | 15,000 |
| Packets per second (64 byte) | 85,000 | 190,000 | 450,000 | 500,000 |
| Maximum 3DES/AES VPN Throughput [2] | 100 Mbps | 170 Mbps | 200 Mbps | 250 Mbps |
| Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 10/25 | 250 | 250 | 250 |
| Maximum AnyConnect or Clientless VPN User Sessions | 25 | 250 | 250 | 250 |
| Bundled SSL VPN User Sessions | 2 | 2 | 2 | 2 |
| VLANs | 3 (trunking disabled) / 20 (trunking enabled) | 50 / 100 | 50 | 100 |
| High-Availability Support [3] | Not supported | A/A and A/S | Not supported | A/A and A/S |

[1] Maximum throughput measured under ideal test conditions
[2] VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning
[3] A/A = Active/Active; A/S = Active/Standby

| Cisco ASA Model | ASA 5520 | ASA 5525-X | ASA 5540 | ASA 5545-X | ASA 5550 | ASA 5555-X |
|---|---|---|---|---|---|---|
| Firewall Throughput (Max) [1] | 450 Mbps | 2 Gbps | 650 Mbps | 3 Gbps | 1.2 Gbps | 4 Gbps |
| Firewall Throughput (Multi-Protocol) | - | 1 Gbps | - | 1.5 Gbps | - | 2 Gbps |
| Concurrent Threat Mitigation Throughput (Firewall + IPS Services) | 225 Mbps with AIP SSM-10; 375 Mbps with AIP SSM-20; 450 Mbps with AIP SSM-40 | 600 Mbps | 500 Mbps with AIP SSM-20; 650 Mbps with AIP SSM-40 | 900 Mbps | Not Available | 1.3 Gbps |
| Maximum Firewall Connections | 280,000 | 500,000 | 400,000 | 750,000 | 650,000 | 1,000,000 |
| Maximum Firewall Connections/Second | 12,000 | 20,000 | 25,000 | 30,000 | 33,000 | 50,000 |
| Packets per second (64 byte) | 320,000 | 700,000 | 500,000 | 900,000 | 600,000 | 1,100,000 |
| Maximum 3DES/AES VPN Throughput [2] | 225 Mbps | 300 Mbps | 325 Mbps | 400 Mbps | 425 Mbps | 700 Mbps |
| Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 750 | 750 | 5,000 | 2,500 | 5,000 | 5,000 |
| Maximum AnyConnect or Clientless VPN User Sessions | 750 | 750 | 2,500 | 2,500 | 5,000 | 5,000 |
| Bundled SSL VPN User Sessions | 2 | 2 | 2 | 2 | 2 | 2 |
| VLANs | 150 | 200 | 200 | 300 | 400 | 500 |
| High-Availability Support [3] | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |

[1] Maximum throughput measured under ideal test conditions
[2] VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning
[3] A/A = Active/Active; A/S = Active/Standby


| | ASA 5585-X with SSP10 | ASA 5585-X with SSP20 | ASA 5585-X with SSP40 | ASA 5585-X with SSP60 | ASA Services Module |
|---|---|---|---|---|---|
| Firewall Throughput (Max) [1] | 4 Gbps | 10 Gbps | 20 Gbps | 40 Gbps | 20 Gbps |
| Firewall Throughput (Multi-Protocol) | 2 Gbps | 5 Gbps | 10 Gbps | 20 Gbps | 16 Gbps |
| Maximum Firewall Connections | 1,000,000 | 2,000,000 | 4,000,000 | 10,000,000 | 10,000,000 |
| Maximum Firewall Connections/Second | 50,000 | 125,000 | 200,000 | 350,000 | 300,000 |
| Packets Per Second (64 byte) | 1,500,000 | 3,000,000 | 5,000,000 | 9,000,000 | 5,000,000 |
| Maximum 3DES/AES VPN Throughput [2] | 1 Gbps | 2 Gbps | 3 Gbps | 5 Gbps | Available mid CY2012 |
| Maximum Site-to-Site and IPsec IKEv1 Client VPN User Sessions | 5,000 | 10,000 | 10,000 | 10,000 | Available mid CY2012 |
| Maximum AnyConnect or Clientless VPN User Sessions | 5,000 | 10,000 | 10,000 | 10,000 | Available mid CY2012 |
| Bundled SSL VPN User Session | 2 | 2 | 2 | 2 | Available mid CY2012 |
| VLANs | 1,024 | 1,024 | 1,024 | 1,024 | 1,000 |
| High-Availability Support [3] | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |

[1] Maximum throughput measured under ideal test conditions
[2] VPN throughput and sessions count depend on the ASA device configuration and VPN traffic patterns. These elements should be taken into consideration as part of your capacity planning
[3] A/A = Active/Active; A/S = Active/Standby

Kind Regards,

Kevin


Marvin Rhoads
Hall of Fame

Besides the performance numbers cited above, the new boxes do all use new processors and the ASA systems software is running in 64-bit mode. That's how the performance jumps so markedly.

There are other nice touches like a USB port that can be used with a standard USB stick to save backups, load software etc. - no more CF card as disk1.

Thanks guys, we're still working through our options on this one but I appreciate the input.
