Solved: Cisco ASA 5500 and ASA 5500-X Series Next- Generation Firewalls - Page 3

net buzz · ‎05-01-2013

Hi!

I was checking the ASA 5500-X series Next-Generation Firewalls and I noticed that it supports features like IPS, Application Visibility and Control (AVC) and Web Security Essentials (WSE).

I have a doubt on the ASA 5500-X capabilities and my question is as follows:

Can an ASA 5500-X really support all these featues in the same box?

It appears to me that if for example an ASA 5515-X is needed with IPS functionality, the following hardware will be needed:

ASA5512-IPS-K9 which is a Cisco ASA 5515-X IPS Edition

and if an ASA 5515-X is needed with Application Visibility and Control (AVC) and Web Security Essentials (WSE), the following will be needed:

ASA5515-SSD120-K9 which is a ASA 5515-X with SW, 6GE Data, 1GE Mgmt, AC, 3DES/AES, 120G SSD
ASA5515-AW1Y which is a license for Application Visibility Control and Web Security Essentials for 1Year

Based on the above, I am pretty sure that it is either IPS or AVC/WSE and not both in one box.

Can someone shed some light on this.

Regards,

Alvin

Nilo Noguera · ‎08-12-2014

Part number L-ASA5512AWI3Y= license will enable Application Visibility and Control (AVC), Web Security Essentials (WSE) and NGFW IPS for 3 years.

You can contact our Technical Assistance Center (TAC) for guidance of the upgrade. To check for the Cisco Technical Assistance Center (TAC) support number per country, please check the link below:
http://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

You can email tac@cisco.com or open a case (online): https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case

You can also check the following guides:

Cisco ASA 5500-X Hardware Installation Guide - Maintenance and Upgrade Procedures for the ASA 5500-X
http://www.cisco.com/c/en/us/td/docs/security/asa/hw/maintenance/5500xguide/5500xhw/asa_procs.html

Cisco ASA CX Module Quick Start Guide
http://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/cx/cx_qsg.html

User Guide for ASA CX and Cisco Prime Security Manager 9.1 Installing Software
http://www.cisco.com/c/en/us/td/docs/security/asacx/9-1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1/b_User_Guide_for_ASA_CX_and_PRSM_9_1_appendix_010000.html

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Marvin Rhoads · ‎08-13-2014

Confirming Nilz's advice - your hardware plus the license you mention are what's needed to run all three (AVC, WSE, IPS) on the CX module.

The IPS-on-CX wasn't initially available when this thread was started but was added as a capability ca. December 2013.

If you have specific problems re setup or validating your license after reading the links Nilz provided, I'd recommend opening a new discussion thread for simplicity of following the issue.

zheka_pefti · ‎08-13-2014

Thanks, Marvin, for your comment as well. One of my implicit points when I asked the question about CX and IPS support was a confusion that Cisco created when stated that both IPS and CX can be supported simultaneously. We, technicians and engineers, when hear IPS we assume a real full fledged IPS that can run on the hardware or software module. Apparently the IPS that is supported with CX is sort of castrated. It's not a complete signature set IPS but a solution developed to address Internet based threats only. To summarize, as it became lucid and clear after talking to TAC engineer the ASA has the capability to run 3 different module, not all at the same time. 1. Cisco IPS 2. Cisco CX 3. Cisco SourceFire FirePower (coming very soon)