New ASA 55xx

Unanswered Question
May 14th, 2008

I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.

I'm considering upgrading to a ASA 55xx box.

I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with an CSC-SSM-xx because the box only has one SSM slot.

I also need this box to be compatible and take over the peer to peer VPN that the 3725 is doing with my current IOS. I have several remote 87x router connected over ADSL and cable connection with active IOS VPN. My 3725 currently has a AIM VPN card to help the CPU. If I change it to a ASA box will I have to re-configure all the remote 87x routers?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mchin345 Tue, 05/20/2008 - 06:22

I think it will work , make sure the configuration and necssary setings before you proceed.

Bernard Magny Thu, 05/22/2008 - 00:03

Ok, thanks for the VPN info. Now I guess I need 2 ASA 55XX to be able to do both IPS and Content (Anti-X) filtering right?

Is there some design documentation somewhere about this?


None of the ASAs have more than one SSM slot. So, in that regard, yes, you would need two. But I beleive there are other solutions than using 2 ASAs. Content filtering can be done by other systems and appliances (iPrisims, ISA, WebSense, etc). So this may be an alternative. If you have the cards and wish to leverage your current hardware, then a second ASA may be the most economical.

Farrukh Haroon Mon, 05/26/2008 - 22:11

I would use one ASA with the AIP-SSM module.

And then place a seperate Anti-x type of device at the back. Having a seperate ASA for the CSM module is overkill IMHO.

There is no real integration between the CSM/IPS module anyway, so you still have to manage different GUIs. A good option would be to go for IronPort, since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There is'nt any great feedback about the CSM module, most people I know don't like to position it, including some Cisco CSEs themselves(its based on Trend Micro btw)




This Discussion