Cisco ASA

In a previous (closed) post I was told my Cisco 2651xm is at times reaching 100% utilization.

It was suggested to me to buy an ASA 5505 from eBay. Does the ASA do routing too, or is it just a security appliance? Sorry if this is a stupid question, but before I spend $400 - $900 on a used appliance I want to be sure what I am getting is all in one.


Thanks
mxrider_420 Asked:
mxrider_420 (Author) Commented:
Also, when it says "licensed for 10 users", does that mean 10 IP addresses on the network? I only have, say, 12 users at the office, but we have about 40 IP addresses due to some computers using multiple VLANs, i.e. guest access etc.

For example, when it says
Cisco ASA 5505 Firewall Edition Bundle - 50 User  <--- what does this mean?
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
Yes, it indeed does routing. It is by design a router, and if needed you can run OSPF and EIGRP on the ASA.

50 or 10 means the maximum number of users/IP addresses on the inside of the firewall that are allowed to communicate through the firewall.

/kvistofta
 
mxrider_420 (Author) Commented:
Hmm, so if I have, say, 23 now, buy a 50 or more to start, to be safe?

How has your experience been with these devices vs. a SonicWall NSA240 or TZ210, for example?
 
mxrider_420 (Author) Commented:
If I am running NAT and use private IPs and have only 1 outside IP, does that mean I only have 1 IP that communicates through the firewall? I mean, the rest are all internal IPs that do use the internet etc., but you get the gist of my question. Thanks.
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
If you have 23, you should buy a 50-user ASA. I have no knowledge of SonicWalls, but I know perfectly well how the Cisco ASA works. :-)

/Kvistofta
 
mxrider_420 (Author) Commented:
Finally,

I find that on my Cisco 2651xm router SDM is weak. It doesn't really work as well as the command line. Does the same go for the ASA? Also, I am curious because I see on the Cisco spec page that the ASA 5505 only supports 3 VLANs. I use 3 now, so there is no room to grow. Can that be upgraded?
 
orbistechnology Commented:
Just a caveat - the ASA does *not* do routing in a broad sense. Using it as a "NAT router" - as you would to share a single Internet connection and public IP with a small internal network - it does indeed "route."

However, if you had multiple internal networks, or private links, or even a more elaborate VPN setup, the ASA would *not* allow you to route packets from your internal network to another gateway or interface to another network. The ASA is *not* a true router in the strict sense of a standard IOS router.

The Security Plus license on the ASA 5505 allows up to 20 VLANs.  The chassis with licenses for the sec-plus is around $1000.

ASDM on the ASA is *okay* - you can do most things with it.  Command line on the ASA is pretty strong - good management and diagnostic flexibility.

The limit is on MAC addresses.  Most devices on your network will have a one-to-one correlation of MAC to IP address, so you can think in terms of IP addresses.  However, you could have multiple IPs assigned to a single computer.  That would not count against the license.  The first 50 MAC addresses seen by the 5505 will be "routed" and have Internet access.  Device 51 will simply be ignored by the 5505.  Device 51 could communicate to all local resources, but not traverse the 5505 and reach the Internet.  The assignment is arbitrary: the first 50 devices to be "seen" via the ARP protocol on the 5505 will "pass" while any others will not.
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
In what sense is the ASA not a router? A router has interfaces in multiple IP networks and forwards packets based on a routing table. The ASA does that, with or without NAT. I suggest that you remove all the "*not*"s in your statements above.

Furthermore, the license model of the ASA has nothing to do with its ARP table. Of course communicating devices must show up in the ARP table, but it is not this table that is limited; it is the local-host table.

mxrider_420: Yes, your license can be upgraded from "base" to "security plus".

Best regards
Kvistofta
 
mxrider_420 (Author) Commented:
So if I'm looking for one used on eBay, I should look for one with, say, 50 users and preferably more VLAN capability?

One question, or clarification rather.

Currently I have 3 sub-interfaces on my 2651xm that are VLANed with 802.1Q. I use HP Proliant switches to trunk etc. All I need the router, or, if you assume the upgrade, the ASA, to do is exactly what I have below. Would the configuration below count as 1 strike against the 3 VLANs the 'BASE' config allows? I guess in essence, since the router I have now has 2 WICs, EVERYTHING is plugged into the switch: the internet (ISP) is in one, and the uplink to the 24-port HP switch is the other WIC. I'd assume the same physical config with the ASA for ease of implementation, rather than use any more of the 8 offered ports.

eg:
 interface FastEthernet0/0.5
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 90
 ip address 172.17.17.20 255.255.255.0
 ip access-group 106 in
 ip helper-address 192.168.1.58
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect VLAN90-interneal in
 ip inspect VLAN90-interneal out
 ip virtual-reassembly
 no cdp enable
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
You need to go for the unlimited ASA in order to have 3 or more interfaces without limitations. And the unlimited ASA (Security Plus) doesn't exist in a 10- or 50-user version.

/Kvistofta
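As an added illustration (not from the thread above, and not any participant's config), here is roughly how the 2651xm sub-interface posted earlier would be carried over to an ASA 5505, with the two license-dependent points made explicit. Only VLAN 90 and its addresses come from the post; the outside VLAN 2, the guest VLAN 100 (172.17.18.0/24), the servers VLAN 110 (192.168.1.0/24, assumed to be where the DHCP server 192.168.1.58 lives) and all interface names are assumptions. Two things on the 5505 depend on the license rather than the hardware: the Base license allows three VLAN interfaces, and the third one must be created with `no forward interface` towards one of the other two (so it is effectively a restricted DMZ), and the Base license provides no 802.1Q trunk ports at all, so a single trunked uplink to the HP switch needs Security Plus. Access list 106 is not shown in the thread, so it is not translated here.

```cisco
! Added example: ASA 5505 with Security Plus (8.3+ NAT syntax).
! Assumed VLAN IDs: 2 = outside (ISP), 90 = inside, 100 = guest, 110 = servers.
interface Vlan2
 description ISP (assumed: address by DHCP, default route from the lease)
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan90
 description inside, equivalent of FastEthernet0/0.5 on the 2651xm
 nameif inside
 security-level 100
 ip address 172.17.17.20 255.255.255.0
!
interface Vlan100
 description guest (assumed subnet)
 nameif guest
 security-level 50
 ip address 172.17.18.1 255.255.255.0
!
interface Vlan110
 description servers, where 192.168.1.58 (DHCP) lives (assumed)
 nameif servers
 security-level 90
 ip address 192.168.1.1 255.255.255.0
!
! Base license variant: only three VLAN interfaces exist, and the third
! must be restricted BEFORE it gets a nameif, e.g.
!   interface Vlan100
!    no forward interface Vlan90
!    nameif guest
! A fourth VLAN interface (Vlan110 above) is rejected on the Base license.
!
interface Ethernet0/0
 description ISP
 switchport access vlan 2
!
interface Ethernet0/1
 description 802.1Q trunk to the HP switch - Security Plus only
 switchport mode trunk
 switchport trunk allowed vlan 90,100,110
!
! Replaces "ip helper-address 192.168.1.58" on the IOS sub-interface.
dhcprelay server 192.168.1.58 servers
dhcprelay enable inside
dhcprelay enable guest
!
! Replaces "ip nat inside": PAT every internal subnet behind the single outside IP.
object network inside-net
 subnet 172.17.17.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network guest-net
 subnet 172.17.18.0 255.255.255.0
 nat (guest,outside) dynamic interface
object network servers-net
 subnet 192.168.1.0 255.255.255.0
 nat (servers,outside) dynamic interface
!
! Verification after install (run from enable mode):
!   show version | include Hosts|VLAN|Trunk   -> licensed inside hosts, VLAN and trunk-port limits
!   show local-host                           -> the table the 10/50-user limit is enforced on
```

The `show version` check is the one to run before paying for a used unit: the license limits (inside hosts, maximum VLANs, trunk ports) are printed there, and a chassis advertised as "50 user" or "Security Plus" on eBay is only what that output says it is.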
 
piersonm Commented:
While you're shopping on eBay, consider looking for an ASA 5510. This may offer a little more scalability for your office.
 
mxrider_420 (Author) Commented:
The 5510 is out of our budget, and we can get similar functionality from other vendors for cheaper. The 5505 seems great. But to clarify: does the ASA 5505 with the Plus license allow unlimited users by default? If so, I will proceed with the ASA.

thanks
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) Commented:
Yes, the "Security Plus" license allows an unlimited number of users.

/kvistofta
 
mxrider_420 (Author) Commented:
Thanks for your patience with me; I know I am asking a lot here. I just want to be well informed before I spend money, so thanks in advance.

My FINAL question is: with Security Plus, how many VLANs are enabled by default?