New Member

New ASA 55xx

I currently have a 3725 + the NM-CIDS module doing my firewall / IPS / VPN.

I'm considering upgrading to an ASA 55xx box.

I was reading the product page, and it does not seem that I can have one ASA box that does both the IPS with an AIP-SSM-xx and the anti-virus with a CSC-SSM-xx because the box only has one SSM slot.

I also need this box to be compatible and take over the peer-to-peer VPN that the 3725 is doing with my current IOS. I have several remote 87x routers connected over ADSL and cable connections with active IOS VPN. My 3725 currently has an AIM VPN card to help the CPU. If I change it to an ASA box, will I have to re-configure all the remote 87x routers?



Re: New ASA 55xx

I think it will work; make sure of the configuration and necessary settings before you proceed.

New Member

Re: New ASA 55xx

OK, thanks for the VPN info. Now I guess I need 2 ASA 55xx to be able to do both IPS and Content (Anti-X) filtering, right?

Is there some design documentation somewhere about this?


New Member

Re: New ASA 55xx

None of the ASAs have more than one SSM slot. So, in that regard, yes, you would need two. But I believe there are other solutions than using 2 ASAs. Content filtering can be done by other systems and appliances (iPrisims, ISA, WebSense, etc). So this may be an alternative. If you have the cards and wish to leverage your current hardware, then a second ASA may be the most economical.

Re: New ASA 55xx

I would use one ASA with the AIP-SSM module.

And then place a separate Anti-x type of device at the back. Having a separate ASA for the CSM module is overkill IMHO.

There is no real integration between the CSM/IPS module anyway, so you still have to manage different GUIs. A good option would be to go for IronPort; since they are now part of Cisco, there might be some neat integrations coming along in the future (giving you more value for money). There isn't any great feedback about the CSM module; most people I know don't like to position it, including some Cisco CSEs themselves (it's based on Trend Micro, btw).


