12-03-2019 06:37 PM - edited 12-03-2019 08:06 PM
Hi All,
Tried to find a proper Cisco community section for this question. This seemed like the best place. Please move the post in case it isn't.
I'm looking for a used but still decent Cisco ASA or another Cisco Firewall solution. Any recommendations?
I've done some Googling etc. I see quite a few but what I was looking for here is the Community experience with the Cisco ASA's.
What your experience was with some of them?
Which ones were good?
What kind of issues did you have with the models you've used?
Licencing?
Do I need any licences for used gear off of Amazon or eBay?
What to look for when searching for a used one?
What can I ask to get specs before buying?
What is one ideal for a small LAB?
etc.
What I'm looking for are things I won't get from Google searches, direct feedback.
Thx,
12-03-2019 07:32 PM
Hi Tom,
Few months back I bought a used ASA 5505 from eBay in an auction, I use it for homelab. Good experience.
12-04-2019 01:33 AM
I would not buy any of the 5505/55x0 devices as they are too old to be useful. Just as a comparison, if you want to prepare for Windows server, you would not use Windows 2008 for it.
For a lab I would look at the 5506-X. This device is already replaced by a newer generation which makes it a typical eBay-candidate. But it's still supported by actual software. For regular use the "Base" license is ok. The "Security Plus" has some more features that are not always relevant. But for only some bucks more I would take a device with SecurityPlus.
12-04-2019 04:19 AM
Have you considered using an ASAv (VM)? You can run it on the free version of ESXi and it does 90% or more of what a physical appliance does.
If you only want to learn and don't need to pass other than test traffic through it, there is a free version that's limited to 100 kbps throughput.
12-04-2019 06:35 AM - edited 12-04-2019 06:40 AM
@Marvin Rhoads That's interesting. Never knew a VM existed. I could install one to get a feel for it before I buy it. The F/W will be web-facing, however. So would have to be one of the physical boxes.
@Karsten Iwen Started to eye the 5506-X last night. It's growing on me.
How do I know that the device has Security Plus? Can I ask owners run:
ciscoasa# sh ver
to get that info?
Does the ASA allow for detailed reporting esp alerting?
Can I also restrict traffic through the F/W like content etc?
An additional question that I have is around a protection feature that I need to test. If I have a user connecting through the Cisco ASA, can I detect that say a malicious user has taken control of said user's workstation and is actually remoting in to then establish a connection through said client/user? In other words, weed out crackers who utilize said users' or clients' access unknowingly.
Thx,
12-04-2019 07:27 AM
Yes, "show version" will give you the info if it's Base or SecPlus.
Marvin's idea with the VM would be a perfect fit for "playing around". If you want to use it with more than 100 kBit/s you have to buy it which is likely much more expensive than a 5506.
For reporting and alerting you have syslog and netflow which will give you much information. Restricting based on content is difficult. The ASA alone is limited in that, you can do everything that can be specified in layers 3 and 4 (which is IPs and ports). For content-inspection that is more than highly limited you need the Firepower functionality. For this, the 5506 is also the wrong platform as it's not powerful enough for the actual software. And Firepower is a licensed feature for IPS, malware-scans and URL-filter. If you want to have these features, the Firepower 1010 is the right device. But it's brand new and typically not available as second hand.
Your last question is again very difficult to answer. The ASA alone can't detect that. Based on your syslog- and netflow reporting you could spot it if you know what to look for. But if it looks like normal traffic, you won't find it.
With Firepower, you could act on traffic going to command and control servers and similar things. Again, you need an expensive license for that.
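As an added illustration of the "you could spot it if you know what to look for" point above (example code, not from any poster): a small Python script that parses ASA %ASA-6-302013 "Built ... connection" syslog lines and flags an inside host that accepted an inbound remote-control session from outside and then opened outbound connections itself. The sample log lines, the interface names "inside"/"outside" and the set of ports treated as remote control are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the thread); the layout follows
# the %ASA-6-302013 message: "for" is the initiating side, "to" is the responder.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:203.0.113.9/50122 (203.0.113.9/50122) to inside:192.168.1.10/3389 (198.51.100.1/3389)
%ASA-6-302013: Built outbound TCP connection 102 for inside:192.168.1.10/51234 (198.51.100.1/51234) to outside:203.0.113.50/443 (203.0.113.50/443)
%ASA-6-302013: Built outbound TCP connection 103 for inside:192.168.1.20/51235 (198.51.100.1/51235) to outside:198.51.100.77/443 (198.51.100.77/443)
"""

CONN_RE = re.compile(
    r"%ASA-6-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)

# Assumption: ports whose inbound use toward a workstation we treat as remote control.
REMOTE_CONTROL_PORTS = {3389, 5900, 22}


def parse_connections(text):
    """Return one dict per line that matches the Built-connection format."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            conns.append(d)
    return conns


def find_remote_controlled_hosts(conns):
    """Map inside hosts that first accepted an inbound remote-control session
    from outside and later initiated outbound connections, to those destinations.
    Relies on the log being in chronological order."""
    controlled = set()
    flagged = defaultdict(list)
    for c in conns:
        if c["dir"] == "inbound" and c["dst_if"] == "inside" and c["dport"] in REMOTE_CONTROL_PORTS:
            controlled.add(c["dst"])
        elif c["dir"] == "outbound" and c["src"] in controlled:
            flagged[c["src"]].append((c["dst"], c["dport"]))
    return dict(flagged)


if __name__ == "__main__":
    for host, dests in find_remote_controlled_hosts(parse_connections(SAMPLE_LOG)).items():
        print(f"{host} accepted remote control, then connected out to: {dests}")
```

A session that looks like normal user traffic (no preceding inbound session visible to the ASA) still passes unnoticed, which is exactly the limitation described above.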
12-04-2019 08:14 AM - edited 12-04-2019 08:21 AM
This is really great info!
That's what I wanted to know. I see 5506-X's getting sold with the following advertisement:
ASA5506-SEC-BUN-K9 ASA 5506x with FirePOWER
Note the wording w/ FirePOWER. Is that the same thing?
>> Marvins idea with the VM would be a perfect fit for "playing around". If you want to use it with more than 100 kBit/s you have to buy it which is likely much more expensive than a 5506.
I wasn't sure what you mean here. Do you mean if I need more than 100 kBit/s the 5506 will give me that, or do you mean that even a 5506 can't keep up and I need something more powerful from a throughput perspective?
There's a number of throughput specs available through this page.
https://www.cisco.com/c/en/us/support/security/asa-5506-x-firepower-services/model.html
I get a general understanding, or can look this up, of what to expect based on them except for one thing. How does this translate to what I'm used to now, from folks' experience here in real life? For example, if I'm on a connection that's doing 250MB/s down and 20MB/s up, how will this impact my traffic, taking into account all things said here? I'm assuming there will be a slowdown or delay in response as the ASA filters the traffic before it moves forward? Just not clear how much of a slowdown?
Thx,
12-04-2019 08:36 AM
The 100kBit/s is the throughput of the virtual ASA in evaluation mode when you have no license for it.
The mentioned 5506 has Firepower included, but only in the old version 6.2. The version that we can run on more powerful hardware is 6.5 with many more features. And as mentioned, to take full advantage of Firepower an additional subscription is needed.
The 5506-X alone can handle your internet-connection. But the moment you configure more advanced Firepower filtering it will slow things down. Hard to say how much as that depends on the configured policy. My tests with all security applied showed a slowdown to 30 MBit/s. But with some tuning something around 50 to 100 MBit/s throughput is likely.
12-04-2019 08:42 AM
Thanks very much again.
Thinking then that the throughput of the Firepower 1010 would be much better with all the security features enabled? Have you tested this one as well?
Thx,
12-04-2019 08:56 AM
I didn't have the 1010 in my own hands. But the slightly bigger boxes like Firepower 1120 keep their promises as far as I can tell.
12-04-2019 09:01 AM
Thank you once again!