ASK THE EXPERT- CISCO ADAPTIVE SECURITY APPLIANCE (ASA) 5500 SERIES

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Michael K. Jones the Cisco ASA 5500 Series, a multi-function security/VPN device that delivers a suite of rich, market-proven security and VPN services without compromising features or performance. Michael is the senior product line manager for the Cisco Adaptive Security Appliance (ASA) 5500 and Cisco PIX Security Appliance families.


Remember to use the rating system to let Michael know if you have received an adequate response.


Michael might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 1. Visit this forum often to view responses to your questions and the questions of other community members.

40 Replies

jim_mayfield
Level 1

Is the ASA5500 series a replacement for the PIX Firewall?

I am at a decision point, needing to buy a replacement for my PIX520. Should I consider the ASA5500 series or should I stick with something like the PIX525?

I have 750+ users accessing the internet through my existing PIX520, and 40 remote sites via IPSEC/VPN router to PIX through the internet back into the HQ as well as a dozen Cisco VPN clients.

I am in the process of upgrading the internet connection to a Fractional DS3 from a dedicated T-1.

My user base is projected to double over the next few years, but my remote sites via VPN and the number of Cisco VPN clients will remain rather flat.

Hi Jim

Great question. Either solution should be able to handle the environment that you describe. However, the Cisco ASA 5500 Series provides a number of benefits beyond Cisco PIX Security Appliances that you may want to consider. For example, Cisco ASA 5500 Series appliances also have integrated SSL VPN capabilities, which some of your remote users may want to use. The ASA 5520 and 5540 also support IPSec and SSL VPN clustering and load balancing, so you can transparently increase your headend capacity over time just by adding more devices into the cluster - or you can take advantage of the "VPN Plus" or "VPN Premium" licenses to unlock the full VPN capacity of those systems. Also, the Cisco ASA 5500 Series supports adding other high performance security services to the platform, such as full-featured Intrusion Prevention Services (IPS) - this is part of what makes ASA "adaptive." So I would recommend looking at the Cisco ASA 5520, given what you have described, as this should meet/exceed your needs now, and give you investment protection for the future as your security needs change.

Regards,

Mike Jones

vantagepointisg
Level 1

What are the hardware and software requirements to get an ASA 5510 into Active/Standby Failover? I realize that I would have to buy at least one ASA 5510 SEC Plus (ASA5510-SEC-BUN-K9). Do I have to buy an identical one to get the failover, or can I buy a failover chassis like the PIX?

We designed the Cisco ASA 5500 Series to have a simpler licensing model than some of our other security solutions, such as the Cisco PIX Security Appliance family. To create a Cisco ASA 5500 Series failover pair, simply purchase two of the same model. The Cisco ASA 5510 with the Security Plus license supports Active/Standby failover - so in this case purchase two ASA 5510 Sec Plus bundles that you mentioned (ASA5510-SEC-BUN-K9). The Cisco ASA 5520 and 5540 both support Active/Active and Active/Standby in their base model, so purchase two of either model and you can create either an A/A or A/S failover pair. Please note that both units of any failover pair are required to have the same hardware configuration and licenses installed.

If you compare the overall cost for the Cisco ASA failover pair vs. a Cisco PIX failover pair, I think you will see that with ASA you get better price performance (not to mention things like the ability to add high performance intrusion prevention services, 4 ports of integrated Gigabit Ethernet on 5520/5540, etc).

I hope this clears things up for you.

Regards,

Mike Jones

vantagepointisg
Level 1

Can the ASA 5500 handle site-to-site VPNs where there are similar IP address ranges on both internal ends?

For example:

Site_A External IP: 10.1.1.1

Site_A Internal: 192.168.100.0/24

Site_B External IP: 172.16.1.1

Site_B Internal IP: 192.168.100.0/24

I realize that the external IPs are private IPs; I'm just using them as an example.

Thanks

Can anybody answer this? This will be a deal-breaker if the ASA cannot handle this.

Thanks

Sorry it took me a few days to get back to you on this one. Yes, we should support this type of scenario. You can use the bi-directional NAT services that our Cisco ASA 5500 Series offers to NAT traffic in both directions.

Regards,

Mike Jones
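One way to build the overlapping-subnet tunnel from the question above, as an added example that is not part of this thread or of Cisco's own answer: it uses the object/twice NAT syntax introduced in ASA 8.3 (later than this thread's era), and assumes 192.168.201.0/24 and 192.168.202.0/24 are unused ranges chosen as the mapped addresses, with a placeholder pre-shared key. The point it shows is that each side NATs its real LAN to a unique mapped range before encryption, so the crypto ACLs never reference the duplicated 192.168.100.0/24.

```text
! --- Site A ASA (outside 10.1.1.1) --- added example, not from this thread
! Real LAN 192.168.100.0/24 is presented to Site B as 192.168.201.0/24 (assumed free range)
! Site B's identical LAN is reached from Site A as 192.168.202.0/24 (assumed free range)
object network SITE_A_REAL
 subnet 192.168.100.0 255.255.255.0
object network SITE_A_MAPPED
 subnet 192.168.201.0 255.255.255.0
object network SITE_B_MAPPED
 subnet 192.168.202.0 255.255.255.0
!
! Twice NAT: translate the source and pin the destination in one rule; static rules are bidirectional
nat (inside,outside) source static SITE_A_REAL SITE_A_MAPPED destination static SITE_B_MAPPED SITE_B_MAPPED
!
! The crypto ACL must match the MAPPED addresses, because NAT runs before IPsec encapsulation
access-list VPN_TO_SITE_B extended permit ip object SITE_A_MAPPED object SITE_B_MAPPED
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE_B
crypto map OUTSIDE_MAP 10 set peer 172.16.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_REPLACE_ME
!
! --- Site B ASA (outside 172.16.1.1) --- mirror image; IKE/IPsec policy lines are the same as above
object network SITE_B_REAL
 subnet 192.168.100.0 255.255.255.0
object network SITE_B_MAPPED
 subnet 192.168.202.0 255.255.255.0
object network SITE_A_MAPPED
 subnet 192.168.201.0 255.255.255.0
nat (inside,outside) source static SITE_B_REAL SITE_B_MAPPED destination static SITE_A_MAPPED SITE_A_MAPPED
access-list VPN_TO_SITE_A extended permit ip object SITE_B_MAPPED object SITE_A_MAPPED
crypto map OUTSIDE_MAP 10 match address VPN_TO_SITE_A
crypto map OUTSIDE_MAP 10 set peer 10.1.1.1
```

To check the rule ordering before going live, run `packet-tracer input inside tcp 192.168.100.10 1025 192.168.202.10 80` on the Site A unit: the trace should show the source rewritten to 192.168.201.10 in the NAT phase before the flow is matched to the tunnel, and users at Site A must address Site B hosts as 192.168.202.x rather than their real 192.168.100.x addresses.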

zoltnagy69
Level 1

Hi Michael,

I am in the process of selling an ASA5510 to a customer.

It seems to be a very good product. One key point that does not really match up to the expectations is the lack of WebVPN features. When is it expected to catch up with the VPN 3000 series WebVPN capabilities? It might be a deal breaker.

Thanks in advance,

Zoltan Nagy

Hi Zoltan

Thank you, glad to hear you're excited about the new Cisco ASA 5500 Series - we're excited about it as well. We plan on catching up with all VPN 3000 SSL feature content (and providing additional VPN feature content) in an upcoming software release. Alas, I cannot discuss roadmap timeframes in a public forum like this. But rest assured that it is coming.

Regards,

Mike Jones

smsialane
Level 1

I'm trying to find out when pricing information for the IPS/IDS, Trend Micro AV Gateway, and SmartNet for the Cisco 5500 series will be released. I'm looking at the Cisco 5520.

Our Cisco reseller does not have pricing.

We're interested in purchasing a pair of 5540s and found that our reseller does not have SmartNet pricing for the ASA 5500s either (might be the same reseller, though).

When will this pricing become available and, more importantly, how will support for the ASAs be handled until then?

Thanks,

Scott

Hi Scott

Thanks for taking time to ask a question. SMARTnet services for the Cisco ASA 5500 Series just became orderable/available two weeks ago. Perhaps your reseller is referring to an older pricelist and should check our latest pricelist. They should be able to quote service pricing, and our teams are ready to provide service for ASA around the globe.

Regards,

Mike Jones

SMARTnet offerings for our Cisco ASA 5500 Series just became orderable two weeks ago, so I would recommend that you check with your reseller again regarding pricing. It's best that you receive pricing from them.

Regarding IPS services, we offer two different models of our Advanced Inspection and Prevention Security Services Module (AIP SSM for short) - the 10 and 20. The AIP SSM-20 provides roughly double the performance of the AIP SSM-10, but the same functionality. They both provide full featured IPS/IDS services at high performance levels. They provide worm protection, spyware protection, directed attack protection (attacks against operating systems, applications, etc), and a range of countermeasures against detection evasion techniques. They incorporate a wide range of technologies to combat these threats including stateful pattern recognition, protocol analysis, traffic anomaly detection, and protocol anomaly detection.

Today our systems use over 1400 signatures as another method to detect attacks. These are updated on a regular basis, and ASA has an ability to automatically download updates. Regarding Trend Micro, we have partnered with them, and they develop a range of signatures (primarily worm related) that complement the many signatures that our internal signature team develops here at Cisco. These combined signature updates are available for download from Cisco for customers who have a "Cisco Services for IPS" contract (our signature subscription service which also includes hardware/software support).

Regards,

Mike Jones

donlon
Level 1

Michael

How great to have this opportunity to clarify the features and roadmap of the ASA.

One thing that confuses me: what's with the "network antivirus/anti-X" stuff that the Marketing folks are touting. I don't see any shipping products or existing capabilities in the ASA that pertain to it except possibly the limited IM and Go-to-my-PC blocking.
