Cisco ASA 5505 vs Juniper SSG5

Hi guys

OK, since I've had to hand back the ASA 5505 I had at work (without having had a chance to touch it! :confused:) I think it's time to buy myself a geeky Xmas present, so I am looking at a firewall unit and these two are my main choices (unless you have some other suggestion that does not involve pfSense or Untangle / VMware etc.; it needs to be hardware):

Cisco ASA 5505
Juniper SSG5

I'm leaning towards the Cisco as I'm doing my CCNA and want to do the security exam after (though I realise the base license probably won't help me 100% as it lacks certain features? But it will help a bit, being an ASA). What do you think? I've heard Junipers are pretty cool.

It will be connected to my ADSL router (Cisco 877W).

Also, anyone have any experience of Aironet 1310s? What do you think? I was thinking of grabbing one to stick in the garage as a WAP; will this connect easily to my 877W?

Thanks!
 
If you are going down the Cisco certification route then get a 5505 by all means to have a play with. If you are not, then get a cheapo unit!

The base license is fine for CCNA Security, the Sec+ bundle only gives you extra VPN connections, throughput and failover.
 
If you're looking to learn the CCNA-S, the firewall won't help you at all as it doesn't have any basis in that exam/course. Jump on fleabay and pick up something like an 831 with a new IOS (12.4+). Providing you can get SDM 2.5 then this will cover your CCNA and CCNA-S needs. I did this last week as an addition to my lab and it cost me £35 including delivery for a new-condition 831.

If on the other hand you want a nice toy and intend to do the CCNP-S down the line, then yes, get the ASA (NB: if I were you I'd get both, an 831 or similar for learning on as the ASA won't help for the CCNA-S, then buy the ASA anyway :D)

- Pea0n
 
Ha ha!! Pea0n, I like your way of thinking, it's the same "click the buy button" mentality I have (that I then regret at the end of the month!)

I want to learn ASA to diversify my skills (and the CCNA security exam, although not sure if this is overkill now based on your guys opinions) and I think it would be a cool addition to my Cisco lab.

Pea0n, I already have an 877W which is my DSL router; isn't this even better than the 831?

I also noticed in another thread you mentioned you've switched to Be and you're also using an 877W to connect to it? I assume since you're posting here you got it working fine? I'm also on Be as well!

Did you get your wifi and DHCP working OK? What have you got in your lab atm, mate?

You should check out Zenoss Core (open source) if you haven't already for monitoring and graphing your lab; I was just messing around with it now and it looks pretty cool!
 
OK well to answer those!

Learning the ASA is a great thing and I'd recommend it; just be aware of 2 things. 1: It isn't part of the CCNA or CCNA-S. 2: To get it working in a home environment properly you'd need to use your 877 as a perimeter router and use the ASA behind it and NAT out. You don't want to double NAT, so you'll need a largish block of IPs rather than just 1 static (there are ways around it but I wouldn't recommend it).

The 877W is better IMO than an 831. My reason for recommending an 831 was two-fold: firstly you don't need to mess with your 877 in its live environment so you can't break much ;) Secondly, the 831 has an Ethernet (RJ45) WAN port so you can connect it to another Ethernet port and set the VPNs up nice and easy etc. (like to the VLAN interface on your 877 for example).

As for getting my 877 working with Be: piece of cake, it's just bridging rather than using a dialer interface, so I can help with that if needed. Essentially it's just changing your NAT rules, changing the default route, deleting the dialer interface and amending the encapsulation. Basically I made next to no changes :)

Only problem is that it isn't stable at the higher speeds. This seems to be a known issue so you may find that it becomes a pain (ATM interface keeps dropping out). I've tried 3 different DSL firmwares and nothing was good enough, so until I find a fix I'm using the Thompson that I was sent by Be :(

Current lab -

1 x 877w
4 x 2650
2 x 2950
1 x 3550
1 x HP 2120
4 x 2500 series
1 x Pix501
1 x 831
1 x netgear 5 port hub (for some reason)
1 x Patch panel
1 x Skeletek 20u rack :D

Zenoss looks cool :) If you haven't heard of it I'd recommend you look at GNS3 ;)

I'm also doing my CCNP/CCNA-S at the moment too, so let me know if you want to discuss anything.

- Pea0n
 
No worries! It can be a little unstable if run from a Windows desktop and it's a total resource hog. I'd recommend something like Process Lasso to limit the CPU priority of the virtual devices :)

- Pea0n
 
Wow man nice lab!!!

Would you mind expanding on the ASA and block of static IPs a bit more, mate? I'm on dynamic atm (ISP) and have been thinking of switching to their static IP setup (for webserver, SMTP port unblocking etc. etc.), so maybe this is a good time to do it. How many IPs would I need?

I just googled the rack in your list and I am liking that a lot :D Did you get it from "Dantrak UK"? I think it's about £99 there which isn't bad at all! I'm going to grab one come pay day as I've been looking for one ever since I lost out on a nice 24U Dell rack on fleabay.

What speeds were you running on your 877W? I only get 4.5Mbps, so it's pretty much rock solid for me. The only thing I couldn't get working was DHCP on the wifi or address negotiation from the ISP, so it's a static IP (on the 877W) on a dynamic IP plan :confused: I'm still working on that one.

I like your idea with the 831, but there are none on the bay at the moment; I'll keep an eye out. I did have the 2611XM running my DSL but the underside fan drove me insane (living room)!

I work from home sometimes so use Windows to connect to the PPTP VPN, but I'd like to set this up on the 877W, just not sure how (I don't want to use the SDM) as I haven't read up on it yet. Would I need to put it on its own VLAN? Any ideas what the best way would be to make that work?

Thanks for the offer of help, mate, I will take you up on that! :D (I think I already have, ha.)

What patch panel do you have? please don't say "Neat Patch" or I will be eternally jealous!

I want to use my garage as a "2nd site" to emulate a leased line or something with a crappy pc in there running CentOS as maybe a webserver (connecting to the internet), I think that would be pretty cool.
 
Cheers :) Taken a while to get that stuff; it isn't much, but even second-hand bits are expensive.

As you want the ASA to do the NAT, ideally you'll need public IPs between the ASA and the router, then from the router to the ISP. You'll need probably a block of 8 or so; Be will do this on the high-end package if you pay for the block. Otherwise you'll have to NAT through the ASA to the router, then the router NATs to a single IP a second time. Not good. It is possible to not NAT on the ASA and give it private IPs to the edge 877, but it seems a little pointless as you'll lose a load of features.

I love the rack, it's really well made and worth every penny. And yep, you're right about the price and supplier. They do different sizes, perfect for labs :)

Speeds-wise, on Be I got around 15Mb sync when it worked. The Thompson is a bit better, 17Mb or so. I think half the problem with speed and stability is the Alcatel modems built in; they don't seem to like the equipment found in most of our exchanges. Broadcom always seems to be better.

With the wifi, you need to tie the Dot11Radio interface into a BVI and use that. I'll fire an example over later for the config, I don't have it to hand at the moment.

I like the 831; it isn't fast but it is silent. No fans = win :)

I'm not sure on the PPTP VPN; I only work with IPsec really, so I'm not sure how to configure it as a PPTP client without messing around. There should be guides available though. You will have to get used to the SDM app though, the CCNA-S focuses on it a fair bit... forget it once done though, I hate it :)

No probs on the help, just shout if you have any questions. The patch panel... I can't remember the brand, I got it off a mate when he was doing a refresh (36 port). I had to buy a Cat5e roll and wire it up myself though (takes ages :( )


- Pea0n
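The "public block between the ASA and the 877, NAT once on the ASA" layout Pea0n describes above, written out as an added example (this is not Pea0n's or anyone else's posted config). It assumes an ISP that routes a /29 to the 877's WAN address (203.0.113.0/29 here, a documentation range standing in for whatever Be would allocate), a Dialer0 WAN interface on the 877, ASA 8.2-era NAT syntax on the 5505, an inside LAN of 192.168.10.0/24 and a hypothetical web server at 192.168.10.50 published on a second address from the block:

```cisco
! ===== Cisco 877W: perimeter router, routes the public block, does NOT translate it =====
! 203.0.113.0/29 (assumed) is routed to us by the ISP; it lives on the inner VLAN so the
! ASA's outside interface can sit on a public address. No "ip nat inside" on Vlan1, so
! nothing behind the ASA is translated a second time.
interface Vlan1
 description Public /29 towards ASA outside
 ip address 203.0.113.1 255.255.255.248
!
interface Dialer0
 description ISP (assumed dialer-based WAN)
 ip nat outside
!
! Default route out to the ISP; the /29 is directly connected, so replies to the ASA's
! public addresses need no extra static route here.
ip route 0.0.0.0 0.0.0.0 Dialer0

! ===== ASA 5505 (8.2 syntax): single point of NAT =====
! Base licence: Ethernet0/0 is in VLAN 2 by default, everything else in VLAN 1.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Outbound PAT: inside hosts leave as 203.0.113.2 and the 877 simply routes that upstream.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!
! Inbound: assumed web server published on a third address from the block. The ASA
! proxy-ARPs for 203.0.113.3 on the outside VLAN, so the 877 delivers it without any
! static route or NAT entry of its own.
static (inside,outside) 203.0.113.3 192.168.10.50 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.3 eq www
access-group OUTSIDE-IN in interface outside
```

The security point is the one Pea0n makes: with a single-static-IP plan the 877 would have to be "ip nat inside" on Vlan1 and overload everything onto its WAN address, so the ASA's statics and access lists would be hidden behind a second translation the ASA cannot see. With a routed block the ASA's outside interface is the only NAT boundary, and `show xlate` / `show conn` on the ASA tell you the whole story.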
 
Hmmmm, I was going to buy this (ASA) next week until I realised the base (firewall edition) license won't really allow me to use the DMZ effectively, and the upgraded license by itself is in the region of £320!!!

I think I'll forget the 5505 and go for a PIX 515E from fleabay (with unrestricted license) or the Juniper now.

If it doesn't really contribute to the exam then it's no loss.

Shame, but.....
 
At the moment I think the PIX 515E offers better value than the ASAs for learning. If you can update the PIX to the latest software, 8.0(4), then it's very similar to the ASA.

With the PIX you'll miss out on some features such as SSL VPNs, but if you're interested in doing failover with a second unit, the PIX supports stateful failover which the 5505 can't do; the 5505 only does basic stateless failover.

The problem with the 5505 is it has been deliberately crippled compared to the other ASAs, which might restrict you later on from trying out some more elaborate labs.

Now if only I could afford to get hold of a Juniper SRX; I'm really interested to see what these can do!
 
I've seen this mentioned (lab-based PIX failover) on a few forums around the web, but the unrestricted license does not seem to always include failover. Do you need a specific failover license for this on the PIX? I would have expected it to come as part of the unrestricted license, surely?

The newer images are not a problem.

The SRX210s would be my choice too instead of the ASA (now I know about the DMZ limitation!), but as you say, they are in the region of around £500!

Been keeping an eye on the bay for one on auction but no luck.

Another option is a Watchguard Firebox I guess.
 
If it's just your house the entry-level SRX 100 would likely offer more than enough performance... it can be had online now for just under £300 if you shop around, though the IDP features often need the high-memory versions, so that might be worth considering if you think you'd pay for them.

It's the cheapest, smallest box you can get that runs Junos too, so it is excellent for learning on. It can be a bit of a learning curve, but if you're proficient with Cisco it should be easy to pick up once you get used to their ways of doing things :)

Wipes the floor with an ASA 5505 IMHO too.

As for a WiFi AP, I'd just pick up a 1242AG (can be had for circa £200 these days), unless it's outdoors you're wanting to mount it, in which case the 1300 series is the right thing to look at.

For my tuppence worth, I'd also say it's good to have experience of more than one vendor's products. Far too many people come to us with just a CCNA/P and they have never tried to learn or use anything else; needless to say, they often won't make it through the paper sift of CVs.
 
As far as I know if a 515 has an unrestricted licence it will do failover. Where it gets complicated is if the unit is licensed as a failover only unit.

If you have a failover-only licence you'll need to partner it with a "proper" unrestricted unit, otherwise it will reset every 24 hours.

Some failover-only licences provide active/standby failover: the second unit will sit idle until the first one goes offline. Others offer active/active failover; this relies on multiple security contexts (something else the 5505 can't do). You run one context on one of the active units and another context on the partner, so they both have something to do.

Saying that, quite a lot of features become unavailable when you start using multiple contexts.
 
As far as I know if a 515 has an unrestricted licence it will do failover. Where it gets complicated is if the unit is licensed as a failover only unit.

If you have a failover-only licence you'll need to partner it with a "proper" unrestricted unit, otherwise it will reset every 24 hours.

Some failover-only licences provide active/standby failover: the second unit will sit idle until the first one goes offline. Others offer active/active failover; this relies on multiple security contexts (something else the 5505 can't do). You run one context on one of the active units and another context on the partner, so they both have something to do.

Saying that, quite a lot of features become unavailable when you start using multiple contexts.

That is exactly the situation. The failover PIX can only be used with the unrestricted-licensed PIX; you can't pair a failover-only licensed box with a restricted one. This all starts to get very pricey indeed.

Unless you are doing CCIE security a simple PIX will serve you fine to learn the basics.

BTW, have you checked out PEMU for Dynamips/GNS? It allows you to fully emulate a PIX in every way on a PC, wired into a full lab of other emulated routers as well. Incredibly powerful.

Lots of stuff on how to do this on the web.

Check out

Steve
CCIE R+S
 
Cheers for the thoughts all

I am still on the lookout for a Juniper SRX100 but not having any luck whatsoever below £400, and at that price I could probably easily buy two 515Es. But if I could get the Juniper for £300??

At the moment I am probably going to pick up an unrestricted PIX 515E from fleabay and the outdoor Aironet I mentioned (for the garage!); I think the failover scenario would be too expensive.
 
Only problem is that it isn't stable at the higher speeds. This seems to be a known issue so you may find that it becomes a pain (ATM interface keeps dropping out). I've tried 3 different DSL firmwares and nothing was good enough, so until I find a fix I'm using the Thompson that I was sent by Be :(

Out of interest, did you contact Be at all about this problem? I had a similar issue when I fitted my 857 where it kept dropping out and being pants, so I phoned Be, who changed the profile of my line to one that is more suited to different chipsets. The guy pretty much did this straight away once I told him I was using a Cisco rather than the BeBox, and it fixed the problem instantly. It's now been running at full speed for about 2 months with no outages.

Just for reference, the Be modem was able to connect at 20Mb and the Cisco has connected at exactly the same speed.
 
20mbps is very impressive!

Mine has been 100% stable since I did three things (I know some of you guys know way more than me about this, but you never know, it might help someone :D )

1. Set the dot11radio (wifi) to choose the "least congested" channel (before this it would periodically drop every 20 mins or so, hugely annoying). I liked this feature though, very cool! But then it's Cisco, right?

2. Use the undocumented commands to modify the DSL noise margin to get the fastest connection that is still stable:

a) log in to the router
b) enable
c) conf t
d) service internal
e) int atm0
f) dsl noise-margin <<value>> (value between -3 and 3, with 3 being the slowest but most stable connection)

Increasing by 3 means you increase the SNR margin by roughly 3 dB.

That command in particular was very useful.

3. Turned off Netflow and NBAR.

:)

BTW: I am massively impressed with Cisco gear. As I mentioned above, I bought a cheap 3725 router and not only is it hugely overpowered for home use (5x more powerful than the 2611XM I have) but I am using it to route between my switch, which has 4 VLANs, and my DSL router, as a DNS caching/forwarder server for all VLAN devices, NTP server and DHCP server for 1 VLAN, and it doesn't miss a beat, plus it hardly uses any power at all.

I'm majorly impressed.

When their 1Gbps switches come down (not Linksys) I'll probably grab one of them too!
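The wifi side of an 877W, as an added example pulling together what the thread only names in passing: Pea0n's point that the Dot11Radio interface has to be bridged into a BVI before you can put an address (and a DHCP pool) on it, and Thorpedo's "least congested" channel setting. This is not either poster's config. It assumes IOS 12.4 on an 877W, an SSID of HOME-LAB, a placeholder WPA2 pre-shared key, and 192.168.1.0/24 for the bridged LAN; swap in your own values.

```cisco
! ===== Cisco 877W: wireless bridged into a BVI so wifi and the switch ports share one subnet =====
! Without "bridge irb" + a BVI, Dot11Radio0 cannot carry an IP address on this platform,
! which is why a DHCP pool bound to the radio alone never hands out leases.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! SSID definition (global). Assumed name and key; WPA2-PSK with AES only, no WEP/TKIP.
dot11 ssid HOME-LAB
 authentication open
 authentication key-management wpa
 wpa-psk ascii CHANGE-ME-TO-A-LONG-PASSPHRASE
 guest-mode
!
interface Dot11Radio0
 no ip address
 encryption mode ciphers aes-ccm
 ssid HOME-LAB
 ! pick the quietest channel at boot instead of a fixed one (Thorpedo's stability fix)
 channel least-congested
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 no shutdown
!
! The four switch ports live on Vlan1; bridge it into the same group.
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
! The BVI is the only L3 interface for the bridged LAN; DHCP, NAT and ACLs all hang off it.
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp pool BRIDGED-LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
 lease 0 12
```

Check it with `show dot11 associations` (clients should show up as associated on Dot11Radio0) and `show ip dhcp binding` (leases should appear against the BVI1 subnet). If clients associate but never get an address, the usual cause is the radio or Vlan1 missing from bridge-group 1, or `bridge 1 route ip` being absent so the BVI never routes.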
 
Out of interest, did you contact Be at all about this problem? I had a similar issue when I fitted my 857 where it kept dropping out and being pants, so I phoned Be, who changed the profile of my line to one that is more suited to different chipsets. The guy pretty much did this straight away once I told him I was using a Cisco rather than the BeBox, and it fixed the problem instantly. It's now been running at full speed for about 2 months with no outages.

Just for reference, the Be modem was able to connect at 20Mb and the Cisco has connected at exactly the same speed.

Only just seen this resurrection! Well no, I haven't; if you got lucky with that then I might give them a bell and see if there's anything they can do. Would be nice to not have to use the Thompson...

@Thorpedo - I haven't tried influencing the noise margin on this connection. I tried it back on my old BT line without success, although I might give it another go. The problem I have is that the DSL firmware is known to do this and, to be honest, I can't really be bothered at the moment :P

I'll probably try next week after ringing Be and see if they have any ideas.

- Pea0n
 