Cisco ASA 5585-X Stateful Firewall specification

Today’s enterprise networks struggle to keep up with a mobile workforce. Users expect on-demand access from their many devices, even as applications multiply and push performance levels. And of course security remains a priority. How do you scale and still preserve the integrity of the network? Start with the Cisco® ASA 5585-X Firewall, a compact yet high-density firewall that delivers tremendous scalability, performance, and security in a two-rack-unit (2RU) footprint.

Cisco ASA 5585-x hardware

Firewall Features

Support for Layer 3 and Layer 4 stateful firewall inspection features, including access control and network address translation, enables organizations to keep existing stateful inspection policies that are essential for compliance regulations and securing critical data center resources.

In addition to comprehensive stateful inspection capabilities, Layer 7 next-generation policies act intelligently on contextual information. Cisco AnyConnect® technology provides information on the type and location, and endpoint posture of a mobile device before it accesses the network, so that administrators can maintain high levels of network visibility, protection and control. Threat intelligence feeds from Cisco Collective Security Intelligence (CSI) use the global footprint of Cisco security deployments to analyze approximately one-third of the world’s Internet traffic for near-real-time protection from new and emerging threats.

Flexible Deployment Options

The Cisco ASA 5585-X supports two hardware blades in a single 2RU chassis. The bottom slot (slot 0) hosts the ASA stateful inspection firewall module, while the top slot (slot 1) can be used for adding up to two Cisco ASA 5585-X I/O modules for high interface density for mission-critical data centers that require exceptional flexibility and security.


Using Cisco ASA Software Release 9.0 and later, customers can combine up to 16 Cisco ASA 5585-X firewall modules in a single cluster for up to 640 Gbps of throughput, 2 million connections per second, and more than 100 million concurrent connections. This “pay as you grow” model enables organizations to purchase what they need today and dynamically add more when their performance needs grow. To protect high-performance data centers from internal and external threats, the cluster can be augmented by adding IPS modules.

Cisco ASA software clustering delivers a consistent scaling factor, irrespective of the number of units in the cluster, for a linear and predictable increase in performance. Complexity is reduced, as no changes are required to existing Layer 2 and Layer 3 networks. Support for data center designs based on the Cisco Catalyst® 6500 Series Virtual Switching System (VSS) and the Cisco Nexus virtual PortChannel (vPC) as well as the Link Aggregation Control Protocol (LACP) provides high availability (HA) with better network integration.

For operational efficiency, Cisco ASA clusters are easy to manage and troubleshoot as a single entity. Policies pushed to the master node are replicated across all the units within the cluster. The health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from a single management console. Hitless software upgrades are supported for ease of device updates.

Clustering supports HA in both active/active and active/passive modes. All units in the cluster actively pass traffic, and all connection information is replicated to at least one other unit in the cluster to support N+1 HA. In addition, single and multiple contexts are supported, along with routed and transparent modes. A single configuration is maintained across all units in the cluster using automatic configuration sync. Clusterwide statistics are provided to track resource usage.

Cisco TrustSec Integration

Using Cisco ASA Software Release 9.0 and later, the Cisco ASA 5585-X provides context awareness through the integration of identity-based firewall security and Cisco TrustSec® security group tags for enhanced visibility and control. Identity-based firewall security provides more flexible access control to enforce policies based on user and group identities and the point of access. Administrators can write policies that correspond to business rules, a process that increases security, enhances ease of use, and requires fewer policies to manage. Similarly, Cisco TrustSec integration enables security group tags to be embedded into the network, providing administrators with the ability to develop and enforce better, more precise policies.

Cut Costs While Improving Performance and Security

The Cisco ASA 5585-X Next-Generation Firewall delivers superior scalability, performance, and security to handle high data volumes without sacrificing performance. Most firewalls require up to 16RUs and 5100 watts to scale to the level of performance that the Cisco ASA 5585-X achieves with only 2RUs and 785 watts. This performance helps enterprises meet the increasing demands for network connectivity without the need to invest in additional data center space and incur the corresponding maintenance costs.

Based on tests conducted by Cisco, the Cisco ASA 5585-X significantly reduces initial procurement costs by 80 percent, power consumption costs by 85 percent, and rack space requirements by 88 percent in addition to significant reductions in overall integration and management complexity and costs. In addition, you can install up to two firewall modules in a single Cisco ASA 5585-X chassis, providing scalability to 80 Gbps.

Cisco ASA 5585-X I/O Modules

Mission-critical data centers running Cisco ASA Software Release 8.4.4 and later can use the top slot of the Cisco ASA 5585-X to add up to two Cisco ASA 5585-X I/O modules for exceptional flexibility and security. With two Cisco ASA 5585-X I/O modules, a single Cisco ASA 5585-X can support up to twenty 10 Gigabit Ethernet ports or up to fifty 1 Gigabit Ethernet ports. Using the Cisco ASA 5585-X Divider, the top slot is partitioned into two half-slots, with each I/O module occupying one half-slot. When only one I/O module is installed, a half-slot blank cover is required to cover the empty half-slot.

Optional DC Power Supplies

Service providers and data centers that require data-center-powered equipment can purchase Cisco ASA 5585-X data center power supply modules with built-in fans. These power supplies deliver up to 1150 watts of data center power for Cisco ASA 5585-X Next-Generation Firewalls. Two data center power supplies are required for each Cisco ASA 5585-X chassis. The minimum software required is Cisco ASA Software Release 8.4.5.

Service and Support

Cisco services help you protect your network investment, improve network operations, and prepare your network for new applications to extend network intelligence and the power of your business.

Included in the "Operate" phase of the service lifecycle are the Cisco Security IntelliShield® Alert Manager Service, Cisco SMARTnet™ services, the Cisco SP Base, and Cisco Services for IPS. These services are suitable for enterprise, commercial, and service provider customers.

Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.

Cisco Services for IPS supports modules, platforms, and bundles of platforms and modules that feature Cisco IPS capabilities. Cisco SMARTnet and Cisco SP Base support other products in this family.