Cisco ASA Software Release 9.0 Data Sheet
Available Languages
Cisco® ASA Software is the core operating system that powers the Cisco ASA family of security devices. It delivers enterprise-class firewall and VPN capabilities and integrates with Cisco Intrusion Prevention System (IPS), Cisco Cloud Web Security (formerly ScanSafe), Cisco Identity Services Engine (ISE), and Cisco TrustSec for comprehensive security solutions that meet continuously evolving security needs.
With more than 15 years of proven firewall and network security leadership, Cisco ASA Software is used in more than one million security appliances deployed throughout the world. The same core ASA Software supports a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with an organization’s existing network infrastructure, and software that can secure and protect public and private clouds.
ASA Software protects corporate networks of all sizes and serves the needs of service providers.
Clustering
With Cisco ASA Software release 9.0, customers can combine up to eight Cisco ASA 5580 or 5585-X Adaptive Security Appliance firewall modules to be joined in a single cluster for up to 128 Gbps of real-world throughput (320 Gbps max) and more than 50 million concurrent connections. Unlike competitive offerings, which experience significant declines in performance when placed into a cluster, the ASA Software clustering solution delivers a consistent scaling factor, irrespective of the number of units on the cluster. Unlike clustering on competitive platforms, which requires moderate to high changes to existing layer 2 and layer 3 networks, ASA Software uses the existing Cisco Virtual Switching System (VSS) and Cisco Virtual PortChannel (VPC) based data center design and is built on standard Link Aggregation Control Protocol (LACP).
To protect high performance data centers from internal and external threats, the eight-unit cluster can be augmented by adding eight IPS modules for up to 60 Gbps of IPS throughput.
Table 1. Firewall Performance Data for Cisco ASA Cluster[1]
| Platform |
Single-Unit |
2-Unit Cluster |
4-Unit Cluster |
8-Unit Cluster |
| Cisco ASA 5585X with SSP-10 |
2 Gbps |
3.2 Gbps |
6.4 Gbps |
12.8 Gbps |
| Cisco ASA 5585X with SSP-20 |
5 Gbps |
8 Gbps |
16 Gbps |
32 Gbps |
| Cisco ASA 5585X with SSP-40 |
10 Gbps |
16 Gbps |
32 Gbps |
64 Gbps |
| Cisco ASA 5585X with SSP-60 |
20 Gbps |
32 Gbps |
64 Gbps |
128 Gbps |
In addition to the performance benefits, the cluster is easy to manage and troubleshoot. Policies pushed to the primary node gets replicated across all the units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from a single management console.
Cisco TrustSec® Integration
ASA Software provides context awareness through the integration of identity-based firewall security and Cisco TrustSec® security group tags for enhanced visibility and control. Identity-based firewall security provides more flexible access control to enforce policies based on user and group identities and the point of access. It also simplifies policy configuration: Administrators can write policies that correspond to business rules, which increases security, enhances ease of use, and requires fewer policies to manage. Similarly, Cisco TrustSec integration enables security group tags to be embedded into the Cisco DNA of the network, providing administrators with the ability to develop and enforce better, more granular policies.
Cloud Web Security Integration
ASA Software integrates with Cisco Cloud Web Security to enable organizations to gain a centralized content security solution combined with localized network security. Unlike all-in-one approaches employed by many competitive offerings, the architectural approach employed by Cisco ASA Software provides much better performance and efficacy. Administrators can choose to perform deep content scanning on a subset of traffic based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context. As a result, ASA Software can deliver uncompromising security with superior performance.
Secure Remote Access
ASA Software enables an IPv4 and IPv6 dual stack inside SSL tunnels, as well as on the public interface when used in conjunction with Cisco AnyConnect® 3.1 or greater. IPv6 clientless support is also provided. While most competitive offerings experience an average of an 80 percent degradation in performance when transitioning from an IPv4 to an IPv6 traffic pattern, ASA Software supports IPv6 remote access connections with less than a 15 percent performance impact.
ASA Software also provides comprehensive next-generation encryption capabilities, which includes the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel.
Features and Benefits
Table 2. Features and Benefits
| Feature |
Description |
Key Benefits |
ASA Models Supported |
| Clustering |
Enables multiple hardware appliances to deliver up to:
● 128 Gbps of real-world throughput
● 50 million concurrent connections
|
● Linear and predictable scale and throughput increase (e.g., if a 2-unit cluster supports 32 Gbps, a 4-unit cluster will support 64 Gbps for the same traffic profile)
● Up to an 8-unit cluster can be configured and monitored using a single instance of the Cisco Application Security Device Manager (ASDM)
● State sync across cluster member. No single point of failure
|
ASA 5580 and ASA 5585-X appliances |
| Cisco Cloud Web Security (Scansafe) Integration |
Integrates with Cisco Cloud Web security to enable customers to redirect web traffic to the Cisco web security cloud for Web security and malware protection. |
● Unlike checkbox security products, the integration delivers comprehensive web security (URL filtering, Web application visibility and control [AVC], and malware protection) with minimal performance and capacity degradation
● Web traffic can be redirected to the Cisco Cloud Web Security Tower for additional analysis based on user name, user group, source, or destination
● Enables traffic redirection for optimized performance. Customers can segment the traffic into three broad categories: VPN traffic going to headquarters or a branch location, allowed-listed traffic going directly to the Internet, and traffic marked for deep scanning to the Cisco Cloud Web Security Tower
|
All ASA 5500 and 5500-X Series appliances and the Cisco Catalyst 6500 Series ASA Services Module |
| Trustsec |
Integrates ASA Software into the Cisco TrustSec architecture, augmenting the ASA Software 5-tuple and identity based firewall policy elements with security group tags (SGTs) and security group names. |
● Enables security devices to use Security Group Tags (SGTs) as a consistent enforcement element
● Enables customers to use ASA Software to create and enforce policies based on SGTs
● Empowers ASA Software to take appropriate policy action
(e.g., allow, deny, restrict access) Based on a change in posture or compliance on the end point
|
All ASA 5500 and 5500-X Series appliances and the Cisco Catalyst 6500 Series ASA Services Module |
| Next Gen Encryption |
Supports the Suite-B set of cryptographic algorithms including Elliptical Curve, SHA-2 (256, 384 and 512-bit hashes). It also includes IPSecv3 and enhanced IPSecv3 features, which are defined as ESPv3 |
● Delivers superior confidentiality and integrity, with a smaller key size via NSA approved Suite-B encryption specifications
|
ASA 5500-X Series and ASA 5585-X appliances |
| Multi-Context Enhancements |
Enhances the current ASA Multicontext capability to include support for Site-to-site VPN and Dynamic Routing Protocols. Also adds support for mixed routed and transparent mode multi-context configuration. |
● Enables each firewall context to maintain its own routing table for static and dynamic routes
● Allows customers to mix and match routing protocols on a per-context basis.
● Supports IKEv1 and IKEv2.
● Maintains single mode site-to-site VPN features in multiple modes.
● Allows flexible VPN resource allocations in system context
|
All ASA 5500 and 5500-X appliances (with the exception of the ASA 5505) and the Cisco Catalyst 6500 Series ASA Services Module |
| IPv6 |
Allows ASA to be deployed in a mixed IPv4/IPv6 deployment, and prepares customers for this imminent migration. |
● Enables customers to prepare for migrating to IPv6 by delivering critical v4 to v6 translation features, including:
◦ Stateful NAT64 and NAT66
◦ DHCPv6 relay, DNS64
◦ Unified ACL to simplify policy configuration in a mixed v4 and v6 environment
● Delivers IPv6 remote access connections with less than a 15 percent performance impact, compared with IPv4 traffic. In contrast, competitive offerings experience an average of an 80 percent degradation in performance when transitioning from an IPv4 to an IPv6 traffic pattern
|
All ASA 5500 and 5500-X Series appliances and the Cisco Catalyst 6500 Series ASA Services Module |
| Citrix Interoperability with Clientless VPN |
Provides the ability for end users to access Citrix Xen infrastructure through the Clientless portal. |
● Enables customers to access XenDesktop and XenApp through the web interface using the Clientless portal
● Provides single sign-on support for the XenDesktop (5.0) and XenApp (6.0)
● Enables the Citrix Mobile Receiver to be terminated directly from the ASA to the Xen infrastructure
|
All ASA 5500 and 5500-X Series appliances and the Cisco Catalyst 6500 Series ASA Services Module |
| Clientless VPN Enhancements |
Templates and tools for Auto Sign-On configuration Java based file browser Proxy support for Java Plugins |
● Enables easier and faster configuration of the Clientless portal for single sign-on with various applications
● Provides various standardized templates for multiple applications
● Enables customers to access shared files through the clientless portal using the new java based fill browser
● Enables customers to access TCP/IP applications using the Java Plug-ins, even when the end user is behind a proxy server
|
All ASA 5500 and 5500-X Series appliances and the Cisco Catalyst 6500 Series ASA Services Module |
Download the Software
Visit the Cisco Software Center to download Cisco ASA Software.
Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business.
Included in the “Operate” phase of the service lifecycle are Cisco Security IntelliShield Alert Manager Service, Cisco SMARTnet®, Cisco Service Provider Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.
Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature IPS capabilities. Cisco SMARTnet and Service Provider Base support other products in this family.
For more information, please visit the following links:
● Cisco ASA 5500 Series Adaptive Security Appliances: http://www.cisco.com/en/US/products/ps6120/index.html
● Cisco Cloud Web Security: http://www.cisco.com/en/US/products/ps11720/index.html
● Cisco TrustSec: http://www.cisco.com/en/US/netsol/ns1051/index.html
● Cisco AnyConnect Secure Mobility Solution: http://www.cisco.com/en/US/netsol/ns1049/index.html
● Cisco Security Manager: http://www.cisco.com/en/US/products/ps6498/index.html
● Cisco Adaptive Security Device Manager: http://www.cisco.com/en/US/products/ps6121/index.html
● Cisco Security Services: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html
● Cisco ASA 5500 Series Adaptive Security Appliance Licensing Information: http://www.cisco.com/en/US/products/ps6120/products_licensing_information_listing.html
Feedback