Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


We are in the process of building out our infrastucture to support 3rd parties. In the design we will be adding either 525s for asa's. I am interested in hearing peoples experiences with the ASA, being they are a new product. Specifically the kinds of problems you may have run into.




Re: ASA vs PIX


I dont think you will have any problems using ASA. ASA's are replicas of PIX V7.0 products. The biggest advantage of ASA will be a converged/scalable solution for your network, with the same box doing multiple functionalities. You can definitely save cost if you have an ASA box with SSM , instead of having a PIX and an IPS appliance...

I would advice you to go to ASA. The only drawback i could see in ASA is the cost of the secondary box. YOu need to invest the same money as the primary box, which isnt the case in PIX. The positive side of this is, in case of emergencies, you can plug off the secondary ASA and use it as a fully functional box in any other network, unlike PIX failover unit (which cannot be used as a primary box)

Hope this helps.. all the best..


New Member

Re: ASA vs PIX

one more quesiton on ASA. We are planning to setup one small dedicated network in datacenter.

Can we use ASA appliace without need of border router device? our datacetner provides fast ethernet feed to our cage and no intelligent routing needed.





Re: ASA vs PIX


Yes you can use it as a border device since your just accepting an ethernet connection and are basically a stub network.


New Member

Re: ASA vs PIX

Actually, if you compare the price of a primary PIX 525 to an ASA 5540, the PIX is quite a bit more, but the secondary unit is much less. Whereas the ASA is less expensive but there is no 'Primary/Secondary' pricing. It ends up about the same for a redundant PIX or ASA (without the SSM).

New Member

Re: ASA vs PIX

Hi Marcus,

May be my response is bit late but I think you might find it useful in your context. Some time back I wrote some comments on nww and they are given below:-



Today's focus: Is Cisco's ASA a headache-in-waiting?


Today's focus: Is Cisco's ASA a headache-in-waiting?

By M. E. Kabay

Reader Noman Bari wrote to me some time ago from Karachi,

Pakistan, with a thoughtful comment on Cisco's new

multifunctional ASA security appliance.

Bari has a B.S. in Electronics and has the certifications CCNA,

CCDA, CCNP, CCDP, CCSA,CIW Security Analyst, CompTIA Linux+

Certified and MCSE. With his kind permission and collaboration,

here are his thoughts:

* * *

I am writing this e-mail to learn your views on a new security

box from Cisco. Adaptive Security Appliance (ASA) is a

multi-function security appliance which integrates firewall,

IPSec and SSL VPN, intrusion prevention, virus filtering and

network quarantine in a single device.

I have been thinking about this development from Cisco. Surely

putting all the eggs in one basket is never a good idea.

If all the functionality of security is taken care of by one

single box and if that box gets compromised then it will be a

serious problem. It is widely known that there is no such thing

as 100% security. At some time in the near or distant future we

will hear that there are security holes found in the working of

ASA and they can lead to a security breach.

There will be critics who will say that since ASA comes with all

the bells and whistles it will be extremely hard if not

impossible to compromise its security. But what if a person with

malicious intent is able to do it? And this will happen - it's

just a matter of time.

The job of the marketing guys is to show everyone a rosy

picture. I am not blaming them; it's what they get paid for. But

it's our job as techies to filter out useful stuff from what

they say.

My analysis is that ASA is an excellent device for small to

midsize companies to save costs, for ease of management and so

on, depending upon the nature of their mission-critical work.

However, for enterprise-level security, I would rather go with a

layered approach with multiple defenses to protect my network.

Although I am here in Karachi I believe that effective security

requirements are valid for every organization in any part of the

world. What you and Bruce Schneier write in your security

newsletters is equally useful for me here in Pakistan. My vision

gets broadened.

* * *

Need I [MK] say more? My only comment is "Wow! I got mentioned

in the same sentence as Bruce Schneier! Cool!" Well, OK, that's

not very useful for readers, so here's a link

<> to the

Cisco page describing their ASA 5500 product.

Now take two of those and a glass of water and I'm sure you'll

be fine in the morning.


To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor in the

Division of Business and Management at Norwich University in

Northfield, Vt. Mich. and his Web site is


New information assurance journal - Norwich University Journal

of Information Assurance (NUJIA). See



Hope this helps.


Noman Bari

CreatePlease login to create content