
Any ASA gurus here?

brad310

Senior member
At work we're getting an ASA soon, was going to try to pick up some skills since I may be left to manage it. Does anyone know a good book or video training... or other recommendations on how to set it up?

I have a small lab set up already for CCNA so I'm not opposed to adding to it if that is the only way.
 
I'd recommend against an ASA, honestly. There are a LOT of things it doesn't do that a lot of businesses don't realize and decide they need later.

I'd recommend a normal IOS router with the Advanced Security license or maybe a Juniper SRX. A little more expensive, but a LOT more featureful.
 
Depends on what you are doing, things like the initial config and VPN setups have wizards that walk you through the setup, what exactly is your goal and what model are you getting?
 
I'd recommend against an ASA, honestly. There are a LOT of things it doesn't do that a lot of businesses don't realize and decide they need later.

I'd recommend a normal IOS router with the Advanced Security license or maybe a Juniper SRX. A little more expensive, but a LOT more featureful.

I disagree, we use the 5520 in failover pair and it does everything we need and then some.
 
I disagree, we use the 5520 in failover pair and it does everything we need and then some.

Yea, we resell and support a lot of ASAs and the only things that tend to come up as "would be nice" are content filtering, and no the shitty CSC modules don't count since they don't work most of the time, and per-user bandwidth reports. But I believe newer firmware does NetFlow now so that might be taken care of even if you have to map IPs to users after the fact.
 
I'd recommend against an ASA, honestly. There are a LOT of things it doesn't do that a lot of businesses don't realize and decide they need later.

I'd recommend a normal IOS router with the Advanced Security license or maybe a Juniper SRX. A little more expensive, but a LOT more featureful.

Examples as to what a company would use that an ASA doesn't provide?
 
Examples as to what a company would use that an ASA doesn't provide?

ICMP redirect, policy-based routing, and GRE tunnels, to name 3.

There are more, but those are the biggies that ASAs don't do and that SMBs are likely to need.

Someone who only needs them to firewall (routing handled by a layer 3 switch or a multi-tiered network) can get away without those features, for the most part, or someone who only needs a VPN gateway...these two conditions would be the ones under which a 5520 would be useful. But a SMB that may move to an MPLS setup or may require more advanced features will see their investment turn up as useless.

Either way, the Juniper SRX100 is cheaper and more feature-rich than an ASA5505, and would be my recommendation if the company does not want to spend money on an IOS router with Advanced Security featureset.
 
Can I offer the 'PAN's?
The visibility offered by Palo Altos and the ability to restrict/allow based on AD is a big step-up... (for us).
We went from 5510s and 5520s to PAN 3020s and 5020s and haven't looked back.
 
Palo Altos are great, but this thread is pretty old.

Also, Palo Altos have a few limitations as well: no GRE tunnels, and their traffic shaping leaves a bit to be desired (max of 8 classes on egress on the PA-200 at least).
 
Where the PAs shine is the deep packet inspection... they block applications at layer 7, not layer 4 like a lot of firewalls... and their reports are nice 'n' pretty to hand to management 😉
 