Cisco ASA5500-X and CSC-SSM

limlayhin
Level 1

Hi,

Currently, I have a Cisco ASA 5510 with a CSC-SSM module.

With CSC-SSM, I can do the following:

- block certain URL

- filter certain type of URL

- filter certain categories of URL

- web reputation filtering

- block certain type of HTTP file type

- detect malware

I need to do a tech refresh for my ASA 5510.

I understand that the new Cisco 5525-X series firewall will no longer support the CSC-SSM module.

Is there any feature of the Cisco 5525-X series new generation firewall which can provide similar / complete CSC-SSM functionality?

I am aware that there is WSE for the 5525-X series. Can WSE cover the full set of features from CSC-SSM?

Does anybody have a link that demonstrates the full features of WSE?


Jouni Forss
VIP Alumni

Hi,

I have not played around much with the ASA modules.

To my understanding the ASA has the ASA-CX which does Web and Application filtering.

There is also IPS which to my understanding will be incorporated to the ASA-CX at some point.

Neither of the above are actual physical modules on the ASA but require an additional SSD120 model of the ASA (or getting the SSD separately) and the software. I have just gotten ASA-CX but haven't had much time to try it out yet.

Here are some links to ASA-CX related information

Q&A

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700607_ps12521_Products_Q_and_A_Item.html

Datasheet

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-701659_ps12521_Products_Data_Sheet.html

Application listing

http://asacx-cisco.com/

Hope these help

- Jouni

Hi Jouni,

Thanks for your reply.

Just want to confirm: for the Cisco Content Aware Security feature, I just need to buy the SSD and enable the CX license.

I can skip AVC and WSE, am I right?

Hi,

Well for example we bought an ASA5515-X SSD120 model for testing ASA-CX

So that ASA model comes with the SSD already. If you have a model without the SSD120 I think you need to buy it separately.

Our model, for example, had the ASA-CX ready in it, and they have an evaluation license for both WSE and AVC.

You will have to get a license for WSE and AVC.

The options are

  • WSE only
    • 1 year
    • 3 year
    • 5 year
  • AVC only
    • 1 year
    • 3 year
    • 5 year
  • WSE and AVC
    • 1 year
    • 3 year
    • 5 year

We got the 3 year WSE and AVC license for our unit.

I still have to set up the ASA-CX properly in the network for testing purposes, so I haven't done much with it yet.

- Jouni

Let me try to summarize my understanding of the Cisco Next Generation Firewall X series.

You are welcome to point out my errors if there are any.

The latest ASA firewalls from Cisco are the ASA 5500-X Series Next-Generation Firewalls.

There are models such as 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X.

IPS:

All these models come with built-in IPS, but a separate license is required to use the IPS feature in the device.

CX - Context Aware Security Feature:

Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.

It is hardware based with purchase of an additional module for 5585-X. The modules are "ASA 5585-X CX SSP-10" and "ASA 5585-X CX SSP-20".

Application Visibility Control (AVC):

This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for application recognition and provides context-aware firewall security.

Web Security Essentials (WSE):

This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".

When buying an X-Series ASA Firewall, users have the following options:

1) Base Firewall without any additional feature enabled - the firewall will act as Layer-3 Stateful Firewall.

2) Base Firewall + IPS

3) Base Firewall + SSD (to enable CX Context Aware Security Feature)

3.1) Base Firewall + SSD + AVC

3.2) Base Firewall + SSD + WSE

3.3) Base Firewall + SSD + AVC + WSE

As of now, "Base Firewall + IPS + SSD" is not supported.

limlayhin,

That's pretty much correct.

You can run IPS on a 5500-X that has an SSD - but you have to choose either loading the CX software module or the IPS module. If you load the IPS module, the SSD will essentially remain unused.

If you run a CX without AVC or WSE licenses, it will be very limited in usefulness. Same thing if you start with the license(s) but let it expire.

Hi Marvin,

Thank you for your great feedback. It helps...

Amazing information from all of you

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC