Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
683
Views
5
Helpful
2
Replies

ASA 5500

jacquesd
Level 1
Level 1

‎01-30-2007 09:14 AM - edited ‎03-11-2019 02:26 AM

Hi all,

We have gone through tremendous growth with RA VPN clients and decided that SSL VPN will be a better solution for us.

So we started looking and are testing two vendors, Juniper and Aventail. While their products deliver what they promise, I started wondering about ASA, since we are currently running PIX. So I have a few questions about it I hope you can help me with:

1) As far as I see, ASA comes in several 'editions'. Are the 4 editions not just modules or licenses for the same box and IOS? The significance of this is that if we purchase from a different vendor and PIX runs out of steam one day, we will probably upgrade to ASA anyway for its firewall capabilities. We then might sit with two boxes, and both can do SSL VPN. The same applies to IPS. If we do buy ASA, could we some day 'add on' IPS modules if we want to, or is it a new ASA model all together? Apart from redundancy issues, I am very keen on keeping these things tied together. So instead of going for another vendor, should we go for ASA and add modules as we go along?

2) How does ASA SSL-VPN compare to other vendors. I have seen comparisons (granted, supplied by Juniper putting themselves at the top and aventail 2nd :). But I cannot really find independant comparisons anywhere.

Thanks a lot for any comments!

Jacques

Labels:
0 Helpful
2 Replies 2

andrew.burns
Level 7
Level 7

‎01-30-2007 05:00 PM

Hi Jacques,

1) The editions idea is partly marketing and certainly confuses a lot of people, but it goes as follows:

* If you need IPS buy an AIP SSM module (this is hardware - you also need a "services for ips" contract to get signatures)

* If you need Anti-X then buy a CSC module (this is hardware, but has a couple of options depending on number of users)

You can only have one of these modules, but it can be added anytime, although it's cheaper to buy an "edition" bundle initially.

The Firewall edition is the vanilla ASA - all the usual features you get with PIX, with license options depending on what you need. The VPN edition is simply a vanilla ASA with an SSL license.

2) As usual, Gartner's magic quadrant makes good reading, even if you don't agree with it:

http://mediaproducts.gartner.com/reprints/juniper/vol2/article3/article3.html

HTH

Andrew.

jacquesd
Level 1
Level 1
In response to andrew.burns

‎01-31-2007 08:54 AM

Thanks Andrew,

The Gartner report is more or less what Juniper is advertising, so they are probably not blowing their own horn as much as I thought. Still, always good to double check. I must say their device is great, I have not seen ASA SSL VPN yet, but I would like to compare it. Do you (or anyone else reading this) have any comments on functionality?Specifics I am after (in order):

1) Security (ie. authentication methods - Ideally we want AD and certificate based auth)

2) Reporting. One thing that drove me to look for something else was that there is no effective way to see who is doing what with IPSec. The Juniper device has logs to summarize activity like 'user mike connected to mail.company.com at 17:00' or 'user mike tried to connect to finance.company.com and was denied' etc.

3) Ease of use for users. We need to cater for all levels of users.

4) Ease of installation. Ideally no admin intervention.

5) Host checks. AV levels, OS, browser etc.

Thanks for any comments!

Jacques

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card