Cisco ASA 5510

Hi

I'm currently reviewing the suitability of an ASA 5510 and have a couple of (hopefully) straightforward Q's!

How are the various features licensed? There's a million different specifications for the 5510 on a competitor web site, each varying in cost, but it's not really clear what you're paying for. Presumably, the different features such as IPS/IDS, Anti-X etc. cost extra?

Also, if my assumption is true, if you were to buy a 5510 without these features initially, is it possible to activate them further down the line? Is it done with hardware modules as with other Cisco kit?

Sorry for my noobism, but I'm just coming to grips with Cisco kit.

Thanks
 
Check out:
http://www.cisco.com/en/US/docs/security/asa/asa80/license/license80.html#wp82234

Summarised, you're paying for the different numbers of maximum sessions allowed for VPN terminations or Cisco IP telephony connections, whether you want to use strong encryption or use the features that Security Plus gives.

Anti-X is done by the additional hardware Content Security and Control Security Services Module (CSC SSM). Check out the first Q & A of:
http://www.cisco.com/en/US/prod/col...ecd806e76ed_ps9774_Products_Q_and_A_Item.html

or, IPS with the Advanced Inspection and Prevention SSM. Check out:
http://www.cisco.com/en/US/prod/col...s6825/product_data_sheet0900aecd80404916.html

So, you could buy the base 5510 and buy additional licenses/add the additional hardware, but buying a combined bundle will be a lot cheaper than getting each separately. Having said that, Cisco prices are 50%-80% more than what they were a year ago because of the current GBP/USD exchange rate, so you could wait and hope that the prices will come down.
 

I use an SSM-20 module in an ASA5540 at the mo.

To be honest, I am not very impressed with it for the cost. Hence I am now putting an ISA server behind the ASA, as I feel the CSC isn't up to the job.

Andy
 
What makes you say it isn't up to the job?

It's a bit too brash with its filtering IMO. It's either all or nothing, which in most cases is normally fine. However, if you want to block sites in a more granular way it does struggle.

One example.

We block websites depending on whether they are permitted by company policy. However, some websites that we use, even though they have been added to the do-not-filter list, do not function correctly.

Plus, on a side note, the SSM-20 is around 5K. So I would have thought it would have been better IMO. On paper it looked like a good replacement for our ageing Fortinet box. However, this wasn't the case. :(

One reason I am looking to install ISA server as a backend firewall/proxy server is for its more granular approach to blocking items. It can also block traffic using header signatures, for example MSN. Also the fact it integrates into AD, so we can produce usage reports etc....


If it's very simple blocking you're after, I'd say it's fine.

A
 
I did wonder if you were talking about the AIP-SSM or CSC-SSM. The CSC is very basic you are right, the AIP-SSM is quite nice though!
On a cost front the CSC-SSM is a bit of an odd proposition. It must be because Trend made the software and Cisco the hardware that it is so expensive.
I didn't like the spam handling functionality for mail. It was quite simply allow it or delete it. No option to deliver it to an alternative mailbox.
 