Cisco ASA

In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005.^[1] It succeeded three existing lines of Cisco products:

• Cisco PIX, which provided firewall and network address translation (NAT) functions, ended its sale on July 28, 2008.^[2]
• Cisco's IPS 4200 Series, which worked as an intrusion prevention system (IPS).
• Cisco VPN 3000 Series Concentrators, which provided virtual private networking (VPN).

The Cisco ASA is a unified threat management device which combines several network security functions.^[3]

Reception and criticism

Cisco ASA has become one of the most widely used firewall/VPN solutions for small to medium-sized businesses. Early reviews indicated the Cisco GUI tools for managing the device were lacking.^[4]

A security flaw was identified when users customized the Clientless SSL VPN option of their ASA's but was rectified in 2015.^[5] Another flaw in a WebVPN feature was fixed in 2018.^[6]

In 2017 The Shadow Brokers revealed the existence of two privilege escalation exploits against the ASA called EPICBANANA^[7] and EXTRABACON.^[8][9] A code insertion implant called BANANAGLEE, was made persistent by JETPLOW.^[10]

Features

The Cisco Adaptive Security Appliance (ASA) integrates multiple advanced security features in one platform:

• Firewall and packet inspection: Supports both stateless and stateful firewalling, reflexive and time-based ACLs, and Context-Based Access Control (CBAC) for maintaining session state and preventing spoofing.^[11]

• Intrusion Prevention System (IPS): Built‑in next-generation IPS engine offers inline detection and prevention of threats.^[12]

• Virtual Private Network (VPN): Provides IPsec, SSL VPN, AnyConnect, and clientless VPN capabilities. Supports posture assessment, clustering, and high scalability.^[13]

• Antivirus, anti‑spam, and content inspection: Offers deep packet inspection for HTTP, FTP, and email traffic to block malware and spam.^[12]

• High availability & clustering: Supports active/standby and active/active failover, stateful failover, and multi-node clustering for redundancy and throughput scaling.^[14]

• Advanced routing: Supports static and dynamic routing (OSPF, EIGRP, RIP), and deployable in routed (Layer 3) or transparent (Layer 2) firewall modes.^[11]

• Context-aware and identity‑based security: Integrates with Cisco TrustSec and identity-based firewall policies for user/device-level control.^[12]

• Hardware/software acceleration: Features hardware-assisted encryption (Suite B), ASA Virtual supports Intel QuickAssist (QAT), and application visibility and control services.^[11]

• Certificate enrollment and EST / EdDSA support: Supports EST for automated certificate enrollment and key types including EdDSA in ASA 9.16+ releases.^[15]

• Logging and telemetry: NetFlow Security Event Logging, syslog export, and management via ASDM/CSM for centralized visibility.^[13]

• Virtual security contexts & licensing: Supports multiple virtual contexts (up to 10+ in mid-range models; more on high-end); licensing controls features like VPN peers, IPS, GTP inspection, clustering, and posture assessment.^[14]

• Integration within Cisco Secure ecosystem: Works alongside SecureX, Cloud Web Security, AMP, Firepower Threat Defense, and Cisco Security Intelligence Operations.^[12]

Architecture

The ASA software is based on Linux. It runs a single Executable and Linkable Format program called lina. This schedules processes internally rather than using the Linux facilities.^[16] In the boot sequence a boot loader called ROMMON (ROM monitor) starts, loads a Linux kernel, which then loads the lina_monitor, which then loads lina. The ROMMON also has a command line that can be used to load or select other software images and configurations. The names of firmware files includes a version indicator, -smp means it is for a symmetrical multiprocessor (and 64 bit architecture), and different parts also indicate if 3DES or AES is supported or not.^[16]

The ASA software has a similar interface to the Cisco IOS software on routers. There is a command line interface (CLI) that can be used to query operate or configure the device. In config mode the configuration statements are entered. The configuration is initially in memory as a running-config but would normally be saved to flash memory.^[16]

			software versions[16]
major release	7.0	7.1	7.2	8.0	8.1	8.2	8.3	8.4	8.5	8.6	8.7	9.0	9.1	9.2	9.3	9.4	9.5	9.6	9.7	9.8	9.9
released[17]	31 May 2005	6 Feb 2006	31 May 2006	18 Jun 2007	1 Mar 2008	6 May 2009	8 Mar 2010	31 Jan 2011	8 Jul 2011	28 Feb 2012	16 Oct 2012	29 Oct 2012	3 Dec 2012	24 Apr 2014	24 Jul 2014	30 Mar 2015	12 Aug 2015	21 Mar 2016	4 Apr 2017	15 May 2017	4 Dec 2017
end of life	×	×	×	×	×	×	×	×	×	×	×	×			×		×
for 5505-5550			Y	Y	Y	Y	Y	Y				Y	Y	Y
for 5512-5585-X										Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Options

The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X can have an extra interface card added.^[18]

The 5585-X has options for SSP. SSP stands for security services processor.^[19] These range in processing power by a factor of 10, from SSP-10 SSP-20, SSP-40 and SSP-60. The ASA 5585-X has a slot for an I/O module. This slot can be subdivided into two half width modules.^[20]

On the low end models, some features are limited, and uncrippling happens with installation of a Security Plus License. This enables more VLANs, or VPN peers, and also high availability.^[18] Cisco AnyConnect is an extra licensable feature which operates IPSec or SSL tunnels to clients on PCs, iPhones or iPads.^[21]

Models

The 5505 introduced in 2010 was a desktop unit designed for small enterprises or branch offices. It included features to reduce the need for other equipment, such as an inbuilt switch, and power over Ethernet ports.^[22] The 5585-X is a higher powered unit for datacenters introduced in 2010.^[23] It runs in 32-bit mode on an Intel architecture Atom chip.^[16]

Model	5505[24]	5510	5520[24]	5540[24]	5550[24]	5580-20[24]	5580-40[24]	5585-X SSP10[24]	5585-X SSP20[24]	5585-X SSP40[24]	5585-X SSP60[24]
Cleartext throughput, Mbit/s	150	300	450	650	1,200	5,000	10,000	3,000	7,000	12,000	20,000
AES/Triple DES throughput, Mbit/s	100	170	225	325	425	1,000	1,000	1,000	2,000	3,000	5,000
Max simultaneous connections	10,000 (25,000 with Sec Plus License)	50,000 (130,000 with Sec Plus License)	280,000	400,000	650,000	1,000,000	2,000,000	1,000,000	2,000,000	4,000,000	10,000,000
Max site-to-site and remote access VPN sessions	10 (25 with Sec Plus License)	250	750	5,000	5,000	10,000	10,000	5,000	10,000	10,000	10,000
Max number of SSL VPN user sessions	25	250	750	2,500	5,000	10,000	10,000	5,000	10,000	10,000	10,000
Model	5505	5510	5520	5540	5550	5580-20	5580-40	5585-X SSP10	5585-X SSP20	5585-X SSP40	5585-X SSP60

Cisco determined that most of the low end devices had too little capacity to include the features needed, such as anti-virus, or sandboxing, and so introduced a new line of next-generation firewalls called Firepower. These run in 64-bit mode.^[16]

Models as of 2018^[18]

Model	5506-X	5506W-X	5506H-X	5508-X	5512-X	5515-X	5516-X	5525-X	5545-X	5555-X	5585-X
Throughput Gb/s	0.25	0.25	0.25	0.45	0.3	0.5	0.85	1.1	1.5	1.75	4-40
GB ports	8	8	4	8	6	6	8	8	8	8	6-8
Ten GB ports	0	0	0	0	0	0	0	0	0	0	2-4
Form factor	desktop	desktop	desktop	1 RU	1 RU	1 RU	1 RU	1RU	1RU	1RU	2RU