Cisco ASA - classic firewall at a classic price
August 03, 2016
Score 6 out of 10
Vetted Review
Verified User
Overall Satisfaction with Cisco ASA
We use the Cisco ASA as our Internet firewall as well as for site-to-site and client-to-site IPSec VPN connectivity. The device provides security policies, NAT, business-to-business connectivity over the internet, etc. The devices are deployed globally in HA (high availability), where applicable, in our offices and co-location facilities.
- Secure inbound and outbound connectivity - this is the bread and butter for every firewall. The device is built for security.
- VPN - the ASA does a very good job at providing stable VPN connectivity, and the debug and show commands are robust and reliable.
- ASDM packet capture and packet tracer - these functions, particularly in the GUI, are very useful and easy to use for troubleshooting and security.
- Next generation firewalls - the "classic" ASAs (e.g. 5505, 5510, etc.) have simple, policy-based rules that cap out at L4. The ASA-X's do have Sourcefire, so Cisco has mitigated this issue, but you would have to purchase new hardware if you wanted that feature-set, as it is not software-enabled.
- Routing protocol support - newer versions of software finally started supporting more routing protocols, but it took a long time and the features available are minimal.
- We've gotten every penny's worth of use with our Cisco ASA firewalls - they were a few thousand dollars to purchase, even in HA, and have been in production for over 5 years.
- I'm glad that when the Cisco ASA IKE buffer overflow vulnerability was released, Cisco provided a code update, even though the 8.2-series code was EOL. This saved us and many companies from scrambling and spending big $ and time to put a workaround in.
- Palo Alto Networks PA-500 and Palo Alto Networks PA-3000 Series
We actually went with the Palo Alto firewalls in most sites, and are using the Palo Alto to replace the classic ASAs; however, there was one location where cost was a major issue so we decided to go with the X-series ASA. We spent a few thousand dollars (though only for the L4 functionality) as opposed to spending tens of thousands for Palo Alto, where we really didn't need the advanced functionality.