Few questions about Cisco ASA 5500-X NextGen Firewalls?

ryabutler
Level 1

Hi,

I have some questions about the Cisco ASA 5500-X NextGen Firewalls.

Focusing on the Cisco ASA 5512-X Series. If I want to do application and micro-application inspection (AVC) including SSL decryption on the ASA itself I would need the following:

- ASA5512-SSD120-K9 (includes the CX software module??)

- Next-Gen Firewall Subscriptions: AVC, Web Security, etc

- Cisco Prime Security Manager for managing the ASA

Here are my questions about this:

1) For ASA5512-SSD120-K9 does the CX module already come pre-installed and ready to go to use for Next-Gen Firewall Subscriptions?

2) Are there any free trials for using AVC or Web Security Next-Gen Firewall Subscriptions on the ASA for testing?

3) Are there any plans for a cheaper ASA 5505-X model being released especially for learning purposes?

4) Is Cisco Prime Security Manager basically like ASDM that is locally on the ASA that we can use for configuring the ASA firewall?

5) Anything else I'm missing that is important?

Thanks in advance!

-rya

7 Replies

Collin Clark
VIP Alumni

1. Yes it does

2. Yes there are (90 day if I remember correctly)

3. Unknown. There is a replacement for the 5505 in the works, but we don't know any specs yet.

4. Yes - both ASDM for firewall management and PRSM for CX are locally on box.

5. I think you're good.

Thanks for the fast answer! So, can I just use PRSM for managing the ASA for firewall policies, VPN, NAT, etc? Or do I need to use the ASDM and PRSM?

Thank you!

-rya

Eventually PRSM will replace ASDM, but it's not there yet. Today in PRSM you can manage ACLs and NATs on the firewall, but that's it. So for now you'll need both. As a heads up, either use ASDM or PRSM for ACLs and NAT, not both. Once PRSM "sees" the ASA it will not recognize changes made in ASDM and revert the changes you just made! I learned that one the hard way :-)

In addition to Collin's correct answers, note that you can run the "on-box" PRSM and manage each ASA separately via browsing to its GUI.

If you manage more than a handful of ASAs that way you will usually be better served by buying the licensed "off-box" PRSM (runs as a VM on your VMware ESX server) which allows you to manage multiple ASAs and define common objects, policies, etc.

Eventually PRSM will indeed supplant ASDM and even CSM. It has a ways to go but that's where the development is focused for ASA management going forward.

Thanks for the additional info guys.

Also, someone told me that a license is required for the CX and PRSM in order to use them. Is that true?

I didn't see details on the Data Sheets or any product IDs about this.

Thank you!

-rya

On box PRSM does not require a license. Off box (Virtual Machine) PRSM does require a license.

Cisco CX SSP supports three subscription-based features:

1. Application Visibility and Control (AVC): Activates application recognition, visibility and control features on CX

2. Web Security Essentials (WSE): Activates URL filtering and Web Reputation based access control

3. Intrusion Prevention Services (IPS): Activates Intrusion Detection and Protection.

The subscription terms are 1 year, 3 years and 5 years. It is also possible to purchase the services together using a bundle license. With a built-in discount, the bundle price is less than the price of buying these services a la carte.

Hi Rya - you're welcome. Thanks for the ratings.

If you scroll down in the Cisco ASA 5500-X Series Next-Generation Firewalls Data Sheet and look at the section of table 3 with the heading "ASA Next-Generation Firewall Services Software Subscriptions" you will see the various combinations of licenses you can order. A prerequisite is a firewall with the SSD - it can also be ordered separately if you don't already have that.

The features are all available on a 60-day trial license to start out if you are just evaluating the features.
