ASA 1000V and ASA 5500

I hope someone can help me to answer this question:

Currently, we have redundant FWSM and consider a migration of standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and look at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

Is it possible that a firewall series ASA 5500 be replaced by ASA 1000V? Basically, can an ASA 1000V to be a single firewall solution, or are that ASA 5500 is always necessary?

Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

Thanks for your help.


Depending on what you are using the ASA5500 series for now. If you use the ASA5500 for the remote access vpn and AnyConnect VPN, he will not rely on the first version of the ASA1000V yet.

Here's the Q & A on ASA1000V which includes more information:

Hope that answers your question.

Tags: Cisco Security

Similar Questions

  • Back on the cisco ASA 5500 series and PIX 500 series


    I fund a site www (only in German). I have read that it is possible to make a denial of service on cisco PIX 500 series and series 5500 ASA, when the TTL value is enabled.

    How can I check that? or solve the problem?

    I thank you,


    What version of the code you run the Pix or ASA. Refer to the "Products affected" section for more information on versions and the products concerned. This should point you in the right direction.

    Also, listed in the URL is bypasses and fixed Versions that you may want to check.

    Kind regards


  • ASA 5500 and static NAT 1-to-1

    We currently have a pair of s ASA 5500 failover providing firewall & nat with inside, outside and the dmz interfaces. We do PAT interface for most of the internal to the external and static connections 1-to-1 NAT for specific hosts that need to accept connections from the outside inside. The space of the static nat is a 27 which includes the address of the external interface. It's that everything is working properly.

    However, we are out of space for the static NAT to this/27. I would like to be able to add a different network, probably another 27, for the more static NAT but I'm a hard time to find the best way to do it. Is this possible with a network that does not include the external interface on the ASA?

    Here are some of our current NAT config:

    Global interface 10 (external)

    NAT (inside) 10

    (dmz1, outside) static dmz1-net-net dmz1 netmask

    static (inside, dmz1) netmask

    static (inside, dmz1) netmask

    static (inside, outside) xx.yy.164.15 netmask

    static (inside, outside) xx.yy.164.8 netmask

    static (inside, outside) xx.yy.164.14 netmask

    static (inside, outside) xx.yy.164.13 netmask

    Thank you very much...


    The correct syntax for the proxyarp activation will be

    No outside sysopt noproxyarp

  • Version 7.0 of the PIX and ASA 5500

    Hi all

    Is ASA 5500 series identical a PIX 515 or 525 or 535 with version 7.0... I still see some areas where it confused between version 7.0 of the PIX and ASA 5500 series... If not, what are the benefits of ASA 5500 on the PIX 7.0?

    ASA is not the same as PIX, ASA is different hardware architecture. Although both can run the same code. One of the benefits of the SAA is that you can have an IPS module in it to make the prevention of intrusions.

    Search for comprarison on CCO.

  • Cisco ASA 5500 Series 4-Port GE SSM

    Currently, we have 2 asa 5510 firewall and need to add the

    Cisco ASA 5500 Series 4 - Port GE SSM extension module. Can it be added when the device is turned on and running or the firewall must be turned off to install the plug-in?


    You could try to ask this question of the team of firewall, as this page from the community for the physical security and video surveillance.  The team of firewall is located here:

  • AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts

    Hello guys,.

    The scenario is as follows:

    2 ASA 5500 with virtual contexts for failover.

    The ASA elementary school has the work of the AIP-SSM20.

    ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.

    Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.

    Now questions, documentation Cisco re-imaging view orders under ASA #.

    but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).

    What is the solution? Is there documentation for it (with security contexts)?

    Thank you very much for reading ;) comment on possible solutions.


    Some things to keep in mind.

    (1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.

    (2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.

    (3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.

    (4) also try the download first at the end of the gateway to since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent address as gateway.

    (5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.

  • ASA 5500 model


    Can what ASA 5500 model I use to replace my PIX515E companies with 6 interfaces.

    Hello o.oresotu,

    Looks like the Pix 515E Flyway is the ASA 5510.

    Take a look at the following links.

    Cisco ASA 5500 Series Migration quick look

    Licenses for features and specifications

    Hope that helps! If Yes, please rate.

    Thank you

  • ASA 5500 x new anyconnect VPN license structure

    I wonder if anyone can give me some insight on the new ASA VPN (SSL VPN) structure of license.  Currently, I have anyconnect premium license installed on the ASA 5500 series but want to buy the same type of license for x ASA 5500 series.  I understand the premium license is required for SSL VPN and webvpn.  Can someone find out if the premium anyconnect and anyconnect essentials license has been replaced by the Cisco Anyconnect Apex licence?

    The new AnyConnect Apex maps old Premium licenses. They are now focused on the term (1, 3-5 years) and have been approved by a single user (regardless of the number of devices) vs. concurrent users on the old regime.

    Apex (or the old premium) is required for clientless SSL VPN. Regular-based on the SSL VPN client AnyConnect requires no Apex but can be done by using only more licenses.

    The new AnyConnect Plus is the old Essentials plus mobile licenses. There is an option of perpetual and based on the duration.

    By single user licensing is a terms and conditions / EULA stuff and not enforced by technical means at the moment.

  • Step how to configure ASA 5500 Series Security Services Module-10 (model: ASA-SSM-10)

    Dear support,

    I need to configure Security Services Module-10 (model: ASA-SSM-10) on my ASA 5510 firewall. Could you provide configuration step and how to connect to the module?

    Here is the information on the module

    ciscoasa (config) # sh Details of module 1
    The details of the Service module, please wait...
    ASA 5500 Series Security Services Module-10
    Model: ASA-SSM-10
    Hardware version: 1.0
    Serial number: JAF1115066U
    Firmware version: 1.0 (11) 2
    Software version: 1.0000 E1
    MAC address range: 001a.e268.5aa9 to 001a.e268.5aa9
    App name: IPS
    App status. : to the top
    App status. / / Desc:
    App version: 1.0000 E1
    Data of aircraft status: Up
    Status: to the top
    Mgmt IP addr:
    Web to MGMT ports: 443
    Mgmt TLS enabled: true

    your help is very appreciate.

    Thank you

    Best regards

    Hi Sothengse,

    Please find the samlpe on AIP SSM module configurations. You can go through this to begin with.



  • Client VPN to ASA 5500

    I can't get my Cisco VPN client to negotiate successfully with my ASA 5500. I went through several configs and have had no luck. I write my config info and current router debug in the hope that someone sees something obvious. It is not at the initial stage.

    Thank you very much for your help.

    Always difficulties, try to add...

    part of pre authentication policy ISAKMP 65535

    ISAKMP 65535 3des encryption strategy

    ISAKMP policy 65535 sha hash

    65535 2 ISAKMP policy group

    ISAKMP strategy life 65535 86400

  • VPN with ASA 5500 VPN with PIX 515E vs

    I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.


    According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

    On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.



  • ASA 5500 SSL VPN Failover license


    I have a partner who request assistance with SSL VPN licenses on the ASA 5500 firewall sharing:

    His question is:

    Both SSL, provided with the firewall of the SAA, licenses can be shared across a couple active / standby?  I would therefore have a total of (4) licenses of SSL VPN to use?

    This would also be true for two security contexts that are included with the firewall?

    For example, I buy two base ASA 5520 firewall, running active / standby, that each machine is supplied with SSL VPN licenses (2) and (2) licensing of security contexts? In version 8.3, the licenses are cumulative by failover pairs, so I should a total SSL VPN (4) and (4) security contexts?

    Here is my response to his request:

    Based on this link (

    It was mentioned that:

    "You can have one active license type, either the AnyConnect Essentials license or the AnyConnect Premium license. By default, the Adaptive security apparatus includes an AnyConnect Premium license for 2 sessions. If you install the AnyConnect Essentials license, it is used by default. See not anyconnect-essentials control or in ASDM Configuration > remote access VPN > network (Client) access > advanced > component AnyConnect Essentials to activate the Premium license instead. »

    It will be able to share the included license on the ASA 5500 4. It will be able to share these licenses, but I'm not sure the security context. My answer would be, it can use only 2 context Security licenses since only the VPN licenses are shared on the version 8.3 and other licenses not characteristic. My understanding is correct? or there are other explanations on my customer survey?

    Thanks in advance!

    Ice Flancia

    Cisco partner Helpline Tier 2 team

    Only from ASA 8.3 version and following, the license can be combined on a failover pair active / standby.

    2 SSL included license on SAA in failover pair is combined as 4 license SSL.

    2 license of background on ASA in failover pair is combined as license frame 4.

    Here's the URL on ASA combined license failover:

    Hope that helps.

  • Cisco ASA 5500 CSC-SSM-20 Series

    How many subscribers maximum, sessions, licenses are allowed using Cisco ASA 5500 Series CSC-SSM-20 on ASA5540 module

    Use the following command 'See - activation key' to get maximum subscribers, sessions, details County licenses.

  • ASA 5500 10 GB

    ASA 5500 series safety devices does support 10 GB?


    10 GB is currently not an option:



  • Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

    We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.  It works, but it works too well.

    We have a group called XXX we need to have access to the Cisco AnyConnect Client.  We have selected this group of our Active Directory and added to our ACS configuration.  We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

    We added XXX movies for the elements of the policy of access to the network-> authorization profiles.  We also have a profile of YYY.

    She continues to knock on our default Service rule that says allow all.

    We have also created a default network access rule. for this.

    I am at a loss.  I'm sure I missed a checkbox or something.

    Any help would be really appreciated.


    We use Protocol Management GANYMEDE ASA and Ray for VPN access?

    For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

    On the SAA, you must configure Ganymede and Ray both as a server group.

    For the administration, you can set Ganymede as an external authentication under orders aaa Server

    AAA-server protocol Ganymede GANYMEDE +.

    Console HTTP authentication AAA GANYMEDE

    Console Telnet AAA authentication RADIUS LOCAL

    authentication AAA ssh console LOCAL GANYMEDE

    Console to enable AAA authentication RADIUS LOCAL

    For VPN, you must set the authentication radius under the tunnel-group.

    I hope this helps.

    Kind regards


    The rate of useful messages-

Maybe you are looking for