434 Views, 0 Helpful, 8 Replies

clustering asa

susim
Level 3

Hi,

If we have an ASA 5585 SSP10 (Gbps, 65k CPS), by clustering 2 or more of the same, can I achieve the performance of an ASA 5585 SSP20?

Thanks

8 Replies

Marvin Rhoads
Hall of Fame

Not quite.

The expected performance gain (varies according to what metric is used) of a 2-unit cluster is about 60% over that of a single unit.

In raw numbers, the ASA 5585 SSP20 (standalone) is about twice the performance of an ASA 5585 SSP10.

Hi Marvin,

I have one more question: how can I conclude that an ASA 5585 SSP20 is enough for a mid-sized data center? Or, put another way, how can I decide which firewall to choose, or what are the criteria for choosing? As I know, the ASA 5585 SSP20 is designed especially for big data centers like service providers.

Thanks again

When considering a firewall it must be within the context of your overall architecture and security needs.

Functionally, what are you trying to achieve? Simple access-list controls and stateful firewalling, NAT, VPN, Next Generation features such as user identity and TrustSec support, IPS/IDS functionality, malware protection, etc.?

Beyond those, we then look at "speeds and feeds". Having a baseline of existing traffic and growth projections helps there. If those are not available, then some basic estimates with documented assumptions that are vetted with your peers and management are a good start. We would consider both raw throughput in Mbps as well as connections per second and any other available data.

All of that feeds into what sort of device or devices you would choose. The model of SSP is only one of several bits to consider in that decision making process.

When we scale up to the 5585, we also need to consider the services processor (i.e. FirePOWER) if that's a factor. We also compare against alternative devices such as the dedicated FirePOWER appliances or even the new FirePOWER 9300 which can run a module with ASA software.

Hi,

Thanks for the valuable reply.

"We also compare against alternative devices such as the dedicated FirePOWER appliances or even the new FirePOWER 9300 which can run a module with ASA software."

If I am using an ASA 5585 SSP10, can I use dedicated FirePOWER appliances along with it?

Actually, I was trying to replace a Palo Alto 4000 series firewall. Our Internet traffic is around 100 Mbps (it may go up to 300 Mbps) and the DMZ also resides at the Internet edge. Is it OK going with an ASA 5585 SSP10 there, and an ASA 5585 SSP20 for the data center?

Thanks

The ASA 5585 is optionally available with a FirePOWER SSP in the top slot. You can use it or not, depending on the type of services you need. Typically for Internet edge, we want to add next generation IPS features (AVC, URL Filtering, Malware protection) such as that module provides when fully licensed.

You always have the option of running FirePOWER services on a dedicated appliance should you decide that's appropriate for your environment. A number of factors play into that decision - price, performance, architecture and sometimes even organizational boundaries.

You should consult with your Cisco account Systems Engineer (or partner SE) if you're unsure about what models suit you best. This is potentially a multi-hundred thousand dollar /euro / whatever currency decision and best not made on the basis of a support forum thread.

Hi,

Thanks a million.

I have one more question: in Palo Alto virtual wire mode (transparent mode) we do QoS and traffic shaping. If the ASA 5585 SSP10 or 20 is in transparent mode, can we do the same?

You're welcome.

Not to speak badly of my peers but maybe you should consider a different partner. (I do pre- and post-sales engineering.)

QoS (shaping, policing, etc.) is supported on ASAs in either routed or transparent mode. Single context only though. Reference.
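For readers who want to see what the answer above looks like in practice, here is an added configuration example (not posted in this thread and not taken from Cisco documentation): a transparent-mode ASA with one policing policy and one shaping policy. Interface names, the bridge-group addressing, the ACL, the class names and all rates are hypothetical; adjust them to the real environment. Note that an interface accepts only one service policy, and that ASA shaping can only be applied to class-default, so the two policy maps are shown as alternatives.

```text
! Added example, not from the thread. All names and rates are hypothetical.
! Transparent mode: the firewall bridges inside and outside in one bridge group.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! Classification: voice by DSCP marking, bulk transfers by a (hypothetical) ACL
access-list BULK_ACL extended permit tcp any any eq ftp
class-map VOICE
 match dscp ef
class-map BULK
 match access-list BULK_ACL
!
! Option A - policing: cap bulk traffic leaving "outside" at 1 Mbps with a
! 37,500-byte burst; traffic above the rate is dropped rather than queued.
policy-map POLICE_OUTSIDE
 class BULK
  police output 1000000 37500 conform-action transmit exceed-action drop
!
! Option B - shaping: queue traffic to a 20 Mbps envelope on class-default and
! give voice low-latency priority inside that envelope via a nested policy.
policy-map PRIORITY_VOICE
 class VOICE
  priority
policy-map SHAPE_OUTSIDE
 class class-default
  shape average 20000000 16000
  service-policy PRIORITY_VOICE
!
! Apply exactly one of the two to the interface (one service policy per interface).
service-policy POLICE_OUTSIDE interface outside
! service-policy SHAPE_OUTSIDE interface outside
```

After applying a policy, `show service-policy police` or `show service-policy shape` on the ASA shows per-class conform/exceed or shaped-packet counters, which is the quickest way to confirm that traffic is actually being classified as intended. As the answer notes, none of this is available in multiple-context mode.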

Hi,

"Not to speak badly of my peers but maybe you should consider a different partner. (I do pre- and post-sales engineering.)"

Actually I did not mean anything by it, sorry for that. (I did not blame all the pre- and post-sales engineers :))

Could you give a physical and logical diagram if it is possible, so I'll have a better understanding, or some useful links?

One thing I noticed: wherever a cluster is referred to, they are talking only about inside and outside zones. Does it mean a DMZ or any other zones are not possible?

Thanks