Introducing the Cisco ASA 5585-X

This chapter describes the Cisco ASA 5585-X and includes the following sections:

Note: Read through the entire guide before beginning any of the installation procedures.

Warning: Only trained and qualified personnel should install, replace, or service this equipment. Statement 49

Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.

Product Overview

The ASA 5585-X adaptive security appliance featuring MultiScale™ is a two-rack-unit (2RU), two-slot chassis. Supporting one of the highest performance-density firewalls on the market, the design of the ASA 5585-X provides high scalability not only in terms of throughput, but also high connection speed and maximum connections. Connection speed and maximum connection requirements are growing much faster than throughput in most customer data center networks. The capabilities of the ASA 5585-X help you simultaneously meet scalability challenges in throughput, connection capacity, and connection speed in the data center.

In addition to world-class performance, the ASA 5585-X offers encrypted traffic inspection, port density (up to 20 interfaces depending on the model), and feature performance matching; that is, performance parity between firewall and IPS functions.

Note: Dual firewall mode is only supported in certain versions of ASA software. For more information, refer to the Cisco ASA Compatibility document found at this URL:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html


All ASA 5585-X series adaptive security appliances ship with a core Security Services Processor (SSP); you can install an additional core SSP, IPS SSP, CX SSP, or FirePOWER SSP, or up to two network modules. You must have the core SSP to run the other modules. The core SSP resides in slot 0 (the bottom slot).

The ASA 5585-X is available with four core SSP versions:

  • ASA 5585-X with Security Services Processor-10
  • ASA 5585-X with Security Services Processor-20
  • ASA 5585-X with Security Services Processor-40
  • ASA 5585-X with Security Services Processor-60

Starting with ASA version 5.4.0.1, mixed-level SSPs are supported:

  • ASA SSP-10/ASA FirePOWER SSP-40
  • ASA SSP-20/ASA FirePOWER SSP-60
  • ASA SSP-40/ASA FirePOWER SSP-60

Note: For the SSP40/60 combination, you might see an error message that this combination is not supported. You can ignore the message.


For a matrix describing which module configurations are allowed, see the ASA Module Compatibility table.

Each ASA 5585-X chassis accommodates up to two AC power supply modules, each of which contains an integrated fan; you can alternatively install a fan module in the second bay. Optional redundant, hot-swappable power supply modules are available, as well as hot-swappable fan modules in case of a fan failure.

The core SSP provides environmental monitoring, which tracks the operational status of the fan and power supply modules. In addition, it tracks the temperatures of the CPUs and the ambient temperature of the system.

Note: Online insertion and removal (OIR) of SSPs and network modules is not supported at this time. Small form-factor pluggable (SFP/SFP+) transceiver, power-supply module, and fan module OIR is supported.


ASDM

The ASA software supports Cisco Adaptive Security Device Manager (ASDM), which delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances.

ASA 5585-X SSP-10

The ASA 5585-X SSP-10 provides firewall and VPN support, and 10 interfaces (two SFP/SFP+ and eight copper Gigabit Ethernet). The SSP-10 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-10 has one CPU, three DIMM modules, one embedded crypto-accelerator, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

ASA 5585-X SSP-20

The ASA 5585-X SSP-20 provides firewall and VPN support, and 10 interfaces (two SFP/SFP+ and eight copper Gigabit Ethernet). The SSP-20 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-20 has one CPU, six DIMM modules, two embedded crypto-accelerators, and one dual-port 10-GB uplink for the SFP/SFP+ interfaces.

ASA 5585-X SSP-40

The ASA 5585-X SSP-40 provides firewall and VPN support, and 10 interfaces (four SFP/SFP+ and six copper Gigabit Ethernet). The SSP-40 has one power supply module and one fan module. You can replace the fan module with another power supply module for a redundant power supply configuration. The SSP-40 has two CPUs, six DIMM modules, three embedded crypto-accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

ASA 5585-X SSP-60

The ASA 5585-X SSP-60 provides firewall and VPN support, and 10 interfaces (four SFP/SFP+ and six copper Gigabit Ethernet). The SSP-60 ships with two power supply modules; however, the SSP-60 can function with only one power supply module. Although the SSP-60 with an additional SSP can also operate with only one power supply module, we recommend that you install two power supply modules for extended reliability since the power supply modules operate in load-sharing mode. If one fails in this configuration, the other power supply module can still handle the full load until the failed power supply module is replaced. The SSP-60 has two CPUs, 12 DIMM modules, four embedded crypto-accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

Caution: If you remove a power supply or fan module, replace it immediately to prevent disruption of service.

You can optionally install an additional core SSP, an IPS SSP, a CX SSP, or a FirePOWER SSP in the upper slot (slot 1). For a matrix describing which module configurations are allowed, see the ASA Module Compatibility table.

Note: Feature limitations may apply to dual SSPs. Refer to your configuration guide for more information.


Chassis Features

This section describes the ASA 5585-X chassis features and indicators.

Grounding Lug

Figure 1-1 shows the grounding lug on the rear of the chassis.

Figure 1-1 ASA 5585-X Chassis, Rear View

Callout 1: Grounding lug

Front Panel: ASA 5585-X SSP-10 With Add-on SSP-10

Figure 1-2 shows the front view of the ASA 5585-X SSP-10 with an IPS SSP-10 in the top slot. The appearance with one of the other available SSP-10 and SSP-20 modules in the top slot is very similar. All ports are numbered from right to left, beginning with 0.

Figure 1-2 ASA 5585-X SSP-10 With IPS SSP-10, Front Panel View

| Callout | Description |
|---|---|
| 1 | SSP or network module (slot 1) |
| 2 | Core SSP (slot 0) |
| 3 | Module removal screws |
| 4 | Reserved hard-disk drive bays in bottom slot; add-on module hard-disk drives in top slot [1] |
| 5 | TenGigabitEthernet 0/9 (core SSP in slot 0); TenGigabitEthernet 1/9 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 6 | TenGigabitEthernet 0/8 (core SSP in slot 0); TenGigabitEthernet 1/8 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 7 | GigabitEthernet 0/0 through 0/7 (core SSP in slot 0); GigabitEthernet 1/0 through 1/7 (add-on module in slot 1); from right to left, 1-Gb copper, RJ45 |
| 8 | Management 0/1 (core SSP in slot 0); Management 1/1 (add-on module in slot 1); GigabitEthernet RJ45 |
| 9 | Management 0/0 (SSP in slot 0); Management 1/0 (add-on module in slot 1); GigabitEthernet RJ45 |
| 10 | USB port |
| 11 | USB port |
| 12 | Front panel indicators |
| 13 | Auxiliary port (RJ45) [2] |
| 14 | Console port (RJ45) |
| 15 | Eject [3] |

[1] Hard-disk drives are currently only supported by the CX and FirePOWER SSPs, one of which can reside in the top slot.

[2] The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.

[3] Reserved for future OIR use.

Front Panel: ASA 5585-X SSP-40 With Add-on SSP-40

Figure 1-3 shows the front view of ASA 5585-X SSP-40 with an IPS SSP-40 in the top slot. The appearance with one of the other available SSP-40 and SSP-60 modules in the top slot is very similar.

Figure 1-3 ASA 5585-X SSP-40 With IPS SSP-40, Front Panel View

| Callout | Description |
|---|---|
| 1 | Add-on SSP or network module (slot 1) |
| 2 | Core SSP (slot 0) |
| 3 | Add-on module removal screws |
| 4 | Reserved bays for hard-disk drives [4] |
| 5 | TenGigabitEthernet 0/9 (core SSP in slot 0); TenGigabitEthernet 1/9 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 6 | TenGigabitEthernet 0/8 (core SSP in slot 0); TenGigabitEthernet 1/8 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 7 | TenGigabitEthernet 0/7 (core SSP in slot 0); TenGigabitEthernet 1/7 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 8 | TenGigabitEthernet 0/6 (core SSP in slot 0); TenGigabitEthernet 1/6 (add-on module in slot 1); 10-Gb fiber, SFP, or SFP+ |
| 9 | GigabitEthernet 0/0 through 0/5 (core SSP in slot 0); GigabitEthernet 1/0 through 1/5 (add-on module in slot 1); from right to left, 1-Gb copper, RJ45 |
| 10 | Management 0/1 (core SSP in slot 0); Management 1/1 (add-on module in slot 1); GigabitEthernet RJ45 |
| 11 | Management 0/0 (core SSP in slot 0); Management 1/0 (add-on module in slot 1); GigabitEthernet RJ45 |
| 12 | USB port |
| 13 | USB port |
| 14 | Front panel indicators |
| 15 | Auxiliary port (RJ45) [5] |
| 16 | Console port (RJ45) |
| 17 | Eject [6] |

[4] Hard-disk drives are currently only supported by the CX and FirePOWER SSPs, one of which can reside in the top slot.

[5] The RJ-45 Auxiliary port (labeled AUX on the chassis) is reserved for internal use at Cisco. The port is not functional in shipping versions of the chassis; therefore, customers cannot connect to this port to run the adaptive security appliance CLI.

[6] Reserved for future OIR use.

Front Panel: Ethernet Port Indicator Lights

Table 1-1 describes the Ethernet port indicator lights.

 

Table 1-1 Ethernet Port Indicator Lights

Indicator | Description

Gigabit Ethernet (RJ45)

  • Left side:
      • Green—Physical activity.
      • Flashing green—Network activity.
  • Right side:
      • Unlit—10 Mbps.
      • Green—100 Mbps.
      • Amber—1000 Mbps.

10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP)

  • Left side:
      • Unlit—No 10-Gigabit Ethernet physical link.
      • Green—10-Gigabit Ethernet physical link.
      • Flashing green [7]—Network activity.
  • Right side:
      • Unlit—No 1-Gigabit Ethernet physical link.
      • Green—1-Gigabit Ethernet physical link.
      • Flashing green [7]—Network activity.

Management port

  • Left side:
      • Green—Physical activity.
      • Flashing green—Network activity.
  • Right side:
      • Unlit—10 Mbps.
      • Green—100 Mbps.
      • Amber—1000 Mbps.

[7] Rate of flashing is proportional to the percentage of number of packets or bytes received.

Front Panel Indicator Lights

Figure 1-4 shows the front panel indicator lights.

Figure 1-4 ASA 5585-X Front Panel Lights

Table 1-2 describes the front panel indicator lights on the ASA 5585-X.

 

Table 1-2 ASA 5585-X Front Panel Indicator Lights

Figure Label | Indicator | Description

1 | PWR | Whether the system is off or on:

  • Unlit—No power.
  • Green—System has power.

2 | BOOT | Status of the power-up diagnostics:

  • Flashing green—Power-up diagnostics are running, or the system is booting.
  • Green—System has passed power-up diagnostics.
  • Amber—Power-up diagnostics failed.

3 | ALARM | Component failure:

  • Unlit—No alarm.
  • Amber—Critical alarm: Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or time to remove the module. [8]

Note: May appear red on some units.

4 | ACT | Role of a high-availability (HA) pair:

  • Green—The active-mode unit.
  • Amber—The standby unit.

5 | VPN | Whether a VPN tunnel has been established:

  • Green—VPN tunnel established.

6 | PS1 | State of the power-supply module installed on the right:

  • Unlit—No power supply module present, or no AC input.
  • Green—Power supply module present, on, and good.
  • Amber—Power or fan module off, or failed.

7 | PS0 | State of the power module installed on the left:

  • Unlit—No power supply module present, or no AC input.
  • Green—Power supply module present, on, and good.
  • Amber—Power or fan module off, or failed.

8 | HDD1 | Indicates activity on the first hard-disk drive: [9]

  • Unlit—No hard-disk drive present.
  • Flashing green—Hard-disk drive activity.
  • Amber—Hard-disk drive failure.

9 | HDD2 | Indicates activity on the second hard-disk drive: [9]

  • Unlit—No hard-disk drive present.
  • Flashing green—Hard-disk drive activity.
  • Amber—Hard-disk drive failure.

[8] OIR is not available at this time.

[9] The hard-disk drives are only supported on the ASA CX and FirePOWER SSPs.

Back Panel: ASA 5585-X

Figure 1-5 shows the back panel features.

Figure 1-5 ASA 5585-X Back Panel Features

| Callout | Description |
|---|---|
| 1 | Power supply module (corresponds to PS1 indicator) |
| 2 | Power supply module/fan module removal screws |
| 3 | Power supply module plug |
| 4 | On/Off rocker switch for power supply module |
| 5 | Power supply module indicators |
| 6 | Power supply module or fan module handle |
| 7 | Fan module |
| 8 | Fan module indicator |

Back Panel: Power Supply and Fan Modules

Figure 1-6 shows the power supply module indicator lights.

Figure 1-6 ASA 5585-X Power Supply Module and Fan Module Indicator Lights

Table 1-3 describes the power supply module and fan module indicator lights.

 

Table 1-3 Power Supply Module and Fan Module Indicators

Figure Label | Indicator | Description

1 | IN OK | Status of power supply module:

  • Unlit—No AC power cord connected, or AC power switch off.
  • Green—AC power cord connected and AC power switch on.

2 | FAN OK | Status of fan module:

  • Unlit—Fan module failure, or AC power switch off.
  • Green—AC power cord connected, AC power switch on, and internal fan is running.

3 | OUT FAIL |

  • Red—Output voltage failure. [10]

[10] The power supply module has three output voltages—3.3V, 12V, and 50V.

Specifications

Table 1-4 lists the specifications for the ASA 5585-X.

 

Table 1-4 ASA-5585-X Specifications

Dimensions and Weight

| Specification | Value |
|---|---|
| Height | 3.47 in (8.8 cm). |
| Width | 19 in (48.3 cm). |
| Depth | 26.5 in (67.3 cm). |
| Weight | 64 lb (29 kg)—ASA5585-S20-K8 with one SSP-20 and one AC power supply module; 70.85 lb (32 kg)—ASA5585-S60-2A-K9 with one SSP-60 and two AC power supply modules; 71.20 lb (32 kg)—ASA5585-S20F20XK9 with one SSP-20, one FirePOWER SSP-20, and two AC power supply modules; 72.8 lb—ASA5585-S60F60-K9 with one firewall SSP-60, one FirePOWER SSP-60, and two AC power supply modules |
| Form factor | 2 RU, standard 19-inch rack-mountable. |

Power: AC Input

| Specification | Value |
|---|---|
| Rated input voltage (per power supply module) | 100 to 240 VAC. |
| Rated input frequency | 50 to 66 Hz. |
| Rated input power (per power supply module) | 1161 W @ 100 VAC. 1598 W @ 200 VAC. |
| Rated input current (per power supply module) | 12A (100 VAC). 8A (200 VAC). |
| Typical heat dissipation | 1280 BTU/hr (1 SSP). 2200 BTU/hr (2 SSPs). |
| Power supply output steady state (typical) | 320 W (1 SSP). 670 W (1 SSP and 1 IPS SSP). |
| Maximum peak | 370 W (1 SSP). 770 W (1 SSP and 1 IPS SSP). |

Power: DC Input

| Specification | Value |
|---|---|
| Rated input voltage (per power supply module) | -48 VDC to -60 VDC. |
| Rated input power (per power supply module) | 1353 W @ -48 VDC. 1403 W @ -60 VDC. |
| Rated input current (per power supply) | 33 A. |
| Maximum heat dissipation | 5450 BTU/hr. |
| Power supply output steady state (typical) | 320 W (1 SSP). 670 W (1 SSP and 1 IPS SSP). |
| Maximum peak | 370 W (1 SSP). 770 W (1 SSP and 1 IPS SSP). |

Environment

| Specification | Value |
|---|---|
| Temperature | Operating 32 to 104°F (0 to 40°C). Non-operating -40°F to 158°F (-40°C to 70°C). |
| Airflow | Front to back. |
| Relative humidity (non-condensing) | Operating 10% to 90%. Non-operating 5% to 95%. |
| Altitude | Operating 0 to 10,000 ft (3,050 m). Non-operating 0 to 30,000 ft (9,144 m). |
| Noise | 65 dBa max. |

Memory Configurations

The ASA 5585-X has up to six DIMM modules per CPU; DIMM population is platform-dependent. Table 1-5 shows the memory configurations.

 

Table 1-5 ASA 5585-X Memory Configurations

| Model | SSP Memory | IPS SSP Memory |
|---|---|---|
| ASA 5585-X with SSP-10 | 6-GB DRAM | 6-GB DRAM |
| ASA 5585-X with SSP-20 | 12-GB DRAM | 12-GB DRAM |
| ASA 5585-X with SSP-40 | 12-GB DRAM | 24-GB DRAM |
| ASA 5585-X with SSP-60 | 24-GB DRAM | 48-GB DRAM |

Note: The add-on core SSP, IPS SSP, CX SSP, or FirePOWER SSP must be of the same designation level as the originally installed SSP model. For example, if you have the ASA 5585-X SSP-10, you can only install another core SSP-10, an IPS SSP-10, a CX SSP-10, or a FirePOWER SSP-10.


Power Supply Module Requirements

Table 1-6 lists the power supply module requirements for the AC and DC power supply modules.

 

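Table 1-6 Power Supply Module Requirements

| AC Power Supply Module | 50 V | 12 V | 3.3 V_STBY |
|---|---|---|---|
| Output Voltage, Maximum | 52.0 V | 12.2 V | 3.45 V |
| Output Voltage, Nominal | 50.0 V | 12.0 V | 3.35 V |
| Output Voltage, Minimum | 48.0 V | 11.8 V | 3.25 V |
| Output Current @ 200 VAC, Maximum | 17.3 A | 27.0 A | 1.5 A |
| Output Current @ 200 VAC, Minimum | 0 | 0 | 0 |
| Output Current @ 100 VAC, Maximum | 17.3 A | 27.0 A | 1.5 A |
| Output Current @ 100 VAC, Minimum | 0 | 0 | 0 |

| DC Power Supply Module | 50 V | 12 V | 3.3 V_STBY |
|---|---|---|---|
| Output Voltage, Maximum | 52.0 V | 12.45 V | 3.45 V |
| Output Voltage, Nominal | 50.0 V | 12.0 V | 3.35 V |
| Output Voltage, Minimum | 48.0 V | 12.05 V | 3.25 V |
| Output Current @ -48 VDC, Maximum | 17.3 A | 23.0 A | 1.5 A |
| Output Current @ -48 VDC, Minimum | 0 | 0 | 0 |
| Output Current @ -60 VDC, Maximum | 17.3 A | 23.0 A | 1.5 A |
| Output Current @ -60 VDC, Minimum | 0 | 0 | 0 |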

SFP/SFP+ Modules

The SFP/SFP+ module is a hot-swappable optical interface that plugs into the SFP/SFP+ ports and provides Gigabit Ethernet connectivity. The SFP and SFP+ modules are optional and not included with the ASA 5585-X; you can purchase them separately. For 1-Gb connectivity, you need the SFP; for 10-Gb connectivity, you need the SFP+. The two ports are the same, but you can only use 10-Gb with lower-model SSPs if you buy the appropriate license; otherwise, the ports are restricted to 1-Gb. The ports are always 10-Gb-enabled for higher-model SSPs (level 40 and above). The interfaces are called TenGigabitEthernet 0/x for the core SSP, and TenGigabitEthernet 1/x for the add-on SSP, whether they are 10-Gb-enabled or not.

Table 1-7 lists the SFP/SFP+ modules that the ASA 5585-X supports.

 

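Table 1-7 SFP/SFP+ Modules

| Type | Module | Description |
|---|---|---|
| 1G SFP Module | GLC-SX-MM | 1000 Base-SX SFP module |
| 1G SFP Module | GLC-SX-MMD | 1000BASE-SX short wavelength with DOM |
| 1G SFP Module | GLC-LH-SM | 1000 Base-LX/LH SFP module |
| 1G SFP Module | GLC-LH-SMD | 1000BASE-LX/LH long-wavelength with DOM |
| 1G SFP Module | GLC-EX-SMD | 1000 Base-EX SFP module, SMF, 1310nm, with DOM |
| 1G SFP Module | GLC-T | 1000BASE-T standard |
| 10G SFP+ Module | SFP-10G-ER | 10G ER SFP+ module |
| 10G SFP+ Module | SFP-10G-SR | 10G SR SFP+ module |
| 10G SFP+ Module | SFP-10G-LRM | 10G LRM SFP+ module |
| 10G SFP+ Module | SFP-10G-LR | 10G LR SFP+ module |
| 10G SFP+ Module | SFP-10G-SR-S | 10G SR-S SFP+ module |
| 10G SFP+ Module | SFP-10G-LR-S | 10G LR-S SFP+ module |
| 10G SFP+ Module | SFP-10G-ER-S | 10G ER-S SFP+ module |
| 10G SFP+ Module | SFP-10G-ZR-S | 10G ZR-S SFP+ module |
| 10G SFP+ Module | SFP-H10GB-ACU7M | 10GBASE-CU SFP+ cable 7 meter, active |
| 10G SFP+ Module | SFP-H10GB-ACU10M | 10GBASE-CU SFP+ cable 10 meter, active |
| 10G SFP+ Module | SFP-H10GB-CU1M | 10GBASE-CU SFP+ cable 1 meter, passive |
| 10G SFP+ Module | SFP-H10GB-CU3M | 10GBASE-CU SFP+ cable 3 meter, passive |
| 10G SFP+ Module | SFP-H10GB-CU5M | 10GBASE-CU SFP+ cable 5 meter, passive |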