Cisco ASA 5512-X - Throughput Question

[Daedroth 491]

I work in a school and we need to reconfigure an old Cisco ASA 5512-X for routing and firewall purposes. Despite the ASA having 1GbE ports, it's throughput is limited depending on what it is doing. According to Cisco's specifications, it's throughput for different services are:

 

ASA IPS throughput:250 Mbps (extra hardware not required)

Next-generation firewall throughput (multiprotocol):200 Mbps

Triple Data Encryption Standard/Advanced Encryption Standard (3DE/AES) VPN thoughput:200 Mbps

 

We have a 200Mb up/200Mb down Internet connection and do perform web-filtering (performed on a separate device) that decrypts, inspects and re-encypts the data on the fly.

 

I want the ASA configured purely as a router and firewall so that only certain required ports are open and others can be configured if/when required.

 

My question: Is this ASA actually going to throttle the connection to 200Mbs, rather than the combined 400Mbs we receive?

[+BudMan 3,544]

looking at the spec sheet

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

 

You can see that its "stateful" throughput is listed as 500mbps for stuff like tcp.. Read the the notes for 2, the max is note one which says only UDP traffic.

 

 

So if your not going to use any of its other higher end features - and just as a stateful firewall.. Then it should be able to handle your 200/200 connection.  Which doesn't equal 400 btw   Its 200 down and 200 up..

[Daedroth 491]

25 minutes ago, BudMan said:

looking at the spec sheet

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

 

You can see that its "stateful" throughput is listed as 500mbps for stuff like tcp.. Read the the notes for 2, the max is note one which says only UDP traffic.

 

 

So if your not going to use any of its other higher end features - and just as a stateful firewall.. Then it should be able to handle your 200/200 connection.  Which doesn't equal 400 btw   Its 200 down and 200 up..

Cheers or the info! Are any of these other higher end features going to be required for my setup or are they just niceties?

 

I wasn't sure about how 200/200 was calculated in this respect. So I can both download and upload at 200Mbs at the same time, right? Or is it 'up to 200Mb' in each direction? So if I'm downloading at 150Mb, my upload will be limited to 50Mb and visa versa? (Internet technologies is usually out of my wheelhouse, but we have no money to get anyone in so it falls to me I guess! I just need to make sure I get everything right!)

[+BudMan 3,544]

Keep in mind that when you download your going to eat up part of your upload with ACKS.. And same your uploading part of your download pipe is going to be eaten up with acks coming from the other end.. This basic of how tcp works.

 

You would have to do the math on how much upload would be "required" in acks to hit 200Mbps down, etc.

 

So depending on how hard they limit you or how close you actually get to 200 on what your total upload/download at the same time could be, etc.

 

That 5512 has lots of bells and whistles - and many of them require special licensing, etc.  But there shouldn't be any "requirement" to use them, etc.

 

Pretty sure those devices are all end of sale, etc.  Where did you get this box - how do you have it licensed, etc. "Firepower" services require licensing..

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html

The following topics explain how to license the Firepower System.

About Firepower Feature Licenses

Service Subscriptions for Firepower Features

Classic Licensing for the Firepower System

Assign Licenses to Managed Devices

Firepower License and Service Subscription Expiration

[Daedroth 491]

7 minutes ago, BudMan said:

Keep in mind that when you download your going to eat up part of your upload with ACKS.. And same your uploading part of your download pipe is going to be eaten up with acks coming from the other end.. This basic of how tcp works.

 

You would have to do the math on how much upload would be "required" in acks to hit 200Mbps down, etc.

 

So depending on how hard they limit you or how close you actually get to 200 on what your total upload/download at the same time could be, etc.

 

That 5512 has lots of bells and whistles - and many of them require special licensing, etc.  But there shouldn't be any "requirement" to use them, etc.

 

Pretty sure those devices are all end of sale, etc.  Where did you get this box - how do you have it licensed, etc. "Firepower" services require licensing..

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html

The following topics explain how to license the Firepower System.

About Firepower Feature Licenses

Service Subscriptions for Firepower Features

Classic Licensing for the Firepower System

Assign Licenses to Managed Devices

Firepower License and Service Subscription Expiration

Ah, OK.

 

The 5512 is EOL, it was purchased back in 2015 by a third party who ripped out our old wired network and fitted a new one. At the time, the ASA was needed. A couple of years later, we changed ISP and they provided their own Juniper router instead. Now we've moved ISP again and they don't provide a router as part of their contract. Luckily we kept the ASA in storage. It's unlikely we got any of the extra features licensed at the time, even if we did, I would imagine that the licenses would have expired by now (I know for certain that they haven't been renewed in the past couple of years).

[+BudMan 3,544]

So you know something as small as a sg1100 would prob work for you

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure

 

And for sure could easy handle 200/200 without any concerns at all.

 

 

 

 

[Mindovermaster 2,357]

6 minutes ago, BudMan said:

So you know something as small as a sg1100 would prob work for you

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure

 

And for sure could easy handle 200/200 without any concerns at all.

 

I second this. He told me all about it... (will get this next month)

[Daedroth 491]

5 minutes ago, BudMan said:

So you know something as small as a sg1100 would prob work for you

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure

Interesting. I have a feeling that the third party we had in were having us on at the time.

 

So would a device like that handle the 200/200 line or the up to 500 concurrent devices we may have accessing at any one time?

[+BudMan 3,544]

Sure it would.. Contact their sales if you have specific concerns.. They do sell bigger boxes, say the 3100 for a couple 100 more..

 

You could also just put pfsense on your own hardware

[sc302 1,740]

The 5512-x without IPS will handle 500Mb/s no problem.  With IPS it chokes.  

 

The ASA isn't quite dead yet, but it doesn't have much longer to live (support wise).  I have two 5512-x's in place today and am looking at replacing them with firepower 2110 devices.  

 

If you know ASA, the 5512-x isn't too hard to configure.  If you don't know ASA, it is a steep learning curve.

[Daedroth 491]

On 4/1/2019 at 8:58 PM, sc302 said:

The 5512-x without IPS will handle 500Mb/s no problem.  With IPS it chokes.  

 

The ASA isn't quite dead yet, but it doesn't have much longer to live (support wise).  I have two 5512-x's in place today and am looking at replacing them with firepower 2110 devices.  

 

If you know ASA, the 5512-x isn't too hard to configure.  If you don't know ASA, it is a steep learning curve.

Cheers. I don't know ASA, so it was interesting. I managed to configure my default routes, NAT rules and access rules. When we switched our services over to the new provider using the ASA. Internet access was working fine (including filtering), however access to internal resources such as email (AD FS), RDS and a web server weren't. I did all I could to get it working to no avail. Since this is a live system, we had to get it sorted as soon as possible. I had to involve a third party IT solutions/support company who had expertise in this sort of thing. They managed to get it sorted and it turns out that the routing that is in place on my core switch was causing problems for the ASA. They made some amendments and now it's all working. I'm glad we got them in, even it's meant we have to pay out a few hundred because it's not something I would have been able to sort by myself.