The Cisco ASA 5500 Firewalls are now End of Life

Cisco have stopped selling the ASA (Adaptive Security Appliance) 5500 firewalls – End of Life (EoL) and End of Support (EoS) dates have been announced for all ASA5500 models.

The Cisco ASA became one of the most widely used Firewall/VPN solutions for small to medium businesses, but they are now considered legacy and end of life. Cisco have introduced the FPR NGFW range of firewalls as a replacement, and existing ASA5500 firewalls should be considered for migration.

The decision to move away from the ASA5500 has been made for you; the next step is to decide whether you wish to stick with Cisco or move to another firewall provider.

ASA5500 Replacement Options

Time to move on from Cisco Firewalls?

Cisco have not been a leader in the Gartner® Magic Quadrant™ for Network Firewalls since 2019.

The top 3 (2023) leading firewall providers, according to Gartner®, are Fortinet, Palo Alto and Check Point Software Technologies.

Source: Fortinet

However, Cisco is still a leading network firewall provider, and was named 2023 Best Next Generation Firewall by SE Labs.

Source: Cisco

In addition to hardware costs, you need to consider migration expenses, software support and licensing, and compatibility with your existing environment.

The decision to move on from the ASA5500 has been made for you: if you can’t update the OS, then at some point it will stop being compatible with other systems or will suffer from an unpatchable vulnerability.

With end of support dates of 2025 and 2026, now is the time to plan and execute a migration. The only decision left is which device you migrate to.

If you have Cisco software such as AnyConnect (Cisco Secure Mobile Client), then migrating to another vendor will likely involve migration to another software product.

If you decide to stay with Cisco, then the FPR1000 is the recommended replacement for your ASA 5500.

If your ASA is running without the ASA Firepower Module (ASA SFR) or the Firepower services are not implemented, and assuming you have other systems performing NGFW functions, then simply replace your ASA with an FPR1000 running the ASA image.

Replace your ASA 5500 with an FPR1000 ASA

It is possible to simply replace your ASA 5500 with an FPR running the ASA Image. There are very few differences between the devices and in most cases the ASA config can be pasted directly into the FPR.

| ASA5500-X | Max Performance | FPR1000 Model | Max Performance |
|---|---|---|---|
| | 750 Mbps | FPR1010-ASA-K9 | Stateful FW 2 Gbps |
| | 1 Gbps | FPR1120-ASA-K9 | Stateful FW 4.5 Gbps |
| ASA5512-X | 1 Gbps | FPR1120-ASA-K9 | Stateful FW 4.5 Gbps |
| ASA5515-X | 1.8 Gbps | FPR1140-ASA-K9 | Stateful FW 6 Gbps |
| | 1.8 Gbps | FPR1140-ASA-K9 | Stateful FW 6 Gbps |
| | 2 Gbps | FPR1150-ASA-K9 | Stateful FW 7.5 Gbps |
| | 3 Gbps | FPR1150-ASA-K9 | Stateful FW 7.5 Gbps |
| | 4 Gbps | FPR1150-ASA-K9 | Stateful FW 7.5 Gbps |

Correct as at July 2023 – latest specifications are available on cisco.com

Cisco have no plans to cease support or development of the Secure Firewall ASA code, and you may wish to use the FPR as an ASA if you do not need the advanced capabilities of the threat defense, or if you need an ASA feature that is not available on threat defense.

With very few changes, the configuration from your ASA5500-X can be pasted directly into your ASA-imaged FPR1000; the only requirement is for the Essentials license to be available in your Smart Account.

Swapping the ASA5500 hardware for an FPR1000 running the ASA image will result in increased performance and an extended life for your ASA firewalls.

ASA5500-X to FPR1000 Requirements

As a minimum the FPR1000 requires an essentials feature license to function with the ASA image.

Software Licensing

FPR1000-ASA FPR1000 Essentials License

Your FPR1000 needs to have an essentials license (FPR1000-ASA) available in your Cisco Smart Account to register against the device. Some FPR devices do not have this license so we can obtain it for you and provision it to your Smart Account.

Don’t have a Smart Account? Sign up for one here.

Replace your ASA 5500 with an FPR1000 NGFW

Cisco are viewing the ASA (Adaptive Security Appliance) code and the FTD (Firewall Threat Defense) code as two products that serve different functions, and as such have no plans to cease development or support of the ASA code.

However, the threat defense contains most of the major functionality of the ASA, plus additional next generation firewall and IPS functionality, so we would recommend migrating from ASA to FTD at some point.

The device will run slower with the FTD code as FTD is a combination of ASA code and Firepower Snort, but the FTD adds Layer 7 application inspection and firewalling which is recommended.

The base FTD License includes Application Visibility and Control (AVC) which supports over 4000 applications, as well as geolocations, users and websites.

| ASA5500-X | Max Performance | FPR1000 Model | Max Performance |
|---|---|---|---|
| ASA5506-X | 750 Mbps | FPR1010-NGFW-K9 | FW + AVC 890 Mbps |
| ASA5508-X | 1 Gbps | FPR1120-NGFW-K9 | FW + AVC 2.3 Gbps |
| ASA5512-X | 1 Gbps | FPR1120-NGFW-K9 | FW + AVC 2.3 Gbps |
| ASA5515-X | 1.8 Gbps | FPR1140-NGFW-K9 | FW + AVC 3.3 Gbps |
| ASA5516-X | 1.8 Gbps | FPR1140-NGFW-K9 | FW + AVC 3.3 Gbps |
| ASA5525-X | 2 Gbps | FPR1150-NGFW-K9 | FW + AVC 5.3 Gbps |
| ASA5545-X | 3 Gbps | FPR1150-NGFW-K9 | FW + AVC 5.3 Gbps |
| ASA5555-X | 4 Gbps | FPR1150-NGFW-K9 | FW + AVC 5.3 Gbps |

Correct as at July 2023 – latest specifications are available on cisco.com

FPR1000 Rack Mounted Models

FPR1120-ASA-K9
| Features | FPR1120 | FPR1140 | FPR1150 |
|---|---|---|---|
| Throughput | 4.5 Gbps | 6 Gbps | 7.5 Gbps |
| Connections | 200k | 400k | 600k |

FPR1000 NGFW Differences to FPR1000 ASA

The FPR1000-ASA and the FPR1000-NGFW are essentially the same device; the only difference is the image that the device is currently running.

Loading the NGFW image adds application visibility and control and can be licensed to also provide:
