cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2401
Views
30
Helpful
8
Replies

ASA purchase advice

Darkglasses
Level 1
Level 1

Hi Folks,

 

I am looking to replace my ASA 5510 with a 5512-x or 5515-x and looking for a little advice to ensure I get the right version to enable future learning/protect my small network.

 

Essentially I have my CCNA R&S and looking to start either my CCNP or CCIE now the new certifications have been released. So this firewall will be used in a lab environment and protect my home network. The difficulty is that I am limited to purchasing second hand devices as Cisco partners I have spoken to will not sell to an individual. As a result, I cannot get access to software releases and variation which means I need to get the correct OS and hardware config. Price, as always, is a factor. 

 

My intention is to get a 5512-x or 5512-x with Firepower. I believe I need:

 - OS version 9.2 or later (higher the better)

 - SSD and SFR installed 

 

The static licence will enable Firepower?

Any additional considerations or suggestions on were to pick up EOL devices that partners will provide a support contract to an individual?

 

Any advice and guidance is appreciated,

 

1 Accepted Solution

Accepted Solutions

If i were you and preparing for CCIE sec or enhancing my skill set i wont spent money too much I shall make sure i have  a server (with a lot of power with RAM and storage) you can get second hand server with good spec around $700.

 

everything is going software. day are gone when you needed a hardware to do your study etc. I did my ccie security with all software were virtual on the server. EVE-NG and GNS3 is good start.

 

firepower you can use FTD as this is the future of cisco firewalls. ASAv you can use/download in insitall in you lab. its all depend how you want to spent...ISE you can do a virtual appliance.

please do not forget to rate.

View solution in original post

8 Replies 8

If i were you and preparing for CCIE sec or enhancing my skill set i wont spent money too much I shall make sure i have  a server (with a lot of power with RAM and storage) you can get second hand server with good spec around $700.

 

everything is going software. day are gone when you needed a hardware to do your study etc. I did my ccie security with all software were virtual on the server. EVE-NG and GNS3 is good start.

 

firepower you can use FTD as this is the future of cisco firewalls. ASAv you can use/download in insitall in you lab. its all depend how you want to spent...ISE you can do a virtual appliance.

please do not forget to rate.

Cristian Matei
VIP Alumni
VIP Alumni

Hi,

 

    If you plan to learn for like CCNP, go with virtualisation,you'll have no issues. If you plan on learning for CCIE, depending which one, there are still many things which are supported ONLY in hardware. For example, for CCIE Security you would need physical ASA's to learn clustering and you would need a physical switch for some advanced 802.1x features (like IBNS 2.0).

 

Regards,

Cristian Matei.

@Cristian Matei I did ASA's clustering and advanced 802.1x features (like IBNS 2.0) virtually all on server no physical hardware need at all. The only thing i see in long run is FTD multi-instance for this to learn you need a physical hardware.

please do not forget to rate.

Thanks to you both,

 

I am running Server 2012 with a reasonable spec to comfortably run a number of Virtual Machines on top of a few other services. A few extra Network cards have been installed to connect VM's to different points of my lab. I appreciate the recommend on Virtual tools, they are being installed now.

 

While I primarily use packet tracer, the lab has been useful physically deploying, learning products/reference features and maintaining as my home network. Basically, the firewall will be to tie my 2 FTTC routers together and run my internal network/lab because i loose 30 Mbps of bandwidth with ZBF enabled on my 88VA's. Therefore I will be getting a firewall but won't push my budget for features I am more than likely not going to utilize. 

 

Your comments have been useful, thanks.

 

 

Hi,

   

    ASAv does not support multiple context (the commands are not even there), as for clustering, even though commands are there, it doesn't really work. How did you test these features in virtual? As for IBNS 2.0, there are many features which are supported only by the hardware switches.

 

Regards,

Cristian Matei.

Hi Christian,

I haven't been able to download ASAv so no virtual testing. This is because I have been unable to get any type of support contract for logging into the Cisco Software center. Therefore I am limited to the hardware in my lab and the options available via the installed OS, Packet Tracer and any network tools I get my hand on. Thanks again for the recommendations.

My current setup is an 887VA connected to each of my FTTC broadband circuits which connect to a 2960 (S1) switch for connecting my home network. A cable from S1 to S2 (another 2960) which provides connectivity to my lab that consists of:
Switches: 2 x 3750 and 3850
Routers: 2 x 2801
Firewall: ASA 5510 with no module.

When looking at ASA configuration documentation and examples, I could configure multiple INSIDE and OUTSIDE interfaces. This would allow me to connect my wireless AP / switch (S1) to the Firewall and remove ZBF from each of my 887VA. If I cannot do this, then I have the 5510 which I can get an SSM 10 module at some point. I just thought getting a newer firewall with Firepower would give me options and late, I could see about a second 5510 for active/active/standby configs but, I am back to licencing difficulties for a Sec Plus licence.

Ultimately, my aim is to do away with S1 and have my Firewall run my network by filtering traffic, DHCP and routing a few vlans to either 887VA. Maybe I need to go back to have a rethink because I have changed direction a few times when learning hardware/knowledge limits.

Your insight is appreciated.

Do not mean to hijack this. but if you search around you can see there are images which can be install in eve-ng and on GNS3. which include the multi context and even asa clustering. there two image run in eve-ng/gns3 and give you a feel like you working on an actual hardware. (having said that, there are limitation on throughput but as long as you want to learn and polish your skill-set this is a great tool). on the other hand you have virtural ISE/WSA/FMC/FTD. even you can do a ZBFW in eve-ng/GNS3.

 

I was a fun of hardware but end of the day if i am learning I have to look my budget (electric cost/hardware etc). if you can afford hardware thats good. but if you need alternative there is always a way. it depends how to want to use your resources. 

 

there is a difference between a learner and working in production network. when you are a learner you always try to find a way which is cost saving as we can not afforad cisco expensive kit. for example even i can not afforad buying ASA5512 with lic. too much cost. Cisco itself understand and kind to learn to give us 90 day trail lic for FTD/FMC/ISE etc.

 

as i said earlier and i stick with it if i where at your i would build my all lab virtual instead of physical. during my ccie day i always relay on virtual instead of going physical (as physical always cost me more). 

 

i hope you understand what i am trying to say.

please do not forget to rate.

Your comments are certainly welcome Sheraz,

In the main I learn using virtual tools as I do a bit of travelling but always have an eye out for anything within budget - you can beat hands on bare mental! I now have new tools to work through.
I think I will probably invest in a ASA 5500 series but no rush so time to find a deal. I wouldn't mind a POE access point for no WLC.

Continuing the balance the learning again resource. . . . time is the problem with workload so apologies for the delay in responding.

Thanks,
John