650 Mbps is the 5540's native max throughput. With the AIP SSM-20 installed this drops a bit to about 500 Mbps; however, using an AIP SSM-40 will support up to 650 Mbps throughput as well. This document has more details (see Table 4):
For the Cisco ASA 5540 the advertised throughput for that model is up to 650Mbps.
Does this mean the firewall natively can handle Firewall throughput up to 650Mbps without AIP-SSM modules?
Or are the AIP-SSM modules required to support up to 650Mbps where the firewall (and IPS) workload is off-loaded to the SSM module?
From the datasheet -
Up to 650 Mbps
Maximum Firewall and IPS Throughput
• Up to 500 Mbps with AIP SSM-20
• Up to 650 Mbps with AIP SSM-40
So the 650Mbps is pure firewalling throughput on cleartext traffic. If you want to combine IPS with your firewall then you can use an AIP SSM card and then the combined firewall/IPS throughput is either 500 or 650Mbps.
The SSM is not used to offload processing and boost throughput. The reason that there are different throughput numbers when using an SSM is because the added packet processing adds a bit of delay to the connection (the packets go through extra security checks by the AIP module, in addition to the ones done by the ASA, and this takes time). Likewise, throughput drops a bit when using VPN/encryption because of the added overhead of encrypting/decrypting the packets for the tunnel.
As I mentioned though, these numbers are only an ideal value. So if you are encrypting/decrypting traffic for a VPN and inspecting it with an SSM, your throughput will likely be much lower than the advertised ideal values. Just be sure that you plan for this in your deployment and choose the hardware and configuration that will give you room to scale in the future.