Although Cisco created a new series of ASA appliances (5500-X series), there are hundreds of thousands of older Cisco ASA 5500 models installed and working in networks all over the world.
If you are one of those professionals considering an upgrade of your older ASA5500 appliances to the new “X” models, I have prepared a comparison article for you with the most important similarities and differences between the two ASA generations.
First, let’s see what Cisco recommends as replacement models for the older ASA5500:
| Older ASA5500 Models | Suggested Replacement 5500-X Model |
|---|---|
| ASA 5505 | (no new model) |
| | ASA 5512-X or ASA 5515-X |
Next let’s discuss the similarities between the two ASA generations.
The major similarity between the ASA5500 and ASA5500-X generations lies in core firewall functionality and configuration. That is, the major firewall features (NAT, Access Control Lists, VPN configuration, routing, failover configuration, traffic inspection, modular policies, file system management, VLANs and subinterfaces, authentication, etc.) are configured exactly the same on both ASA5500 and ASA5500-X models. In fact, the new software version 9.X runs on both ASA series.
So, if you have an existing ASA5500 model which works as a regular firewall and you don’t need any of the new fancy features (called “Next Generation Firewall” features), then you can stay with your current model for now. Note, though, that Cisco has announced September 16, 2013 as the End-of-Sale date for the 5500 models. The last date of support for the 5500 generation is September 30, 2018.
Of course, with every new generation of appliances the new models are almost always improved in terms of both hardware and software capabilities. Let’s see the major differences in bullet form.
- The new 5500-X models provide around 4 times more firewall throughput than the older 5500 models. Also, they offer 60% higher VPN throughput.
- The new 5500-X models run on multicore 64-bit processors, compared with the single-core 32-bit processors of the older ASA models.
- The new 5500-X models support Next-Generation Firewall Services either as cloud-based services (such as Cloud Web Security and Web Security Essentials) or as software-based modules which do not need additional hardware (only a license to use the software module). You should note, however, that the “Next-Generation Firewall Services” cost extra money in addition to the core firewall appliance. You will need either to purchase a Cloud Subscription or to purchase software licenses (for the IPS software module, for example).
- For Intrusion Prevention (IPS) functionality you don’t need an additional hardware module as on the older 5500 generation. You can enable an embedded IPS on any 5500-X model by purchasing a software license.
- More network interfaces are available on the 5500-X models (up to 14 Gigabit Ethernet ports).
- On ASA5500-X models the management interface port is shared between the firewall and the embedded IPS module. Also, the management port on the ASA5500-X cannot be used as a data port. Remember that on the older 5500 models you could use the management port as a data port as well (as a regular interface). This is not supported on 5500-X models: the management port is only for management of the appliance.
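As an added illustration of the last point (example configuration written for this article, not taken from Cisco documentation), this is how a management-only interface on a 5500-X is typically configured so that SSH and ASDM access is accepted only from the management network. The interface name, IP addresses and the management subnet 10.10.10.0/24 are assumed values.

```cisco
! Added example: dedicated management interface on an ASA 5500-X.
! "management-only" keeps through-traffic off this port; on the 5500-X
! the port cannot be turned into a data interface anyway.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Allow remote administration only from the management subnet and only
! through the management interface (assumed subnet 10.10.10.0/24).
ssh 10.10.10.0 255.255.255.0 management
ssh version 2
http server enable
http 10.10.10.0 255.255.255.0 management
!
! On an older 5500 model the same port could also serve as a regular
! data interface; the 5500-X reserves it for appliance management and
! for the embedded IPS module, which shares this physical port.
```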
These are the main differences between the two ASA generations. The new ebook I’m working on right now (“Cisco ASA Firewall Fundamentals-3rd Edition”) will be applicable to both ASA5500 and ASA5500-X (regarding the core firewall functionality of the appliances), and will also cover the newest ASA version 9.X.
I hope you found my article useful. Talk to you soon.