
ASA 5506-x

NETAD
Level 4

Hi, 

I'm preparing a CCIE security lab and I'm thinking about buying the 5506-x to practice with it so I will need some insight from you guys about the product. I have some questions about it: 

1-Is the CX context aware supported on this model? Do I have to install the CX software on it and do I need an SSD card for this task?

2-Can the 5506-x be added to Cisco Prime Security Manager?

3-Does it come with the firepower software package or do I have to also download it and install it? 

4-Can it be managed with the FireSight? 

5-Overall how do you rate this product and do you recommend it for practicing CCIE security topics especially the NG and sourcefire stuff? 

Thanks 

2 Accepted Solutions


Philip D'Ath
VIP Alumni

CX has effectively been deprecated.  Everything is FirePower now.

You would need to buy an ASA 5506 Firepower bundle, to get all the right hardware.  Then you need to buy FirePower licences to activate it.  It can be managed with Firesight, but the 5506 does offer basic onboard management.  Note that Firesight is another product you would have to buy.  Normally it runs on VMWare.

Buying a SmartNet with the 5506 would be a good idea to give you access to different software, and to Cisco TAC to ask questions.

If you are mostly interested in NG and FirePower then it will be fine.  As far as I am aware, FirePower on the 5506 is the same as FirePower on the much bigger ASA's.


Marvin Rhoads
Hall of Fame

Neither the CX nor the FirePOWER NGIPS are on the CCIE Security V4 (or 4.1) blueprint. The CX is covered in the CCNP Security SITCS exam.

For better or worse, the CCIE Security blueprint still includes the old school (and also discontinued) classic Cisco IPS types (IPS appliance and IOS-based IPS).

https://learningnetwork.cisco.com/community/certifications/ccie_security/written_exam/study-material

The FirePOWER line is only currently covered in product-specific exams (e.g. SSFIPS 500-285 and SSFAMP 500-275). Those are not on any of the career certification tracks (CCNP or CCIE) and are primarily currently used by customers wanting training on their equipment and Cisco and partner field engineers (FEs).

That aside, a 5506 is fine for practicing all of the base ASA concepts while giving you the opportunity to be exposed to the new FirePOWER system (even though that latter bit isn't in the CCIE Security). If cost is a concern and you don't care about the bits not in the V4 exam, then you can probably get a used 5505 or 5510 for a lot less.


9 Replies

Thanks Philip. Is Firepower a part of the code now or do I still have to buy licenses for it? 

Both - it is part of the code, but you have to buy licences for it to turn it on.

Thanks Marvin, this clarified it for me. As for the firepower license, is it needed or can I use a free evaluation or something? I'm saying just because it will be for my personal use/practice.

I think you can get a 60 day eval licence from the licencing centre for the ASA.

http://www.cisco.com/go/licencing

I'm not sure there is any demo for the VMWare appliance.

The FirePOWER license is completely optional and only needed if you want to actually use the features of that module. The base ASA does not depend on it at all and only directs traffic to it if there is a service-policy applied referencing a policy map that instructs the ASA to send traffic to the module for inspection.

Adding to what Philip said, it's a free 45 day license that's available for the ASA 5506 models (the base, hardened or wireless variations). The license is the full IPS, URL Filtering and Malware (aka AMP) version also referred to as "TAMC". You can get it from the self-service licensing portal at www.cisco.com/go/license which redirects you to https://tools.cisco.com/SWIFT/LicensingUI/Quickstart . Select "Get Other Licenses > Demo and Evaluation"

Hmm, I just thought of something. Would I achieve similar results if I virtualize the NGIPS, ASAv, and Firesight?

ASAv would definitely work, with the caveats that it doesn't support multi-context, clustering and Etherchannel (or any software module - sfr, cx or ips). An unlicensed ASAv is otherwise limited only in throughput (100 Kbps - designed for lab / connectivity testing use). You can even install it on Hyper-V.

NGIPS (FirePOWER appliance) can be virtual but neither it nor the virtual FireSIGHT / FirePOWER Manager are offered with evaluation licenses (unless you work for a partner).
