First Published: January 1, 2010

Cisco Secure Firewall ASA Compatibility

This document lists the Secure Firewall ASA software and hardware compatibility and requirements.

ASA and ASDM compatibility per model

This section lists ASA and ASDM compatibility per model.

On the Cisco Support & Download site, the suggested release is marked with a gold star. For example:

Note

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.

ASA 9.24

Releases in bold are the recommended versions.

Note

ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.22(1) can manage an ASA 5516-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.23 with ASA 9.24. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.24(1.2) with ASDM 7.24(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

Table 1. ASA and ASDM Compatibility: 9.24
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Secure Firewall 220	Firepower 1010 1010E 1120 1140 1150	Secure Firewall 1210CE 1210CP 1220CX	Secure Firewall 1230 1240 1250	Secure Firewall 3105 3110 3120 3130 3140	Firepower 4112 4115 4125 4145	Secure Firewall 4215 4225 4245	Secure Firewall 6160 6170	Firepower 9300	ISA 3000
9.24(1)	7.24(1)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES

ASA 9.23 and 9.22

Releases in bold are the recommended versions.

Note

ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.22(1) can manage an ASA 5516-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.20 with ASA 9.22. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.22(1.2) with ASDM 7.22(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

Table 2. ASA and ASDM Compatibility: 9.23 and 9.22
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Firepower 1010 1010E 1120 1140 1150	Secure Firewall 1210CE 1210CP 1220CX	Secure Firewall 1230 1240 1250	Secure Firewall 3105 3110 3120 3130 3140	Firepower 4112 4115 4125 4145	Secure Firewall 4215 4225 4245	Firepower 9300	ISA 3000
9.23(1)	7.23(1)	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.22(2)	7.22(1)	YES	YES	YES	—	YES	YES	YES	YES	YES
9.22(1.1)	7.22(1)	YES	YES	YES	—	YES	YES	YES	YES	YES

ASA 9.20 and 9.19

Note

ASA 9.20(x) was the final version for the Firepower 2100 series.
ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.19(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:
- For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.18 with ASA 9.19. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.20(1.5) with ASDM 7.20(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

Table 3. ASA and ASDM Compatibility: 9.20 and 9.19
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Firepower 1010 1120 1140 1150	Firepower 1010E	Firepower 2110 2120 2130 2140	Secure Firewall 3105 3110 3120 3130 3140	Firepower 4112 4115 4125 4145	Secure Firewall 4215 4225 4245	Firepower 9300	ISA 3000
9.20(4)	7.20(4)	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.20(3)	7.20(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.20(2)	7.20(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.20(1)	7.20(1)	—	—	—	—	—	—	YES	—	—
9.19(1)	7.19(1)	YES	YES	—	YES	YES	YES	—	YES	YES

ASA 9.18 to 9.17

Note

ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.17(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:
- For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.17 with ASA 9.18. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.17(1.2) with ASDM 7.17(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.
ASA 9.17(1.13) and 9.18(2) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 4. ASA and ASDM Compatibility: 9.18 to 9.17
ASA	ASDM	ASA Model
ASA	ASDM	ASA Virtual	Firepower 1010 1120 1140 1150	Firepower 1010E	Firepower 2110 2120 2130 2140	Secure Firewall 3110 3120 3130 3140	Firepower 4110 4112 4115 4120 4125 4140 4145 4150	Firepower 9300	ISA 3000
9.18(4)	7.19(1)95	YES	YES	YES	YES	YES	YES	YES	YES
9.18(3)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES	YES
9.18(2.218)	7.18(2.1)	—	—	YES	—	—	—	—	—
9.18(2)	7.18(1.152)	YES	YES	—	YES	YES	YES	YES	YES
9.18(1)	7.18(1)	YES	YES	—	YES	YES	YES	YES	YES
9.17(1.13)	7.18(1.152)	YES	YES	—	YES	YES	YES	YES	YES
9.17(1)	7.17(1.155)	YES	YES	—	YES	YES	YES	YES	YES

ASA 9.16

Note

ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.
ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.15(1) can manage an ASA 5516-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.15 with ASA 9.16. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.16(1.15) with ASDM 7.16(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.
ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 5. ASA and ASDM Compatibility: 9.16
ASA	ASDM	ASA Model
ASA	ASDM	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASAv	Firepower 1010 1120 1140 1150	Firepower 2110 2120 2130 2140	Firepower 4110 4112 4115 4120 4125 4140 4145 4150	Firepower 9300	ISA 3000
9.16(4)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES
9.16(3.19)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES
9.16(3)	7.16(1.150)	YES	YES	YES	YES	YES	YES	YES
9.16(2)	7.16(1.150)	YES	YES	YES	YES	YES	YES	YES
9.16(1)	7.16(1)	YES	YES	YES	YES	YES	YES	YES

ASA 9.12

Note

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).
New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.
ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)

Table 6. ASA and ASDM Compatibility: 9.12
ASA	ASDM	ASA Model
ASA	ASDM	ASA 5506-X 5506H-X 5506W-X 5508-X 5516-X	ASA 5512-X 5515-X 5525-X 5545-X 5555-X	ASA 5585-X	ASAv	ASASM	Firepower 2110 2120 2130 2140	Firepower 4110 4120 4140 4150	Firepower 4115 4125 4145	Firepower 9300	ISA 3000
9.12(4.50)	7.18(1.152)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(4)	7.12(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(3)	7.12(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(2)	7.12(2)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES
9.12(1)	7.12(1)	YES	YES	YES	YES	YES	YES	YES	YES	YES	YES

ASA and VPN compatibility

For ASA and VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

For the Firepower 4100/9300, you must maintain compatibility between FXOS and all ASA and Firewall Threat Defense logical devices. Upgrade FXOS before you upgrade the sofware. The bold versions the the following table are specially-qualified (enhanced testing) companion releases. Use these combinations whenever possible.

Note that for other device models, the FXOS compatibility work is done for you. In most cases, upgrading the software automatically upgrades FXOS. For the Secure Firewall 3100/4200 in multi-instance mode, the Firewall Management Center guides you through upgrading FXOS and then Firewall Threat Defense.

To upgrade:

FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. (FXOS 2.0.1–2.2.1 can upgrade as far as 2.8.1. For versions earlier than 2.0.1, you need to upgrade to each intermediate version.) Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:
1. FXOS 2.2 → FXOS 2.11 (the highest version that supports 9.8)
2. ASA 9.8 → ASA 9.17 (the highest version supported by 2.11)
3. FXOS 2.11 → FXOS 2.13
4. ASA 9.17 → ASA 9.19
Firewall Threat Defense: Interim upgrades may be required for Firewall Threat Defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the Firewall Management Center upgrade guide for your version.
ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.

Note

FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.

Table 7. Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

FXOS Version

Model

ASA Version

Firewall Threat Defense Version

2.18

Firepower 4112

9.24 (recommended)

9.23

9.22

9.20

9.19

10.x (recommended)

7.7

7.6

7.4

7.3

Firepower 4145

Firepower 4125

Firepower 4115

9.24 (recommended)

9.23

9.22

9.20

9.19

10.x (recommended)

7.7

7.6

7.4

7.3

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.17

Firepower 4112

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 4145

Firepower 4125

Firepower 4115

9.23 (recommended)

9.22

9.20

9.19

9.18

7.7 (recommended)

7.6

7.4

7.3

7.2

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.16

Firepower 4112

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 4145

Firepower 4125

Firepower 4115

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.14(1)

Firepower 4112

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.14

7.2 (recommended)

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.14

7.1 (recommended)

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.14

9.12

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.14

9.12

9.8

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.14

7.0 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.14

9.12

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.14

9.12

9.8

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.14

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.14

9.12

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14

9.12

9.8

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.12

Note

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.12

9.8

6.6 (recommended)

Note

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)

Note

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

6.4 (recommended)

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

6.2.3.16+ requires FXOS 2.3.1.157+

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Firewall Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

ASA and FXOS bundle versions

ASA platforms utilize FXOS as an underlying operating system that is included in the ASA unified image bundles. The following table lists the ASA and FXOS versions in each released bundle. The Firepower 4100/9300 are the exception; they use FXOS directly as the chassis manager while installing the ASA image as a logical device.

Note

You cannot install ASA or FXOS separately; you must install them both as part of the bundle.

Table 8. ASA and FXOS Bundle Versions
ASA Bundle Version	FXOS Version
9.24.1	2.18(0.520)
9.23(1)	2.17(0.518)
9.22(2)	2.16(0.111)
9.22(1)	2.16(0.128)
9.20(4)	2.14(3.104)
9.20(3)	2.14(2.106)
9.20(2)	2.14(1.131)
9.20(1) (Secure Firewall 4200 only)	2.14(0.11)
9.19(1)	2.13(0.198)
9.18(3)	2.12(0.468)
9.18(2)	2.12(0.438)
9.18(1)	2.12(0.31)
9.17(1)	2.11(1.154)
9.16(3)	2.10(1.189)
9.16(2)	2.10(1.162)
9.16(1)	2.10(1.159)
9.12(4)	2.6(1.198)
9.12(3)	2.6(1.156)
9.12(2)	2.6(1.141)
9.12(1)	2.6(1.113)

ASA Virtual hypervisor compatibility

You can deploy the ASA Virtual on the following hypervisors. For exact support, see the ASA Virtual getting started guide for your version:

Note

ASA virtual deployment on a platform using nested or multi-level hypervisor is not supported.

Table 9. ASA Virtual hypervisor compatibility
Hypervisor	Supported ASA Virtual version
Alibaba Cloud	ASA 9.20 and later For more information, see Alibaba Cloud Supported Instance Types and ASA Virtual Versions in ASA Virtual Getting Started Guide.
AWS	ASA 9.12 and later For more information, see AWS Supported Instance Types and ASA Virtual Versions in ASA Virtual Getting Started Guide.
KVM	ASA 9.12 and later For more information, see Prerequisites section of Deploy the ASA Virtual on KVM chapter in ASA Virtual Getting Started Guide.
Azure	ASA 9.12 and later For more information, see Azure Supported VM Sizes and ASA Virtual Versions in ASA Virtual Getting Started Guide.
GCP	ASA 9.16 and later For more information, see GCP Machine Types and ASA Virtual Versions in ASA Virtual Getting Started Guide.
OpenStack	ASA 9.16 and later For more information, see System Requirements section of Deploy the ASA Virtual on OpenStack chapter in ASA Virtual Getting Started Guide.
OCI	ASA 9.16 and later For more information, see OCI Compute Shapes in ASA Virtual Getting Started Guide.
VMware	ASA 9.12 and later For more information, see ASA Virtual on VMware ESXi System Requirements in ASA Virtual Getting Started Guide.
Hyper-V	ASA 9.12 and later For more information, see Guidelines and Limitations section of Deploy the ASA Virtual on Hyper-V chapter in ASA Virtual Getting Started Guide.
Nutanix	ASA 9.16 and later For more information, see Nutanix Components and Versions in ASA Virtual Getting Started Guide.

Security Cloud Control compatibility with the ASA

Security Cloud Control can manage all platforms running ASA 8.4 and later (see ASA and ASDM compatibility per model), except for the ASA Services Module (ASASM), which is not supported by Security Cloud Control.

Security Cloud Control can onboard an ASA running ASA 8.3 but cannot deploy changes to it or manage it in any other way. Support is "read-only."

Security Cloud Control does not support management of the ASA FirePOWER module, which runs a different operating system from ASA. You can still use the ASA FirePOWER module in your system, but you need to manage it separately with Secure Firewall Management Center or ASDM.

There may be a Security Cloud Control feature that does not support all versions of ASA, such as ASA upgrades from pre-9.12 versions. In those cases, the Security Cloud Control documentation will list any version exceptions with the prerequisites for that feature.

ASA REST API compatibility

This section lists ASA REST API and ASA compatibility.

Note

The REST API is not supported on newer hardware models and is no longer being developed. We recommend that you instead use the ASA HTTP interface for automation. See Cisco Secure Firewall ASA HTTP Interface for Automation.

The ASA REST API is supported only on the following models starting with 9.3(2) and ending with 9.16:

ASA Virtual
Firepower 9300
ISA 3000
Firepower 4110, 4120, 4140, 4150
ASA 5585-X
ASA 5525-X, 5545-X, 5555-X
ASA 5512-X, 5515-X

ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X

Note

The ASA 5506-X series does not support the REST API if you are running the FirePOWER module Version 6.0 or later. Disable the ASA REST API using the no rest-api agent command.

Network module compatibility

This section lists the ASA software version support for network modules per platform.

Secure Firewall 3100 network module compatibility

Table 10. Secure Firewall 3100 network module compatibility

Modules supported

Model

ASA version

2-port 100-Gb QSFP+ network module (FPR3K-XNM-2X100G)

Secure Firewall 3130
Secure Firewall 3140

9.20(2) and later

6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR3K-XNM-6X1SXF)
6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-6X10SRF)
6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X10LRF)
8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR3K-XNM-8X1GF)

Secure Firewall 3110
Secure Firewall 3120
Secure Firewall 3130
Secure Firewall 3140

9.18(2) and later

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-6X25SRF)
6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X25LRF)

Secure Firewall 3130
Secure Firewall 3140

9.18(2) and later

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

8-port 1-Gb copper hardware bypass network module, RJ45 copper (FPR3K-XNM-8X1GF)
8-port 1/10-Gb SFP+ network module (FPR3K-XNM-8X10G)
8-port 1/10/25-Gb ZSFP network module (FPR3K-XNM-8X25G)

Secure Firewall 3110
Secure Firewall 3120
Secure Firewall 3130
Secure Firewall 3140

9.17 and later

4-port 40-Gb QSFP+ network module (FPR3K-XNM-4X40G)

Secure Firewall 3130
Secure Firewall 3140

9.17 and later

Secure Firewall 4200 network module compatibility

Table 11. Secure Firewall 4200 network module compatibility

Modules supported

Model

ASA version

2-port 200G/400G QSFP-DD network module (FPR4K-XNM-2X400G)

Secure Firewall 4215
Secure Firewall 4225
Secure Firewall 4245

9.22 and later

4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

Secure Firewall 4215
Secure Firewall 4225
Secure Firewall 4245

9.20 and later

8-port 1/10-Gb SFP+ network module (FPR4K-XNM-8X10G)
8-port 1/10/25-Gb ZSFP network module (FPR4K-XNM-8X25G)
4-port 40-Gb QSFP+ network module (FPR4K-XNM-4X40G)
2-port 100-Gb QSFP+ network module (FPR4K-XNM-2X100G)

6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR4K-XNM-6X1SXF)
8-port 1-Gb copper hardware bypass network module, RJ45 copper (FPR4K-XNM-8X1GF)
6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR4K-XNM-6X10SRF)
6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR4K-XNM-6X10LRF)
6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR4K-XNM-6X25SRF)
6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR4K-XNM-6X25LRF)

Secure Firewall 4215
Secure Firewall 4225
Secure Firewall 4245

9.20 and later

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Secure Firewall 6100 network module compatibility

Table 12. Secure Firewall 6100 network module compatibility

Modules supported

Model

ASA version

6-port 1-Gbps SFP hardware bypass network module, SX multimode (CSF6K-XNM-6X1SXF)
6-port 10-Gbps SFP hardware bypass network module, SR multimode (CSF6K-XNM-6X10SRF)
6-port 10-Gbps SFP hardware bypass network module, LR single mode (CSF6K-XNM-6X10LRF)
6-port 25-Gbps SFP hardware bypass network module, SR multimode (CSF6K-XNM-6X25SRF)
6-port 25-Gbps SFP hardware bypass network module, LR single mode (CSF6K-XNM-6X25LRF)
8-port 10/100/1000Base-10 hardware bypass network module (CSF6K-XNM-8X1GF)
8-port 1/10-Gbps SFP+ network module (CSF6K-XNM-8X10G)
8-port 1/10/25-Gbps ZSFP network module (CSF6K-XNM-8X25G)
4-port 40-Gbps QSFP+ network module (CSF6K-XNM-4X40G)
2-port 100-Gbps QSFP+ network module (CSF6K-XNM-2X100G)
4-port 40/100/200-Gbps QSFP+ network module (CSF6K-XNM-4X200G)
2-port 100-Gbps hardware bypass network module, SR-multimode (CSF6K-XNM-2X100SRF)
2-port 40/100/200/400-Gbps QSFP-DD (CSF6K-XNM-2X400G)

Secure Firewall 6160
Secure Firewall 6170

9.24 and later

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 2100 network module compatibility

Note

If a network module is listed for multiple Firepower models, and the part number only differs in the model number (FPRXK-NM-module), then that module is compatible with the other Firepower models. For example, the FPR9K-NM-6X10SR-F module is compatible on the Firepower 2100 (FPR2K-NM-6X10SR-F) and Firepower 4100 (FPR4K-NM-6X10SR-F). See the FXOS compatibility guide for information about Firepower 4100 and 9300 network modules.

Table 13. Firepower 2100 network module compatibility

Modules supported

Model

ASA version

Firepower 6-port 1G SX FTW Network Module single-wide (FPR2K-NM-6X1SX-F)
Firepower 6-port 10G SR FTW Network Module single-wide (FPR2K-NM-6X10SR-F)
Firepower 6-port 10G LR FTW Network Module single-wide (FPR2K-NM-6X10LR-F)

Firepower 2130

Firepower 2140

ASA 9.10 and later

Note

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 8-port 1G Network Module single-wide (FPR2K-NM-8X1G)

Firepower 2130

Firepower 2140

ASA 9.10 and later

Firepower 8-port 10G Network Module single-wide (FPR2K-NM-8X10G)

Firepower 2130

Firepower 2140

ASA 9.9 and later

ASA 9.8(2), 9.8(3)

ASA and ASA FirePOWER module compatibility

The following table shows the ASA, ASDM, and ASA FirePOWER support. If you are using an FMC to manage ASA FirePOWER, you can ignore the ASDM requirements.

Note that:

ASA 9.16/ASDM 7.16/Firepower 7.0 is the final version for the ASA FirePOWER module on the ASA 5508-X, 5516-X, and ISA 3000.
ASA 9.14/ASDM 7.14/Firepower 6.6 is the final version for the ASA FirePOWER module on the ASA 5525-X, 5545-X, and 5555-X.

Note

ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1).
ASDM is not supported for FirePOWER module management with ASA 9.8(4.45)+, 9.12(4.50)+, 9.14(4.14)+, and 9.16(3.19)+; you have to use FMC to manage the module with these releases. These ASA releases require ASDM 7.18(1.152) or later, but ASDM support for the ASA FirePOWER module ended with 7.16.
ASDM 7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

Table 14. ASA and ASA FirePOWER Compatibility
ASA FirePOWER version	ASDM version (for local mgmt)	ASA version	ASA model
ASA FirePOWER version	ASDM version (for local mgmt)	ASA version	5508-X 5516-X	5525-X 5545-X 5555-X	ISA 3000
7.0	ASDM 7.16	ASA 9.16 9.12	YES	—	YES
6.4.0	ASDM 7.12 or later	ASA 9.16 (No 5525-X, 5545-X, 5555-X, 5585-X) 9.12	YES	YES	YES

ASA and Firewall Threat Defense clustering external hardware support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. Clustering is compatible with technologies such as vPC (Nexus), VSS (Catalyst), and StackWise & StackWise Virtual (Catalyst).

Switch requirements

All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.
EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.
On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.
On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.
On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch recommendations

The switch should provide uniform traffic distribution over the EtherChannel's individual links.
The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.
The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.

Note

For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.

Note

Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.

ASA and Cisco Application Policy Infrastructure Controller (APIC) compatibility

The platforms supported include:

ASA 5525-X, 5545-X, and 5555-X (8.6(x)—9.14(x))
ASA 5512-X, 5515-X (8.6(x)—9.12(x))
ASA 5585-X (8.4(x)—9.12(x))
ASAv (9.2(x) and newer)
Firepower 4100 and 9300 (9.6(x) and newer)
Firepower 2100 (9.8(x) and newer)

The following table lists the supported ASA device packages, ASA versions, and APIC versions.

Table 15. ASA device package, ASA, and APIC compatibility
ASA device package version	Integration model	APIC version	ASA version
1.3(12.4)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—5.0(2)	8.4(x)—9.16(x)
1.3(12.3)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—4.1(1)	8.4(x)—9.12(x)
1.3(11.22)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1)—4.0(1)	8.4(x)—9.10(x)
1.3(10.24)	Cloud Orchestrator Policy Orchestration Fabric Insertion	3.1(1*)	8.4(x)—9.8(x)
1.2(12.3)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.16(x)
1.2(12.2)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.12(x)
1.2(11.16)	Policy Orchestration Fabric Insertion	3.0(2*) and older	8.4(x)—9.10(1)
1.2(10.26)	Policy Orchestration Fabric Insertion	3.0(2*)	8.4(x)—9.8(x)
1.2(9.18)	Policy Orchestration Fabric Insertion	3.0(1*)	8.4(x)—9.8(x)
1.2(8.9)	Policy Orchestration Fabric Insertion	2.2(2*)	8.4(x)—9.7(x)
1.2(7.x)	Policy Orchestration Fabric Insertion	2.1(1*)	8.4(x)—9.6(2)
1.2(6.15)	Policy Orchestration	2.0(1*)	8.4(x)—9.5(2)
1.2(5.21)	Policy Orchestration	1.3(1*)	8.4(x)—9.5(1)
1.2(5.5)	Policy Orchestration	1.2(2*)	8.4(x)—9.4(x)

Note

We do not recommend using any ASA device package older than 2016.

Note

Policy Orchestration = Service Policy Mode = Fully Managed Mode.

Note

Fabric Insertion = Customized ASA device package for L2-3 automation only.

End-of-Life announcements

For a list of all Cisco End-of-Life platforms, see End-of-Sale and End-of-Life Products.

See the following pages for ASA software and hardware End-of-Life announcements:

Additional resources

See the following additional resources:

Cisco’s Next Generation Firewall Product Line Software Release and Sustaining Bulletin

Cisco Secure Firewall ASA Compatibility

Available Languages

Download Options

Bias-Free Language

Cisco Secure Firewall ASA Compatibility

ASA and ASDM compatibility per model

ASA 9.24

ASA 9.23 and 9.22

ASA 9.20 and 9.19

ASA 9.18 to 9.17

ASA 9.16

ASA 9.12

ASA and VPN compatibility

Firepower 4100/9300 Compatibility with ASA and Firewall Threat Defense

ASA and FXOS bundle versions

ASA Virtual hypervisor compatibility

Security Cloud Control compatibility with the ASA

ASA REST API compatibility

Network module compatibility

Secure Firewall 3100 network module compatibility

Secure Firewall 4200 network module compatibility

Secure Firewall 6100 network module compatibility

Firepower 2100 network module compatibility

ASA and ASA FirePOWER module compatibility

ASA and Firewall Threat Defense clustering external hardware support

Switch requirements

Switch recommendations

ASA and Cisco Application Policy Infrastructure Controller (APIC) compatibility

End-of-Life announcements

Additional resources

Was this Document Helpful?

Contact Cisco

This Document Applies to These Products