04-11-2013 02:00 PM - edited 03-11-2019 06:27 PM
Hi there,
We have FWSM modules on Internet Edge 6500s. We have to replace them within a year as FWSM is soon EOL. We want to be able to replace them with ASA module or ASA Firewall. We also would like to have IPS on internet edge. We have an ASA 5540 pair available which can be used as a replacement for FWSM. I believe I can install an IPS module on 5540.
Given the above scenario, I have the following questions:
1. Can I effectively install an ASA 5540 pair with IPS module for replacement of FWSM to take care of these requirements?
2. How long is the Cisco support available for 5540?
3. Is the same IPS module also supported for new ASA Firewall models (ASA 5540X I believe)?
4. Does the ASA module on 6500 have any built-in IPS (full) feature capability?
5. What will be the better product in this case considering my throughput requirement is only 250 Mbps (max)?
- New ASA Module for 6500 with built-in or separate IPS module installed
- Existing ASA 5540 with IPS Module
- New ASA 5540X with IPS module
Based on the following criteria, what is your suggestion?
Thanks
Fawad
04-11-2013 03:13 PM
1) Yes, it will go beyond the expectations.
2) No EOL available, as it will be here for a long, long time.
3) The new ASA X models have a built-in IPS (no need for additional hardware).
4) Not built in.
5) Existing ASA 5540 with IPS module, I would go for that one.
04-11-2013 03:20 PM
Hi,
There is an EOL / EOS published for the original ASA5500 series
Here is the info for ASA5540
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727354.html
Here is the link for a list of other EOL / EOS announcements
http://www.cisco.com/en/US/products/ps6120/prod_eol_notices_list.html
- Jouni
04-11-2013 03:24 PM
Great,
thanks for the heads-up Jouni...
There you go Fawad, you now have some stuff to think about.
I would still go for the 5540, I mean if you already have it, the last day you would receive support will be till September 2018; in those days we are going to have new stuff that you might want to use.
regards,
04-11-2013 09:46 PM
Thanks guys. Appreciate your feedback!
I will most likely go for the option "Existing ASA 5540 with IPS module". I hope the IPS module does not limit any bandwidth capability or cause any processing issue on the ASA. My current throughput is 250 Mbps bidirectional.
After looking at the IPS options I am slightly confused about which one I need. The Cisco website says:
"...adding the broad range of intrusion prevention and advanced antiworm services delivered by the IPS modules via the AIP SSM and AIP SSC, or the comprehensive malware protection and content security services enabled by the CSC SSM."
Do I need SSM only, or both SSM and SSC, or CSC SSM? How many modules can be installed on a 5540?
Fawad
04-12-2013 09:31 AM
Hello Fawad,
Glad to know that we could help.
You will need the AIP-SSM; that is the one you are looking for.
You only have one slot (so only 1 module).
Finally, remember to rate all of the helpful posts; let me know if you do not know how to.
regards,
Julio