Solved

ASA 5505 Pre Purchase Question

Posted on 2007-10-17
Last Modified: 2012-08-14
We just got a T1 line for a small office of about 15 users and I am looking to purchase a firewall device. I've been looking for something that is relatively easy to manage and maintain.

I was recommended the Cisco 1800 but I wanted something more low maintenance and a bit lower in price.

The primary use of this T1 will be for VPN access, and the VPN will be PPTP not IPSec as it is much faster, for a few people who'll need to connect every now and then when they are away from the office; this would be for heavy financial applications. Plus we run a mail server and FTP etc., no heavy use, it's for 10 people.

I am looking to find out if the ASA 5505 will suffice for our needs and would be a good reliable product.

- I need to be able to NAT (we have 3 public IPs for different services), not port forward. Can I do this with the ASA 5505?
- We use a web proxy from another provider so surfing will be minor, but the ASA 5505 says it can be used for anti-spyware and anti-virus. Does this model provide that support?
- Does this provide intrusion detection?
- We are a very closed environment that needs to be highly secure due to the financial nature of the business.

Any other info or clarification would be appreciated.

Thanks in advance.
Question by:z969307
7 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 20097202
hi

Firstly to clarify - your T1 must already be terminated, as an ASA will not terminate a T1 - you must have an edge router/ISP router to do this and provide the Ethernet handover to the firewall.

ASA series does not support PPTP termination - so you cannot use it as a PPTP server (you can use it for pass-through to an internal PPTP server though). Cisco have removed this functionality as IPSec is a far more secure option.

Natting and port forwarding - no problem.

Anti-spyware and anti-virus - the ASA series uses different modules to support different types of functionality - these are not default options but add-ons - VPN concentrator, IDS etc.

Here is an excellent link showing you all of the aspects of the ASA series, the models and spec sheets, the modules and their parameters:
http://www.cisco.com/en/US/products/ps6120/products_data_sheet0900aecd802930c5.html

hth
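Added example, not part of the original thread or of either poster's configuration: a sketch of the one-to-one NAT and PPTP pass-through described in the answer above, in the pre-8.3 ASA CLI syntax current when the thread was written. The interface names `inside`/`outside`, the ACL name `outside_in`, and all addresses (documentation-range public IPs, an assumed 192.168.1.0/24 inside network) are assumptions.

```cisco
! Constructed example. Placeholder addresses:
!   192.0.2.10 -> 192.168.1.10  internal PPTP (RRAS) server
!   192.0.2.11 -> 192.168.1.11  internal mail server
!
! One-to-one static NAT: each service gets its own public IP
! (a full address translation, not a single-port forward).
static (inside,outside) 192.0.2.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 192.168.1.11 netmask 255.255.255.255
!
! Inbound policy: permit only what each translated host needs.
! PPTP requires both the TCP 1723 control channel and GRE (IP protocol 47).
access-list outside_in extended permit tcp any host 192.0.2.10 eq pptp
access-list outside_in extended permit gre any host 192.0.2.10
! Mail server: SMTP only.
access-list outside_in extended permit tcp any host 192.0.2.11 eq smtp
! Everything else inbound is dropped by the implicit deny at the end of the ACL.
access-group outside_in in interface outside
!
! PPTP inspection lets the firewall associate GRE traffic with its
! control connection; it is required when PPTP clients sit behind PAT.
policy-map global_policy
 class inspection_default
  inspect pptp
```

Because the ASA only passes the tunnel through, authentication and encryption strength remain whatever the internal PPTP server enforces.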
 

Author Comment

by:z969307
ID: 20097416
Thanks for the reply.

- The T1 is already terminated out and handed to us via an Ethernet cable by the ISP.  

- I am running an internal Win2k3 RRAS PPTP VPN currently and would like to continue using that.

* I saw the link you provided, thanks, so basically, the ASA 5505 is scaled down and not very modular like the 5510, and I won't be able to add the Content Security Control, that's what I wanted to clarify.

* Also, wasn't sure what IPS was [ Concurrent threat mitigation throughput (firewall + IPS services) ] as it is not available on the 5505, and if it was something that I should be concerned about and should get.

* It also says High Availability not supported, what would this imply?

* Security contexts (included/maximum) 0 on 5505, what is this?

If this can be clarified I would appreciate it.
Thanks
 
LVL 19

Accepted Solution

by:
nodisco earned 750 total points
ID: 20097505
* I saw the link you provided, thanks, so basically, the ASA 5505 is scaled down and not very modular like the 5510, and I won't be able to add the Content Security Control, that's what I wanted to clarify.
Correct - the 5505 is a smaller model aimed at branch offices that do not need the same functionality.

* Also, wasn't sure what IPS was [ Concurrent threat mitigation throughput (firewall + IPS services) ] as it is not available on the 5505, and if it was something that I should be concerned about and should get.
The 5505 doesn't support the AIP-SSM module (for IPS); the first model up to do this is the 5510.

* It also says High Availability not supported, what would this imply?
Active/Active stateless mode is supported from 5510 models up (with the appropriate lic). This allows 2 ASA devices to function together, load balancing requests as well as acting as failover for each other. The 5505 just supports Active/Standby - where the 2nd 5505 comes to life when the primary fails (also requires additional lic).

* Security contexts (included/maximum) 0 on 5505, what is this?
Security contexts are like virtual firewalls. There is one physical device and you can "partition" it into several virtual devices that each have their own interfaces/IPs etc. to manage different network segments - these are called security contexts. Again - only really used in a large office environment - or a classroom situation.

cheers



 

Author Comment

by:z969307
ID: 20097563
Thanks for the clarification. So do you think, in your opinion, the ASA 5505 would be a good choice for my needs? Do you know of any other alternatives in the same price range with similar or better capabilities?
Thanks.
 
LVL 19

Expert Comment

by:nodisco
ID: 20097627
hi

For email, VPN (through a translated PPTP server), small office size and ease of management, the ASA5505 is perfect in my opinion. ASDM GUI for control if you are not comfortable with Cisco CLI etc.

cheers
 

Author Comment

by:z969307
ID: 20098493
Thanks for your assistance, I'll go ahead and get one tomorrow.
Do you think, in conjunction with the PPTP VPN, I can utilize the 2 IPSec VPN that come with it? Do I need to get the Cisco client for that? Is one faster over the other?

If I have more questions I'll post again.
 
LVL 19

Expert Comment

by:nodisco
ID: 20098598
You can use the ASA as an IPSec VPN server. It's no faster or slower than PPTP but it's far more secure.

cheers