Cisco ASA5510 Vs ASA5512-X or 5515-X

The Cisco ASA product line for small and branch offices includes 4 ASA models:

  • ASA5505 (either Basic License or Security Plus License)
  • ASA5510 (either Basic License or Security Plus License)
  • ASA5512-X (either Basic License or Security Plus License)
  • ASA5515-X

In this article I will describe the main differences between the ASA5510 and the newest generation ASA5512-X and ASA5515-X models. I have chosen these 3 models because Cisco ASA5512-X and 5515-X are recommended by Cisco as replacement models for the older 5510 firewall which will reach end-of-sale on September 16, 2013.

Specifically, Cisco recommends the following hardware migration path for the models above:

Older ASA Model                     Recommended Replacement Model
ASA 5510 (Basic License)            ASA 5512-X Basic License
ASA 5510 (Security Plus License)    ASA 5512-X Security Plus License OR ASA 5515-X

As you can see above, both the 5510 and the 5512-X are offered with two types of licenses: Basic License (this is the default license type when you purchase) or a Security Plus License which costs extra money. On the other hand, the ASA5515-X comes with a single default license (there is no security plus license on this model).

The Security Plus license on the 5510 and 5512-X allows some enhancements such as additional VLANs (from 50 to 100), additional concurrent firewall sessions (on the 5510 model) etc. The most notable improvement offered by the Security Plus license on both 5510 and 5512-X is the device Failover support. It allows the devices to work in Active/Active or Active/Standby failover. This feature is not supported on the Basic license. (The 5515-X supports A/A and A/S failover by default).

The table below shows the most important differences between ASA5510 and 5512-X / 5515-X appliances.

Spec.                                       | ASA5510                                                   | ASA5512-X                                         | ASA5515-X
Max Firewall Throughput                     | 300 Mbps max                                              | 1 Gbps                                            | 1.2 Gbps
IPS Support                                 | Needs extra hardware module                               | Supported with NO extra hardware                  | Supported with NO extra hardware
3DES/AES VPN Throughput                     | 170 Mbps                                                  | 200 Mbps                                          | 250 Mbps
IPSEC Site-to-Site and Client VPN sessions  | 250                                                       | 250                                               | 250
Anyconnect SSL VPN User Sessions            | 250                                                       | 250                                               | 250
Integrated Ethernet Interfaces              | 5×10/100 FE, OR 2×10/100/1000 and 3×10/100 with SecPlus   | 6×10/100/1000                                     | 6×10/100/1000
Next Generation Firewall Features           | Not Supported                                             | Supported (extra license or subscription needed)  | Supported (extra license or subscription needed)

Regarding network interfaces, the 5510 basic license supports only FastEthernet (10/100 FE) interfaces while the 5512-X and 5515-X support Gigabit (10/100/1000) copper interfaces. So, if you are migrating the configuration of an ASA5510 to a new 5512-X or 5515-X you need to take into consideration the interface command syntax.

The interface configuration of these devices will look like the following:

ASA 5510 Interface Configuration

! Physical Interface
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

! Creating Subinterfaces on interface E0/2
interface Ethernet0/2
no nameif
no security-level
no ip address
no shutdown

interface Ethernet0/2.10
vlan 10
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0

ASA 5512-X or 5515-X Interface Configuration

! Physical Interface
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

! Creating Subinterfaces on interface GE0/2
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
no shutdown

interface GigabitEthernet0/2.10
vlan 10
nameif fw-out
security-level 50
ip address 172.16.61.1 255.255.255.0

So, as you can see, when migrating from a 5510 to a 5512-X or 5515-X you need to rename the interfaces in the configuration (Ethernet0/N becomes GigabitEthernet0/N, including any subinterfaces and every other command that references the interface name). Other than that, almost all the other core firewall commands stay the same.
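As an added example (not code from the article), the following Python script performs the rename described above on a constructed ASA 5510 configuration fragment and then checks that every interface block survived the migration with the same nameif, security-level, IP address and VLAN. The sample config, the assumption that Management0/0 keeps its name on the 5500-X models, and the check for named interfaces that lost their explicit security-level (the ASA would otherwise fall back to a default level) are all part of this example, not the original page.

```python
import re

# Constructed sample ASA 5510 configuration fragment: the interface blocks from
# the article plus a Management0/0 block added for illustration.
ASA5510_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2.10
 vlan 10
 nameif fw-out
 security-level 50
 ip address 172.16.61.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
"""

# 5510 physical and sub-interface names: Ethernet<slot>/<port>[.<subif>].
# The leading \b keeps an already-renamed GigabitEthernet0/1 from matching again,
# and Management0/0 is left alone (assumption: it keeps its name on the 5500-X).
IFACE_RE = re.compile(r"\bEthernet(\d+/\d+(?:\.\d+)?)\b")

TRACKED = ("nameif", "security-level", "ip address", "vlan")


def rename_interfaces(config: str) -> str:
    """Rewrite every Ethernet0/N[.M] reference to GigabitEthernet0/N[.M]."""
    return IFACE_RE.sub(r"GigabitEthernet\1", config)


def parse_interfaces(config: str) -> dict:
    """Return {interface name: {attribute: value}} for each 'interface' block.
    A negated command ('no nameif') is stored as None; 'shutdown' becomes a bool."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):  # top-level command starts a new block (or none)
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                blocks[current] = {}
            continue
        if current is None:
            continue
        cmd = line.strip()
        negated = cmd.startswith("no ")
        if negated:
            cmd = cmd[3:]
        if cmd == "shutdown":
            blocks[current]["shutdown"] = not negated
            continue
        for key in TRACKED:
            if cmd == key or cmd.startswith(key + " "):
                blocks[current][key] = None if negated else cmd[len(key):].strip()
                break
    return blocks


def verify_migration(old_config: str, new_config: str) -> list:
    """Check that every interface block of the old config survived the rename with the
    same nameif, security-level, address and VLAN, and flag named interfaces that have
    no explicit security-level (the ASA would then apply a default level).
    Returns a list of findings; an empty list means the migration looks consistent."""
    old, new = parse_interfaces(old_config), parse_interfaces(new_config)
    findings = []
    for name, attrs in old.items():
        target = IFACE_RE.sub(r"GigabitEthernet\1", name)
        if target not in new:
            findings.append(f"{target}: block missing from migrated config (was {name})")
            continue
        for key in TRACKED:
            if attrs.get(key) != new[target].get(key):
                findings.append(
                    f"{target}: {key} changed from {attrs.get(key)!r} to {new[target].get(key)!r}"
                )
    for name, attrs in new.items():
        if attrs.get("nameif") and attrs.get("security-level") is None:
            findings.append(f"{name}: named interface without an explicit security-level")
    return findings


if __name__ == "__main__":
    migrated = rename_interfaces(ASA5510_CONFIG)
    print(migrated)
    print("findings:", verify_migration(ASA5510_CONFIG, migrated) or "none")
```

Running the script on a full exported 5510 configuration instead of the sample would rename interface references in access-group, route, nat and similar commands as well, since the substitution is applied to the whole text; the verification step is what tells you whether any block was lost or altered along the way.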

Cisco ASA CX Security Module

The new series of Cisco ASA devices (ASA 5500-X models which include 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X) have the capabilities to support Next Generation Firewall Security Services. They support these security services as cloud-based services (such as Cloud Web Security and Web Security Essentials) or as software based modules which do not need additional hardware (only a license to use the module). One of the prevalent security services modules is the ASA CX. This module has …

Site-to-Site IPSEC VPN Between Cisco ASA and pfSense

IPSEC is a standardized protocol (IETF standard) which means that it is supported by many different vendors. Therefore if you want to create a VPN between different vendor devices, then IPSEC VPN is the way to go. In this article we will see a site-to-site VPN using the IPSEC protocol between a Cisco ASA and a pfSense firewall. pfSense is an open source distribution of FreeBSD customized for use as a firewall and router. You can install pfSense on a PC with two (or more) NICs, essentially …

Site-to-Site IPSEC VPN Between Two Cisco ASA – one with Dynamic IP

Cisco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1: Cisco Adaptive Security Appliance (ASA)

In this article, we will focus on site-to-site IPsec implementation between two Cisco ASA 5520 appliances, as shown in Figure 2. The outside interface of ASA1 is assigned a dynamic IP address by the service provider over DHCP, while …

Which New Cisco ASA Topics Are You Interested in? Vote Below

I have published “Cisco ASA Firewall Fundamentals” in 2008 and have already updated the ebook to 2nd Edition a few years after its initial launch. However, Cisco is continuously evolving the ASA Firewall line both in terms of hardware capabilities and software features as well. I’m planning therefore to update my ebook and create a 3rd Edition of “Cisco ASA Firewall Fundamentals” in the near future. I would like to ask for your feedback regarding the topics you would like to see in …

Cisco VPN Configuration Guide – By Harris Andrea

I wanted to let you know about my new eBook “Cisco VPN Configuration Guide” which I have launched recently. This ebook (PDF Format) consists of 240 pages filled with raw practical concepts, step-by-step configuration tutorials, around 40 colorful network diagrams to explain the scenarios, troubleshooting instructions, 20 complete configurations on actual devices etc. There is no fluff or redundant information. There is a little bit (2-3 pages) of basic theory (especially on IPSEC …

Cisco Spanning Tree Protocol Discussion

Spanning Tree Protocol (STP) ensures a loop-free topology in a local area network (LAN) made up of switches. It is desirable to have redundant links in a switched LAN so that a single link failure cannot interrupt normal operation of the network. But redundant links may also introduce physical switching loops that are undesirable. STP allows you to have physical redundancy while preventing loops and their associated drawbacks. Spanning Tree Protocol is standardized as IEEE 802.1D. Cisco introduced several …

How to Configure DDNS on Cisco Routers

The Internet uses IP addresses to refer to all resources but IP addresses are difficult to remember for humans. We instead use easy-to-remember domain names such as www.networkstraining.com to refer to Internet resources. Domain Name System (DNS) is the Internet directory service that automatically translates domain names to corresponding IP addresses. Dynamic Domain Name System (DDNS) is a method to update a Domain Name System (DNS) in real time to point to a changing IP address of a resource …

IPsec Tunnel vs Transport Mode

IP Security (IPsec) is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec devices also known as IPsec peers. IPsec has two modes of operation: Tunnel mode: The entire original IP packet is protected (encrypted, authenticated, or both) in tunnel …

Cisco ASA Firewall Version 9.0 Released

Cisco released a new Cisco ASA software version 9.0 recently and I wanted to inform you about the most notable new features of this release and also about some other important changes you need to keep in mind before upgrading. Upgrade Notes: If you upgrade to version 9.0 from any previous ASA version (8.x) then you can’t go back to your previous configuration since there are some important changes on Access Control Lists (ACL) after upgrading to 9.0 software. You MUST backup the original …

How to Configure IPv6 Address on Cisco Routers

IP version 6 (IPv6) is a new version of the Internet Protocol (IP), intended to replace the older IPv4 which is still employed on the vast majority of Internet hosts. IPv6 increases the IP address size from 32 bits to 128 bits to support a much greater number of addressable hosts. IPv4 can support 2^32 = 4,294,967,296 or over four billion unique addresses but this address space has almost exhausted due to immense expansion in the size of the Internet over the years. IPv6 on the other hand can …

Configuring Access Lists on Cisco Routers

An access list is simply a list of conditions or statements that can match or categorize packets in a number of different ways. Access lists are also known as access control lists (ACLs) while individual entries or statements in an access list are called access control entries (ACEs). Access lists are primarily used for traffic filtering but they also have several other uses like management access control, route advertisement filtering, debug output filtering, and traffic identification for …

Configuring OSPF on Cisco Routers

Open Shortest Path First (OSPF) is a routing protocol developed by the Internet Engineering Task Force (IETF). OSPF is standards-based which means it is available on routers by Cisco as well as other vendors, making it a vendor-neutral routing protocol. This is in contrast to Enhanced Interior Gateway Routing Protocol (EIGRP) that is Cisco proprietary, and hence available only on Cisco routers. OSPF divides its routing domain into smaller sub-divisions called areas. These OSPF areas are numbered and each …