Cisco Support Community

ASA 5500

Hi all,

We have gone through tremendous growth with RA VPN clients and decided that SSL VPN will be a better solution for us.

So we started looking and are testing two vendors, Juniper and Aventail. While their products deliver what they promise, I started wondering about ASA, since we are currently running PIX. So I have a few questions about it I hope you can help me with:

1) As far as I see, ASA comes in several 'editions'. Are the 4 editions not just modules or licenses for the same box and IOS? The significance of this is that if we purchase from a different vendor and PIX runs out of steam one day, we will probably upgrade to ASA anyway for its firewall capabilities. We then might sit with two boxes, and both can do SSL VPN. The same applies to IPS. If we do buy ASA, could we some day 'add on' IPS modules if we want to, or is it a new ASA model altogether? Apart from redundancy issues, I am very keen on keeping these things tied together. So instead of going for another vendor, should we go for ASA and add modules as we go along?

2) How does ASA SSL-VPN compare to other vendors? I have seen comparisons (granted, supplied by Juniper putting themselves at the top and Aventail 2nd :). But I cannot really find independent comparisons anywhere.

Thanks a lot for any comments!



Re: ASA 5500

Hi Jacques,

1) The editions idea is partly marketing and certainly confuses a lot of people, but it goes as follows:

* If you need IPS buy an AIP SSM module (this is hardware - you also need a "services for ips" contract to get signatures)

* If you need Anti-X then buy a CSC module (this is hardware, but has a couple of options depending on number of users)

You can only have one of these modules, but it can be added anytime, although it's cheaper to buy an "edition" bundle initially.

The Firewall edition is the vanilla ASA - all the usual features you get with PIX, with license options depending on what you need. The VPN edition is simply a vanilla ASA with an SSL license.

2) As usual, Gartner's magic quadrant makes good reading, even if you don't agree with it:




Re: ASA 5500

Thanks Andrew,

The Gartner report is more or less what Juniper is advertising, so they are probably not blowing their own horn as much as I thought. Still, always good to double check. I must say their device is great, I have not seen ASA SSL VPN yet, but I would like to compare it. Do you (or anyone else reading this) have any comments on functionality? Specifics I am after (in order):

1) Security (i.e. authentication methods - Ideally we want AD and certificate based auth)

2) Reporting. One thing that drove me to look for something else was that there is no effective way to see who is doing what with IPSec. The Juniper device has logs to summarize activity like 'user mike connected to at 17:00' or 'user mike tried to connect to and was denied' etc.

3) Ease of use for users. We need to cater for all levels of users.

4) Ease of installation. Ideally no admin intervention.

5) Host checks. AV levels, OS, browser etc.

Thanks for any comments!