Cisco ASA - classic firewall at a classic price
August 03, 2016

Anonymous | TrustRadius Reviewer
Score 6 out of 10
Vetted Review
Verified User

Overall Satisfaction with Cisco ASA

We use the Cisco ASA as our Internet firewall as well as for site-to-site and client-to-site IPSec VPN connectivity. The device provides security policies, NAT, business-to-business connectivity over the internet, etc. The devices are deployed globally in HA (high availability), where applicable, in our offices and co-location facilities.
  • Secure inbound and outbound connectivity - this is the bread and butter for every firewall. The device is built for security.
  • VPN - the ASA does a very good job at providing stable VPN connectivity, and the debug and show commands are robust and reliable.
  • ASDM packet capture and packet tracer - these functions, particularly in the GUI, are very useful and easy to use for troubleshooting and security.
  • Next generation firewalls - the "classic" ASAs (e.g. 5505, 5510, etc.) have simple, policy-based rules that cap out at L4. The ASA-X's do have Sourcefire, so Cisco has mitigated this issue, but you would have to purchase new hardware if you wanted that feature-set, as it is not software-enabled.
  • Routing protocol support - newer versions of software finally started supporting more routing protocols, but it took a long time and the features available are minimal.
  • We've gotten every penny's worth of use with our Cisco ASA firewalls - they were a few thousand dollars to purchase, even in HA, and have been in production for over 5 years.
  • I'm glad that when the Cisco ASA IKE buffer overflow vulnerability was released, Cisco provided a code update, even though the 8.2-series code was EOL. This saved us and many companies from scrambling and spending big $ and time to put a workaround in.
We actually went with the Palo Alto firewalls in most sites, and are using the Palo Alto to replace the classic ASAs; however, there was one location where cost was a major issue so we decided to go with the X-series ASA. We spent a few thousand dollars (though only the L4 functionality) as opposed to spending tens of thousands for Palo Alto, where we really didn't need the advanced functionality.
The Cisco ASA platform is best used in the following situations:
- Smaller firms that are "Cisco shops", which simplifies Smartnet, Cisco CLI in-house knowledge, etc., along with the generally low price of ASAs (especially the 55xx series)
- Smaller firms that need to be able to draw on a large pool of engineers that have experience with Cisco firewalls (though many other vendors could fit this bill too)
- Firms that want the tried and true Cisco solution, as Cisco has been in the firewall business for quite some time