ASA 5505 or 5506-x with Security Plus License?

monukoshy
Level 1

Hi all,

I am planning to upgrade my pfSense firewall at home to Cisco brand firewalls.

I realize the best protection comes with a yearly license. But again, this is for home use.

If I go with just the Security Plus license, which is a lifetime license, do I even need to consider going with the ASA 5506-X?

I am just trying not to buy overkill hardware if I am unable to use it due to a different license-based engagement. Will the 5505 with Security Plus license be equal to a 5506-X with the same license, or does it provide a tad more protection?

Oh, and I realize the switch limitation on the 5506-X; I already own a Cisco Catalyst 3560E-48TD Gigabit Switch for my home network.

Please guide.

11 Replies

The switchport limitations were removed with the newest release, but if you want to use your Catalyst, that's not relevant.

The 5505 is not only completely outdated, it's nearly unusable without the SecPlus license. Don't buy this device any more.

Licensing on the 5506 is different. The restrictions of the Base-License are very likely not relevant for a home setup. But the 5506 gives NextGen firewalling with Firepower. Here you find the best protection for your network, but this is the subscription and it's quite complex to configure.

You could also consider the Cisco Meraki MX64 with the Security license. This device gives you also a very good protection but is very easy to configure. For Meraki you always need a subscription.

Thanks for your replies, greatly appreciated.

So with Cisco brands, one cannot attain a decent amount of firewalling unless you are ready to invest in a yearly subscription? In fact that's exactly what I don't want.

I think it's not only Cisco. For up-to-date protection, you need permanent feedback from the vendor for malware-info, IPS-signatures, CnC-info and so on. All vendors of NextGeneration Firewalls sell that as a subscription.

Sophos UTM is free for home use. pfSense will also have a ton more features than that ASA. There are a few others as well. Firepower is similar to the UTM features.

Thoughts?

Well, Cisco has no free offering for home-use ... (*)

With the free software, these typically don't get the updated IPS signatures as fast as the commercial software. But it could be enough for your needs.

It's more the personal choice. Also with open-source you can build a great home-firewall. If you consider using pfSense (which is great, I run it myself too), you should also evaluate OPNsense if that fits your needs better than pfSense.

(*) Another idea for home-use: Take the ASA 5506-X with Base-License and sign up for the free home-subscription of OpenDNS. This gives you also a good protection without an extra cost.

How good is a home-subscription of OpenDNS with base license for ASA 5506? Does the home subscription protect get the signatures and other info as it's released?

OpenDNS knows much about malicious systems on the internet and when a user asks for something malicious, OpenDNS returns a modified answer for this request. But there are no signatures as it's not an IPS. A NGFW like Firepower will give you more control and security, but with OpenDNS you can increase the security of your setup in an easy and cheap way. OpenDNS is also independent of the firewall, you can use it with an ASA or any other firewall.

UTM9 is free but is limited to 50 IPs (a bit like the old PIX license) and something like 32000 connections. Sophos' next iteration, Sophos XG, is a mashup of UTM9 and Cyberoam. It has most of the IPS/Web protection of UTM9 but a much more sensible home licensing option where it is limited to 4 cores and 6GB of RAM. It's still free (for home use) by the way.

It would be great if Cisco would or could do something similar for ASA and Firepower. One of the best ways to learn in my experience is with practical hands-on everyday use and we don't all have access to firewalls with these license options at work.

*edit for typos.

Kias
Level 1

Hi,

The choice of license depends on the features you require at home:

1. VPN (IPsec & site to site) - Base License
2. HA (Security Plus Lic)
3. DMZ (Security Plus Lic)
4. VLAN Trunk (Security Plus Lic)
5. More Concurrent connections (Security Plus Lic)

Based on your requirements, you could decide on the Cisco Security Plus bundle, the Cisco 5505, or any of the open source UTMs that are available.

 

Regards,

Kias
Fonicom Limited
raiseaticket Malta

scawlding1
Level 1

So if I have 2 x Cisco ASA-5506X, one has a Base Licence and one has a Security Plus Licence, I'm unable to use them in Active/Standby HA solution?

@scawlding1

5506-X requires the Security Plus License for HA

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/ha-failover.html#ID-2107-00000379

Model: ASA 5506-X and ASA 5506W-X

License Requirement:

  • Active/Standby—Security Plus License.

  • Active/Active—No Support.

Note: Each unit must have the same encryption license.
