Cisco Secure Firewall ASA Compatibility

This document lists the Secure Firewall ASA software and hardware compatibility and requirements.

ASA and ASDM Compatibility Per Model

This section lists ASA and ASDM compatibility per model.


Note


For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.


ASA 9.22

Releases in bold are the recommended versions.


Note


  • ASA 9.20(x) was the final version for the Firepower 2100 series.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.22(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.20 with ASA 9.22. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.22(1.2) with ASDM 7.22(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.


Table 1. ASA and ASDM Compatibility: 9.22

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

Firepower 1010E

1120

1140

1150

Secure Firewall 1210CE

Secure Firewall 1210CP

Secure Firewall 1220CX

Secure Firewall 3105

3110

3120

3130

3140

Firepower 4112

4115

4125

4145

Secure Firewall 4215

Secure Firewall 4225

Secure Firewall 4245

Firepower 9300

ISA 3000

9.22(1.1)

7.22(1)

YES

YES

YES

YES

YES

YES

YES

YES

ASA 9.20 and 9.19

Releases in bold are the recommended versions.


Note


  • ASA 9.20(x) was the final version for the Firepower 2100 series.

  • ASA 9.18(x) was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.19(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:

    • For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.18 with ASA 9.19. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.20(1.5) with ASDM 7.20(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.


Table 2. ASA and ASDM Compatibility: 9.20 and 9.19

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

1120

1140

1150

Firepower 1010E

Firepower 2110

2120

2130

2140

Secure Firewall 3105

3110

3120

3130

3140

Firepower 4112

4115

4125

4145

Secure Firewall 4215

Secure Firewall 4225

Secure Firewall 4245

Firepower 9300

ISA 3000

9.20(3)

7.20(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.20(2)

7.20(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.20(1)

7.20(1)

YES

9.19(1)

7.19(1)

YES

YES

YES

YES

YES

YES

YES

ASA 9.18 to 9.17

Releases in bold are the recommended versions.


Note


  • ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.17(1) can manage an ASA 5516-X on ASA 9.10(1). See the following exceptions:

    • For the Firepower 1010E, ASDM 7.19(1) is not supported. You must use 7.19(1.90)+ or 7.18(2.1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.17 with ASA 9.18. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.17(1.2) with ASDM 7.17(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.17(1.13) and 9.18(2) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 3. ASA and ASDM Compatibility: 9.18 to 9.17

ASA

ASDM

ASA Model

ASA Virtual

Firepower 1010

1120

1140

1150

Firepower 1010E

Firepower 2110

2120

2130

2140

Secure Firewall 3110

3120

3130

3140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.18(4)

7.19(1)95

YES

YES

YES

YES

YES

YES

YES

YES

9.18(3)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

9.18(2.218)

7.18(2.1)

YES

9.18(2)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.18(1)

7.18(1)

YES

YES

YES

YES

YES

YES

YES

9.17(1.13)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.17(1)

7.17(1.155)

YES

YES

YES

YES

YES

YES

YES

ASA 9.16 to 9.15

Releases in bold are the recommended versions.


Note


  • ASA 9.16(x) was the final version for the ASA 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X.

  • ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.15(1) can manage an ASA 5516-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.15 with ASA 9.16. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.16(1.15) with ASDM 7.16(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.16(3.19) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 4. ASA and ASDM Compatibility: 9.16 to 9.15

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASAv

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.16(4)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.16(3.19)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

9.16(3)

7.16(1.150)

YES

YES

YES

YES

YES

YES

YES

9.16(2)

7.16(1.150)

YES

YES

YES

YES

YES

YES

YES

9.16(1)

7.16(1)

YES

YES

YES

YES

YES

YES

YES

9.15(1)

7.15(1)

YES

YES

YES

YES

YES

YES

YES

ASA 9.14 to 9.13

Releases in bold are the recommended versions.


Note


  • ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

  • ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.13(1) can manage an ASA 5516-X on ASA 9.10(1). ASDM 7.13(1) and ASDM 7.14(1) did not support ASA 5512-X, 5515-X, 5585-X, and ASASM; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.13 with ASA 9.14. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.14(1.2) with ASDM 7.14(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.14(4.14) and later requires ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 5. ASA and ASDM Compatibility: 9.14 to 9.13

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5525-X

5545-X

5555-X

ASAv

Firepower 1010

1120

1140

1150

Firepower 2110

2120

2130

2140

Firepower 4110

4112

4115

4120

4125

4140

4145

4150

Firepower 9300

ISA 3000

9.14(4.14)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(4)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(3)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(2)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(1.30)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.14(1.6)

7.14(1.48)

YES (+ASAv100)

9.14(1)

7.14(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.13(1)

7.13(1)

YES

YES

YES

YES

YES

YES (except 4112)

YES

YES

ASA 9.12 to 9.5

Releases in bold are the recommended versions.


Note


  • ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

  • ASDM versions are backwards compatible with all previous ASA versions, unless otherwise stated. For example, ASDM 7.12(1) can manage an ASA 5515-X on ASA 9.10(1).

  • New ASA versions require the coordinating ASDM version or a later version; you cannot use an old version of ASDM with a new version of ASA. For example, you cannot use ASDM 7.10 with ASA 9.12. For ASA maintenance releases and interims, you can continue to use the current ASDM version, unless otherwise stated. For example, you can use ASA 9.12(1.15) with ASDM 7.12(1). If an ASA maintenance release has significant new features, then usually there will be a new ASDM version required.

  • ASA 9.8(4.45) and 9.12(4.50) and later require ASDM 7.18(1.152) or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)


Table 6. ASA and ASDM Compatibility: 9.12 to 9.5

ASA

ASDM

ASA Model

ASA 5506-X

5506H-X

5506W-X

5508-X

5516-X

ASA 5512-X

5515-X

5525-X

5545-X

5555-X

ASA 5585-X

ASAv

ASASM

Firepower 2110

2120

2130

2140

Firepower 4110

4120

4140

4150

Firepower 4115

4125

4145

Firepower 9300

ISA 3000

9.12(4.50)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(4)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(3)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(2)

7.12(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.12(1)

7.12(1)

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.10(1)

7.10(1)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.9(2)

7.9(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.9(1)

7.9(1)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(4.45)

7.18(1.152)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(4)

7.8(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(3)

7.8(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(2)

7.8(2)

YES

YES

YES

YES

YES

YES

YES

YES

YES

9.8(1.200)

No support

YES

9.8(1)

7.8(1)

YES

YES

YES

YES (+ASAv50)

YES

YES

YES

YES

9.7(1.4)

7.7(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.6(4)

7.9(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.6(3.1)

7.7(1)

YES

YES

YES

YES

YES

YES

YES

YES

9.6(2)

7.6(2)

YES

YES

YES

YES

YES

YES

YES

YES

9.6(1)

7.6(1)

YES

YES

YES

YES

YES

YES (except 4150)

YES

YES

9.5(3.9)

7.6(2)

YES

YES

YES

YES

YES

YES

9.5(2.200)

7.5(2.153)

YES

9.5(2.2)

7.5(2)

YES

9.5(2.1)

7.5(2)

YES

9.5(2)

7.5(2)

YES

YES

YES

YES

YES

YES

9.5(1.200)

7.5(1)

YES

9.5(1.5)

7.5(1.112)

YES

YES

YES

YES

YES

9.5(1)

7.5(1)

YES

YES

YES

YES

YES

Firepower 4100/9300 Compatibility with ASA and Threat Defense

For the Firepower 4100/9300, you must maintain compatibility between FXOS and all ASA and threat defense logical devices. Upgrade FXOS before you upgrade the sofware. The bold versions the the following table are specially-qualified (enhanced testing) companion releases. Use these combinations whenever possible.

Note that for other device models, the FXOS compatibility work is done for you. In most cases, upgrading the software automatically upgrades FXOS. For the Secure Firewall 3100/4200 in multi-instance mode, the management center guides you through upgrading FXOS and then threat defense.

To upgrade:

  • FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. When upgrading from versions earlier than 2.2.2, you need to upgrade to each intermediate version. Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:

    1. FXOS 2.2→FXOS 2.11 (the highest version that supports 9.8)

    2. ASA 9.8→ASA 9.17 (the highest version supported by 2.11)

    3. FXOS 2.11→FXOS 2.13

    4. ASA 9.17→ASA 9.19

  • Threat Defense: Interim upgrades may be required for threat defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the management center upgrade guide for your version.

  • ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.


Note


FXOS 2.8(1.125)+ and later versions do not support ASA 9.14(1) or 9.14(1.10) for ASA SNMP polls and traps; you must use 9.14(1.15)+. Other releases, such as 9.13 or 9.12, are not affected.


Table 7. Firepower 4100/9300 Compatibility with ASA and Threat Defense

FXOS Version

Model

ASA Version

Threat Defense Version

2.16

Firepower 4112

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 4145

Firepower 4125

Firepower 4115

9.22 (recommended)

9.20

9.19

9.18

9.17

7.6 (recommended)

7.4

7.3

7.2

7.1

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.14(1)

Firepower 4112

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.20 (recommended)

9.19

9.18

9.17

9.16

9.14

7.4 (recommended)

7.3

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.13

Firepower 4112

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.19 (recommended)

9.18

9.17

9.16

9.14

7.3 (recommended)

7.2

7.1

7.0

6.6

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

2.12

Firepower 4112

9.18 (recommended)

9.17

9.16

9.14

7.2 (recommended)

7.1

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.18 (recommended)

9.17

9.16

9.14

9.12

7.2 (recommended)

7.1

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.11

Firepower 4112

9.17 (recommended)

9.16

9.14

7.1 (recommended)

7.0

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.17 (recommended)

9.16

9.14

9.12

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.17 (recommended)

9.16

9.14

9.12

9.8

7.1 (recommended)

7.0

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.10

Note

 

For compatibility with 7.0.2+ and 9.16(3.11)+, you need FXOS 2.10(1.179)+.

Firepower 4112

9.16 (recommended)

9.14

7.0 (recommended)

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.16 (recommended)

9.14

9.12

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.16 (recommended)

9.14

9.12

9.8

7.0 (recommended)

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.9

Firepower 4112

9.14

6.6

Firepower 4145

Firepower 4125

Firepower 4115

9.14

9.12

6.6

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14

9.12

9.8

6.6

6.4

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.8

Firepower 4112

9.14

6.6

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

Firepower 4145

Firepower 4125

Firepower 4115

9.14 (recommended)

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12(2)+

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.14 (recommended)

9.12

9.8

6.6 (recommended)

Note

 

6.6.1+ requires FXOS 2.8(1.125)+.

6.4

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.157)

Note

 

You can now run ASA 9.12+ and FTD 6.4+ on separate modules in the same Firepower 9300 chassis

Firepower 4145

Firepower 4125

Firepower 4115

9.12

Note

 

Firepower 9300 SM-56 requires ASA 9.12.2+

6.4

Firepower 9300 SM-56

Firepower 9300 SM-48

Firepower 9300 SM-40

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

6.4 (recommended)

6.2.3

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.6(1.131)

Firepower 9300 SM-48

Firepower 9300 SM-40

9.12

Not supported

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.12 (recommended)

9.8

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.73)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

6.2.3 (recommended)

Note

 

6.2.3.16+ requires FXOS 2.3.1.157+

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.3(1.66)

2.3(1.58)

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Note

 

9.8(2.12)+ is required for flow offload when running FXOS 2.3(1.130)+.

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

2.2

Firepower 4150

Firepower 4140

Firepower 4120

Firepower 4110

9.8

Threat Defense versions are EoL

Firepower 9300 SM-44

Firepower 9300 SM-36

Firepower 9300 SM-24

Firepower 1000/2100 and Secure Firewall 3100/4200 ASA and FXOS Bundle Versions

Firepower 1000/2100 and Secure Firewall 3100/4200 platforms utilize FXOS as an underlying operating system that is included in the ASA unified image bundles. The following table lists the ASA and FXOS versions in each released bundle.


Note


You cannot install ASA or FXOS separately; you must install them both as part of the bundle.


Table 8. ASA Firepower 1000/2100 and Secure Firewall 3100/4200 ASA and FXOS Bundle Versions

ASA Bundle Version

FXOS Version

9.22(1)

2.16(0.128)

9.20(3)

2.14(2.106)

9.20(2)

2.14(1.131)

9.20(1) (Secure Firewall 4200 only)

2.14(0.11)

9.19(1)

2.13(0.198)

9.18(3)

2.12(0.468)

9.18(2)

2.12(0.438)

9.18(1)

2.12(0.31)

9.17(1)

2.11(1.154)

9.16(3)

2.10(1.189)

9.16(2)

2.10(1.162)

9.16(1)

2.10(1.159)

9.15(1)

2.9(1.131)

9.14(3)

2.8(1.157)

9.14(2)

2.8(1.134)

9.14(1.30)

2.8(1.129)

9.14(1)

2.8(1.105)

9.13(1)

2.7(1.107)

9.12(4)

2.6(1.198)

9.12(3)

2.6(1.156)

9.12(2)

2.6(1.141)

9.12(1)

2.6(1.113)

9.10(1)

2.4(1.92)

9.9(2)

2.3(1.77)

9.9(1)

2.3(1.54)

9.8(4)

2.2(2.119)

9.8(3)

2.2(2.90)

9.8(2)

2.2(2.52)

ASA Virtual Hypervisor Compatibility

You can deploy the ASA virtual on the following hypervisors.


Note


ASA virtual deployment on a platform using nested or multi-level hypervisor is not supported.


Table 9. ASA Virtual Hypervisor Compatibility

Hypervisor

Version and Details

ASA Virtual OS

Amazon Web Services

ASA 9.17 and later

Amazon Web Services supports the following instance types:

  • c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge

  • c5d.large, c5d.xlarge, c5d.2xlarge, c5d.4xlarge

  • c5ad.large, c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

  • m5n.large, m5n.xlarge, m5n.2xlarge, m5n.4xlarge

  • m5zn.large, m5zn.xlarge, m5zn.2xlarge

ASA 9.14 and later

Amazon Web Services supports the following instance types:

  • c5.4xlarge

  • c5n.large, c5n.xlarge, c5n.2xlarge, c5n.4xlarge

ASA 9.13 and later

  • ASAv50 support added.

  • ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You can deploy the ASA Virtual on a wide variety of Amazon Web Services instances types such as:

    • c5.large, c5.xlarge, c5.2xlarge, c4.2xlarge, c3.2xlarge, m4.2xlarge

ASA 9.12 and earlier

Amazon Web Services supports the ASAv10 and ASAv30 models on the following instance types:

  • c3.large, c4.large, and m4.large instances (ASAv10)

  • c3.xlarge, c4.xlarge, and m4.xlarge instances (ASAv30)

Note

 

The ASAv100 is not supported on Amazon Web Services.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8

ASA 9.7

ASA 9.6

ASA 9.5

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

Kernel-based Virtual Machine (KVM)

  • qemu-kvm, libvirt-bin, bridge-utils, virt-manager, genisoimage, virtinst, and virsh tools (part of KVM installation).

  • Linux Ubuntu 18.04 LTS host.

    The ASA Virtual has been extensively tested on an Ubuntu 18.04 LTS host, but you can use other Linux distributions.

ASA 9.14

  • ASAv100 support added.

ASA 9.13

  • ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a KVM private cloud environment.

ASA 9.8

  • ASAv50 support added.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8

ASA 9.7

ASA 9.6

ASA 9.5

ASA 9.4

ASA 9.3(2.200), 9.3(3)

Microsoft Azure

ASA 9.17 and later

Microsoft Azure supports the following instance types:

  • Standard_D8s_v3

  • Standard_D16s_v3

  • Standard_F8s_v2

  • Standard_F16s_v2

ASA 9.15 and later

Microsoft Azure supports the following instance types:

  • D5, DS5, D5_v2, DS5_v2, D16_v3

  • F16, F16s

ASA 9.13 and later

  • ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You can deploy the ASA Virtual on a wide variety of Microsoft Azure instances types such as.

    • DS3, DS3_v2, D4, D4_v2, DS4, DS4_v2, D8_v3

    • F4, F4s, F8, F8s

  • ASAv50 support added.

ASA 9.12 and earlier

Microsoft Azure supports the ASAv5, ASAv10, and ASAv30 models on the following instance types:

  • Standard D3 instance

  • Standard D3_v2 instance

Note

 

The ASAv100 is not supported on Microsoft Azure.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8

ASA 9.7

ASA 9.6(2), 9.6(3), 9.6(4)

ASA 9.5(2.200), 9.5(3)

Google Cloud Platform (GCP)

Google Cloud Platform (GCP) supports the ASA Virtual on the following GCP machine types:

  • c2-standard-4 (ASAv5, ASAv10, and ASAv30)

  • c2-standard-8 (ASAv50)

  • c2-standard-16 (ASAv100)

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

OpenStack

OpenStack supports the ASA Virtual:

  • Enabling OpenStack platform support for ASA Virtual allows you to run ASA Virtual on open source cloud platforms.

  • OpenStack uses a KVM hypervisor to manage virtual resources.

  • ASA Virtual devices are already supported on the KVM hypervisor. Therefore, there is no extra addition of kernel packages or drivers to enable OpenStack support.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

Oracle Cloud Infrastructure (OCI)

Oracle Cloud Infrastructure (OCI) supports the ASA Virtual on the following OCI shape types:

  • VM.Standard2.4 (ASAv5, ASAv10, and ASAv30)

  • VM.Standard2.8 (ASAv50 and ASAv100)

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

VMware vSphere

8.0:

  • ESXi Server

  • (Optional) vCenter Server

  • vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

 

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.22

ASA 9.20

7.0:

  • ESXi Server

  • (Optional) vCenter Server

  • vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

 

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

6.0, 6.5, 6.7:

  • ESXi Server

  • (Optional) vCenter Server

  • vSphere Web Client, vSphere Client, or OVFTool for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

 

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.14

  • ASAv100 support added.

ASA 9.13 and later

  • ASAv Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a VMware private cloud environment.

ASA 9.8

  • ASAv50 support added.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14 (ASAv100 support added)

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8 (ASAv50 support added)

ASA 9.7

ASA 9.6

ASA 9.5

ASA 9.4

ASA 9.3

ASA 9.2

5.x:

  • ESXi Server

  • vCenter Server

  • vSphere Web Client or vSphere Client for Windows or Linux

See the VMware documentation for more information about vSphere and hardware requirements:

http://www.vmware.com/support/pubs/

Note

 

You cannot install the ASA Virtual directly on an ESXi host without using vCenter.

Note

 

You cannot deploy the ASA Virtual using vCloud Director.

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8

ASA 9.7

ASA 9.6

ASA 9.5

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

  • You can now install the ASA Virtual directly on an ESXi host without using vCenter.

  • OVFTool support

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14 (ASAv100 support added)

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8 (ASAv50 support added)

ASA 9.7

ASA 9.6

ASA 9.5

ASA 9.4(1.200), 9.4(2), 9.4(3), 9.4(4)

Microsoft Hyper-V

The Microsoft Hyper-V hypervisor supports the ASAv5, ASAv10, and ASAv30 models.

Note

 

The ASAv50 and ASAv100 are not supported on Microsoft Hyper-V.

ASA 9.13 and later

  • ASA Virtual Flexible Licensing allows any ASA Virtual license to be used on any supported ASA Virtual vCPU/memory configuration. You have greater flexibility when you deploy the ASA Virtual in a Microsoft Hyper-V private cloud environment.

ASA 9.20

ASA 9.19

ASA 9.18

ASA 9.17

ASA 9.16

ASA 9.15

ASA 9.14

ASA 9.13

ASA 9.12

ASA 9.10

ASA 9.9

ASA 9.8

ASA 9.7

ASA 9.6

ASA 9.5(1.200), 9.5(2), 9.5(3)

Cisco Defense Orchestrator (CDO) Compatibility with the ASA

CDO can manage all platforms running ASA 8.4 and later (see ASA and ASDM Compatibility Per Model), except for the ASA Services Module (ASASM), which is not supported by CDO.

CDO can onboard an ASA running ASA 8.3 but cannot deploy changes to it or manage it in any other way. Support is "read-only."

CDO does not support management of the ASA FirePOWER module, which runs a different operating system from ASA. You can still use the ASA FirePOWER module in your system, but you need to manage it separately with Firepower Management Center or ASDM.

There may be a CDO feature that does not support all versions of ASA, such as ASA upgrades from pre-9.12 versions. In those cases, the CDO documentation will list any version exceptions with the prerequisites for that feature.

ASA REST API Compatibility

This section lists ASA REST API and ASA compatibility.


Note


The REST API is not supported on newer hardware models and is no longer being developed. We recommend that you instead use the ASA HTTP interface for automation. See Cisco Secure Firewall ASA HTTP Interface for Automation.


The ASA REST API is supported only on the following models starting with 9.3(2) and ending with 9.16:

  • ASA Virtual

  • Firepower 9300

  • ISA 3000

  • Firepower 4110, 4120, 4140, 4150

  • ASA 5585-X

  • ASA 5525-X, 5545-X, 5555-X

  • ASA 5512-X, 5515-X

  • ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X


    Note


    The ASA 5506-X series does not support the REST API if you are running the FirePOWER module Version 6.0 or later. Disable the ASA REST API using the no rest-api agent command.


Secure Firewall 3100 Network Module Compatibility

Table 10. Secure Firewall 3100 Network Module Compatibility

Modules Supported

Model

ASA OS

2-port 100-Gb QSFP+ network module (FPR3K-XNM-2X100G)

  • Secure Firewall 3130

  • Secure Firewall 3140

9.20(2) and later

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR3K-XNM-6X1SXF)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-6X10SRF)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X10LRF)

  • 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR3K-XNM-8X1GF)

  • Secure Firewall 3110

  • Secure Firewall 3120

  • Secure Firewall 3130

  • Secure Firewall 3140

9.18(2) and later

Note

 

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR3K-XNM-6X25SRF)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR3K-XNM-6X25LRF)

  • Secure Firewall 3130

  • Secure Firewall 3140

9.18(2) and later

Note

 

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

  • 8-port 1-Gb copper hardware bypass network module, RJ45 copper (FPR3K-XNM-8X1GF)

  • 8-port 1/10-Gb SFP+ network module (FPR3K-XNM-8X10G)

  • 8-port 1/10/25-Gb ZSFP network module (FPR3K-XNM-8X25G)

  • Secure Firewall 3110

  • Secure Firewall 3120

  • Secure Firewall 3130

  • Secure Firewall 3140

9.17 and later

4-port 40-Gb QSFP+ network module (FPR3K-XNM-4X40G)

  • Secure Firewall 3130

  • Secure Firewall 3140

9.17 and later

Secure Firewall 4200 Network Module Compatibility

Table 11. Secure Firewall 4200 Network Module Compatibility

Modules Supported

Model

ASA OS

4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

  • Secure Firewall 4215

  • Secure Firewall 4225

  • Secure Firewall 4245

9.20 and later

  • 8-port 1/10-Gb SFP+ network module (FPR4K-XNM-8X10G)

  • 8-port 1/10/25-Gb ZSFP network module (FPR4K-XNM-8X25G)

  • 4-port 40-Gb QSFP+ network module (FPR4K-XNM-4X40G)

  • 2-port 100-Gb QSFP+ network module (FPR4K-XNM-2X100G)

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR4K-XNM-6X1SXF)

  • 8-port 1-Gb copper hardware bypass network module, RJ45 copper (FPR4K-XNM-8X1GF)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR4K-XNM-6X10SRF)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR4K-XNM-6X10LRF)

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR4K-XNM-6X25SRF)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR4K-XNM-6X25LRF)

  • Secure Firewall 4215

  • Secure Firewall 4225

  • Secure Firewall 4245

9.20 and later

Note

 

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 2100 Network Module Compatibility


Note


If a network module is listed for multiple Firepower models, and the part number only differs in the model number (FPRXK-NM-module), then that module is compatible with the other Firepower models. For example, the FPR9K-NM-6X10SR-F module is compatible on the Firepower 2100 (FPR2K-NM-6X10SR-F) and Firepower 4100 (FPR4K-NM-6X10SR-F). See the FXOS compatibility guide for information about Firepower 4100 and 9300 network modules.


Table 12. Firepower 2100 Network Module Compatibility

Modules Supported

Model

ASA OS

  • Firepower 6-port 1G SX FTW Network Module single-wide (FPR2K-NM-6X1SX-F)

  • Firepower 6-port 10G SR FTW Network Module single-wide (FPR2K-NM-6X10SR-F)

  • Firepower 6-port 10G LR FTW Network Module single-wide (FPR2K-NM-6X10LR-F)

Firepower 2130

Firepower 2140

ASA 9.10 and later

Note

 

The ASA does not support the hardware bypass functionality of these modules, but you can use them as regular interfaces.

Firepower 8-port 1G Network Module single-wide (FPR2K-NM-8X1G)

Firepower 2130

Firepower 2140

ASA 9.10 and later

Firepower 8-port 10G Network Module single-wide (FPR2K-NM-8X10G)

Firepower 2130

Firepower 2140

ASA 9.9 and later

ASA 9.8(2), 9.8(3)

ASA and Threat Defense Clustering External Hardware Support

Clustering will work with both Cisco and non-Cisco switches from other major switching vendors with no known interoperability issues if they comply with the following requirements and recommendations. Clustering is compatible with technologies such as vPC (Nexus), VSS (Catalyst), and StackWise & StackWise Virtual (Catalyst).

Switch Requirements

  • All third party switches must be compliant to the IEEE standard (802.3ad) Link Aggregation Control Protocol.

  • EtherChannel bundling must be completed within 45 seconds when connected to Firepower devices and 33 seconds when connected to ASA devices.

  • On the cluster control link, the switch must provide fully unimpeded unicast and broadcast connectivity at Layer 2 between all cluster members.

  • On the cluster control link, the switch must not impose any limitations on IP addressing or the packet format above Layer 2 headers.

  • On the cluster control link, the switch interfaces must support jumbo frames and be configurable for an MTU above 1600.

Switch Recommendations

  • The switch should provide uniform traffic distribution over the EtherChannel's individual links.

  • The switch should have an EtherChannel load-balancing algorithm that provides traffic symmetry.

  • The EtherChannel load balance hash algorithm should be configurable using the 5-tuple, 4-tuple, or 2-tuple to calculate the hash.


Note


For the Firepower 9300 cluster, intra-chassis clustering can operate with any switch because Firepower 9300-to-switch connections use standard interface types.



Note


Some switches, such as the Nexus series, do not support LACP rate fast when performing in-service software upgrades (ISSUs), so we do not recommend using ISSUs with clustering.


ASA and Cisco Application Policy Infrastructure Controller (APIC) Compatibility

The platforms supported include:

  • ASA 5525-X, 5545-X, and 5555-X (8.6(x)—9.14(x))

  • ASA 5512-X, 5515-X (8.6(x)—9.12(x))

  • ASA 5585-X (8.4(x)—9.12(x))

  • ASAv (9.2(x) and newer)

  • Firepower 4100 and 9300 (9.6(x) and newer)

  • Firepower 2100 (9.8(x) and newer)

The following table lists the supported ASA device packages, ASA versions, and APIC versions.

Table 13. ASA Device Package, ASA, and APIC Compatibility

ASA Device Package Version

Integration Model

APIC Version

ASA Version

1.3(12.4)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)—5.0(2*)

8.4(x)—9.16(x)

1.3(12.3)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)—4.1(1*)

8.4(x)—9.12(x)

1.3(11.22)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)—4.0(1*)

8.4(x)—9.10(x)

1.3(10.24)

Cloud Orchestrator

Policy Orchestration

Fabric Insertion

3.1(1*)

8.4(x)—9.8(x)

1.2(12.3)

Policy Orchestration

Fabric Insertion

3.0(2*) and older

8.4(x)—9.16(x)

1.2(12.2)

Policy Orchestration

Fabric Insertion

3.0(2*) and older

8.4(x)—9.12(x)

1.2(11.16)

Policy Orchestration

Fabric Insertion

3.0(2*) and older

8.4(x)—9.10(1)

1.2(10.26)

Policy Orchestration

Fabric Insertion

3.0(2*)

8.4(x)—9.8(x)

1.2(9.18)

Policy Orchestration

Fabric Insertion

3.0(1*)

8.4(x)—9.8(x)

1.2(8.9)

Policy Orchestration

Fabric Insertion

2.2(2*)

8.4(x)—9.7(x)

1.2(7.x)

Policy Orchestration

Fabric Insertion

2.1(1*)

8.4(x)—9.6(2)

1.2(6.15)

Policy Orchestration

2.0(1*)

8.4(x)—9.5(2)

1.2(5.21)

Policy Orchestration

1.3(1*)

8.4(x)—9.5(1)

1.2(5.5)

Policy Orchestration

1.2(2*)

8.4(x)—9.4(x)


Note


We do not recommend using any ASA device package older than 2016.



Note


Policy Orchestration = Service Policy Mode = Fully Managed Mode.



Note


Fabric Insertion = Customized ASA device package for L2-3 automation only.