Pix To Asa Migration Tool 8.4


In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005,[1] that succeeded three existing lines of popular Cisco products:

  • Cisco PIX, which provided firewall and network address translation (NAT) functions ended sale on 28 July 2008.[2]
  • Cisco IPS 4200 Series, which worked as intrusion prevention systems (IPS).
  • Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN).

The Cisco ASA is a unified threat management device, combining several network security functions in one box.[3]

Reception and criticism

Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium businesses.[4] Early reviews indicated the Cisco GUI tools for managing the device were lacking.[5]

A security flaw was identified when users customized the Clientless SSL VPN option of their ASAs, but it was rectified in 2015.[6] Another flaw in a WebVPN feature was fixed in 2018.[7]

In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA called EPICBANANA[8] and EXTRABACON.[9][10] A code insertion implant called BANANAGLEE was made persistent by JETPLOW.[11]

Features

The 5506W-X includes a built-in WiFi access point.

Architecture

The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina, which schedules processes internally rather than using the Linux facilities.[12] In the boot sequence, a boot loader called ROMMON (ROM monitor) starts and loads a Linux kernel, which then loads lina_monitor, which in turn loads lina. ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files include a version indicator; -smp means the image is for a symmetrical multiprocessor (and 64 bit architecture), and other parts of the name indicate whether 3DES or AES is supported.[12]

The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query, operate or configure the device. Configuration statements are entered in config mode. The configuration is initially held in memory as the running-config but would normally be saved to flash memory.[12]

Software versions[12]

| Major release | Released[13] |
|---|---|
| 7.0 | 31 May 2005 |
| 7.1 | 6 Feb 2006 |
| 7.2 | 31 May 2006 |
| 8.0 | 18 Jun 2007 |
| 8.1 | 1 Mar 2008 |
| 8.2 | 6 May 2009 |
| 8.3 | 8 Mar 2010 |
| 8.4 | 31 Jan 2011 |
| 8.5 | 8 Jul 2011 |
| 8.6 | 28 Feb 2012 |
| 8.7 | 16 Oct 2012 |
| 9.0 | 29 Oct 2012 |
| 9.1 | 3 Dec 2012 |
| 9.2 | 24 Apr 2014 |
| 9.3 | 24 Jul 2014 |
| 9.4 | 30 Mar 2015 |
| 9.5 | 12 Aug 2015 |
| 9.6 | 21 Mar 2016 |
| 9.7 | 4 Apr 2017 |
| 9.8 | 15 May 2017 |
| 9.9 | 4 Dec 2017 |

end of life: ××××××××××××××
for 5505-5550: YYYYYYYYY
for 5512-5585-X: YYYYYYYYYYYY

Options

The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added.[14]

The 5585-X has options for SSP, which stands for security services processor.[15] These range in processing power by a factor of 10, from SSP-10, SSP-20 and SSP-40 to SSP-60. The ASA 5585-X has a slot for an I/O module. This slot can be subdivided into two half-width modules.[16]

On the low-end models some features are limited, and they are unlocked by installing a Security Plus License. This enables more VLANs or VPN peers, and also high availability.[14] Cisco AnyConnect is an extra licensable feature which operates IPSec or SSL tunnels to clients on PCs, iPhones or iPads.[17]

Models

The 5505, introduced in 2010, was a desktop unit designed for small enterprises or branch offices. It included features to reduce the need for other equipment, such as an inbuilt switch and power over Ethernet ports.[18] The 5585-X is a higher powered unit for datacenters introduced in 2010.[19] It runs in 32 bit mode on an Intel architecture Atom chip.[12]

| Model | Cleartext throughput, Mbit/s | AES/Triple DES throughput, Mbit/s | Max simultaneous connections | Max site-to-site and remote access VPN sessions | Max number of SSL VPN user sessions |
|---|---|---|---|---|---|
| 5505[20] | 150 | 100 | 10,000 (25,000 with Sec Plus License) | 10 (25 with Sec Plus License) | 25 |
| 5510 | 300 | 170 | 50,000 (130,000 with Sec Plus License) | 250 | 250 |
| 5520[20] | 450 | 225 | 280,000 | 750 | 750 |
| 5540[20] | 650 | 325 | 400,000 | 5,000 | 2,500 |
| 5550[20] | 1,200 | 425 | 650,000 | 5,000 | 5,000 |
| 5580-20[20] | 5,000 | 1,000 | 1,000,000 | 10,000 | 10,000 |
| 5580-40[20] | 10,000 | 1,000 | 2,000,000 | 10,000 | 10,000 |
| 5585-X SSP10[20] | 3,000 | 1,000 | 1,000,000 | 5,000 | 5,000 |
| 5585-X SSP20[20] | 7,000 | 2,000 | 2,000,000 | 10,000 | 10,000 |
| 5585-X SSP40[20] | 12,000 | 3,000 | 4,000,000 | 10,000 | 10,000 |
| 5585-X SSP60[20] | 20,000 | 5,000 | 10,000,000 | 10,000 | 10,000 |

Cisco determined that most of the low end devices had too little capacity to include the features needed, such as anti-virus, or sandboxing, and so introduced a new line called next generation firewall. These run in 64 bit mode.[12]

Models as of 2018.[14]

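| Model | Throughput Gb/s | GB ports | Ten GB ports | Form factor |
|---|---|---|---|---|
| 5506-X | 0.25 | 8 | 0 | desktop |
| 5506W-X | 0.25 | 8 | 0 | desktop |
| 5506H-X | 0.25 | 4 | 0 | desktop |
| 5508-X | 0.45 | 8 | 0 | 1 RU |
| 5512-X | 0.3 | 6 | 0 | 1 RU |
| 5515-X | 0.5 | 6 | 0 | 1 RU |
| 5516-X | 0.85 | 8 | 0 | 1 RU |
| 5525-X | 1.1 | 8 | 0 | 1 RU |
| 5545-X | 1.5 | 8 | 0 | 1 RU |
| 5555-X | 1.75 | 8 | 0 | 1 RU |
| 5585-X | 4-40 | 6-8 | 2-4 | 2 RU |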

References

  1. Cisco press release. Archived 2012-12-04 at the Wayback Machine. Quote: 'Las Vegas (Interop) May 3, 2005 – Cisco Systems, Inc., today announced the availability of the Cisco ASA 5500 Series Adaptive Security Appliances'
  2. Davis, David (19 February 2008). 'Converting from old to new with the PIX to ASA Migration Tool'. TechRepublic.
  3. Davis, David (30 June 2005). 'Get to know Cisco's new security appliance: ASA 5500'. TechRepublic. Retrieved 21 March 2018.
  4. 'What is Cisco ASA? Cisco ASA Overview'. Retrieved 28 December 2012.
  5. 'Cisco hits on firewall/VPN, misses on ease of use'. Retrieved 28 December 2012.
  6. Saarinen, Juha (February 20, 2015). 'Unpatched Cisco ASA firewalls targeted by hackers'. iTnews. Retrieved March 20, 2018.
  7. Saarinen, Juha (30 January 2018). 'Cisco ASA VPN feature allows remote code execution'. iTnews.
  8. 'NVD - CVE-2016-6367'. nvd.nist.gov. Retrieved 2020-07-13.
  9. 'NVD - CVE-2016-6366'. nvd.nist.gov. Retrieved 2020-07-13.
  10. 'The Shadow Brokers EPICBANANA and EXTRABACON Exploits'. Cisco Blogs. 2016-08-17. Retrieved 2020-07-13.
  11. 'Equation Group Firewall Operations Catalogue'. musalbas.com.
  12. 'Intro to the Cisco ASA'. www.nccgroup.trust.
  13. 'Cisco ASA New Features by Release'. Cisco.
  14. 'Cisco ASA with FirePOWER Services Data Sheet'. Cisco. 9 February 2018. Retrieved 20 March 2018.
  15. Moraes, Alexandre M. S. P. (2011). Cisco Firewalls. Cisco Press. ISBN 9781587141119.
  16. 'Cisco ASA 5585-X Stateful Firewall Data Sheet'. Cisco. 7 June 2017.
  17. Carroll, Brandon (January 5, 2011). 'Cisco AnyConnect vs. IPsec VPN: Licensing considerations'. TechRepublic.
  18. 'Cisco Expands Security'. Network Computing. 9 July 2006.
  19. 'Cisco's High-Performance ASA Appliance, New Version Of Anyconnect'. Network Computing. 5 October 2010.
  20. 'Cisco ASA Model Comparison page'. Retrieved 2008-05-15.


Retrieved from 'https://en.wikipedia.org/w/index.php?title=Cisco_ASA&oldid=1030723144'

The ASA 5500-X Series was redesigned to address higher performance requirements and increase flexibility when adding new services while maintaining the compact 1-RU form factor. Customers migrating from ASA 5500 Series platforms need to consider these changes at the time of migration to the newer hardware. This article describes the best practices to follow while migrating to the new ASA 5500-X Series midrange appliances.

The Cisco ASA 5500 Series midrange appliance portfolio comprises four security appliances (ASA 5510, ASA 5520, ASA 5540, and ASA 5550). In March 2012, Cisco added five new midrange appliances to the ASA family. The new appliances carry the '-X' suffix to distinguish them and are named as follows: ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X. The Cisco ASA 5500-X Series delivers next-generation security services.

The Cisco ASA 5500-X Series is designed to support next-generation security services while meeting the higher performance requirements of today's networks. It is based on a multicore, 64-bit architecture and uses separate dedicated multicore chipsets for crypto and pattern matching operations. Hardware and software changes have been introduced without sacrificing the compact form factor.

Cisco ASA 5500-X Series Hardware Migration Path

The Cisco ASA 5500 Series portfolio comprises four platforms that are based on a single-CPU, 32-bit architecture. Due to architectural limitations, they are not capable of supporting next-generation security services. The table lists the suggested hardware migration path to the ASA 5500-X Series. Suggested sizing approach is a conservative estimate.

Hardware Migration Path from ASA 5500 Series to ASA 5500-X Series

| ASA 5500 Series Appliance | Equivalent ASA 5500-X Series Appliance |
|---|---|
| ASA 5510 | ASA 5512-X |
| ASA 5510 with SecPlus License | ASA 5515-X or ASA 5512-X with SecPlus License |
| ASA 5520 | ASA 5525-X |
| ASA 5540 | ASA 5545-X |
| ASA 5550 | ASA 5555-X |

Cisco ASA 5500-X Series Software Migration Path


Software support for the Cisco ASA 5500-X Series is available in ASA Software Release 8.6 and later. Earlier ASA Software releases will fail to load on the new appliances.

Planning for a Successful Migration


To ease the migration process, the following pre-migration checks should be performed to meet the minimum hardware and software requirements.

• Licenses do not migrate automatically. All required licenses should be acquired and applied to the new appliance before starting the migration process.

• ASA 5500-X Series appliances require ASA Software Release 8.6 or later. They do not support earlier software versions. The new appliance should be loaded with the latest ASA Software release available on Cisco.com.

• Upgrade ASA Software on existing 5500 Series appliances to ASA Software Release 8.4. With this upgrade, the configuration will be updated to reflect the licensing, NAT, and real IP address migration of ACL enhancements introduced in ASA Software Release 8.3. If the ASA 5500 is running a pre-8.4 release, the preferred way is to upgrade iteratively over major revisions; e.g., if the appliance is running ASA Software Release 7.2, then do the following transitions: 7.2 to 7.4 to 8.0 to 8.2 to 8.4. With this approach, deprecated features are taken care of automatically during upgrades.

• Back up the configuration from the existing ASA 5500 Series appliance on a remote machine. This can be done using the CLI 'copy' command or using Cisco Adaptive Security Device Manager (ASDM).


• If the IPS Security Services Module (SSM) is present, back up the IPS configuration using IDM/IME or the CLI.

• During configuration backup, make sure to export certificates and keys from the old platform for reuse.

Feature License Migration

Cisco ASA feature licenses are linked to the hardware serial number. License information is not included in the configuration; as a result, licenses do not migrate when a configuration is moved from an older appliance to a newer one. All requisite licenses currently in use on an older ASA 5500 Series appliance should be acquired for the new ASA 5500-X Series appliance before proceeding with the migration process.

Cisco ASA Software Requirements for Migration

All new midrange ASA 5500-X Series appliances require ASA Software Release 8.6 or later. Earlier versions (ASA 5500 Series: 5510, 5520, 5540, and 5550) are unsupported and will not load on the new platforms.


Minimum Software Requirements for Migration from ASA 5500 to ASA 5500-X Appliances

| ASA Appliance | Minimum Software Version | Notes |
|---|---|---|
| ASA 5500 Series (5510, 5520, 5540, and 5550) | ASA Software Release 8.4.2 | Release 8.6 is not supported on these platforms. |
| ASA 5500-X Series (5512-X, 5515-X, 5525-X, 5545-X, and 5555-X) | ASA Software Release 8.6 | |

ASA 5500 Series appliances should be upgraded to ASA Software Release 8.4.2 before attempting migration to the ASA 5500-X Series. Upgrade steps are explained in detail at https://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html.
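The pre-migration checks above can be run against a saved `show version` capture and a configuration backup. The following is an added example, not Cisco's or the article author's code; the function names are hypothetical and the sample inputs are constructed. It goes slightly beyond the checklist by listing the pre-8.3 NAT statements that the upgrade rewrites, so they can be compared with the converted configuration afterwards.

```python
import re

# Hardware path and minimum releases from this article's tables (5510+SecPlus not modelled).
MIGRATION_PATH = {"ASA5510": "ASA 5512-X", "ASA5520": "ASA 5525-X",
                  "ASA5540": "ASA 5545-X", "ASA5550": "ASA 5555-X"}
MIN_SOURCE = (8, 4, 2)  # ASA 5500 Series must reach 8.4.2 before migration
MIN_TARGET = (8, 6, 0)  # ASA 5500-X Series will not load anything earlier
# Pre-8.3 NAT statements, which the upgrade past 8.3 rewrites automatically.
LEGACY_NAT = re.compile(r"(nat \([^,)]+\) \d+|global \(|static \(|nat-control\b)")

def parse_version(text):
    """Turn '... Software Version 8.2(5)' into a comparable tuple (8, 2, 5)."""
    m = re.search(r"Software Version (\d+)\.(\d+)(?:\((\d+)\))?", text)
    if not m:
        raise ValueError("no ASA software version found")
    return tuple(int(g or 0) for g in m.groups())

def target_image_ok(show_version):
    """True if the image on the new 5500-X appliance is 8.6 or later."""
    return parse_version(show_version) >= MIN_TARGET

def premigration_report(show_version, config):
    """Check saved 'show version' output and a config backup before migrating."""
    version = parse_version(show_version)
    hw = re.search(r"^Hardware:\s+(ASA\d+)", show_version, re.M)
    model = hw.group(1) if hw else None
    return {
        "model": model,
        "target": MIGRATION_PATH.get(model),
        "needs_upgrade_first": version < MIN_SOURCE,
        "legacy_nat": [l.strip() for l in config.splitlines()
                       if LEGACY_NAT.match(l.strip())],
        # Trustpoints whose certificates and keys must be exported for reuse.
        "trustpoints": re.findall(r"^crypto ca trustpoint (\S+)", config, re.M),
    }

# Constructed sample input, not captured from a real device.
SAMPLE_VERSION = """Cisco Adaptive Security Appliance Software Version 8.2(5)
Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
"""
SAMPLE_CONFIG = """nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq https
crypto ca trustpoint VPN-CERT
"""
if __name__ == "__main__":
    print(premigration_report(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Feature licenses do not appear in the report because, as noted above, they are tied to the hardware serial number and are not part of the configuration.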


Offline upgrade of ASA 5500 Series appliances to ASA Software Release 8.4 is possible using an internal migration tool hosted at https://gypsy.cisco.com/migration.html. More information on this tool is provided in the next section.

More information on migrating from Cisco ASA 5500 Series to ASA 5500-X Series midrange appliances


You can visit: https://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
