We are a solution provider and the Cisco ASA Firewall is one of the security products that we implement for our customers. My clients use it for security, and also to establish VPN connections.
Senior Manager of Network at a tech company with 1,001-5,000 employees
ASA5505 Multipurpose Robust Firewall for small office or small organization requiring network security
Cisco ASA 5505 overview
Selecting a new firewall is a matter of individual requirements and preferences. For a small office it is economical to have a single device with small switch and firewall capability. The Cisco ASA 5505 is perfectly suitable for a small office as it has an 8-port switch for connecting end devices, two ports of which have PoE capability for connecting Cisco IP phones or an external wireless access point. It has an expansion slot for connecting an IPS (Intrusion Prevention System). With the additional IPS card (AIP SSC-5), the IPS protects from viruses, worms, Trojans and DDoS attacks. All these features make it a truly multipurpose firewall for a small office.
Pros:
1) Is small in size and light in weight, requires less space suitable for small office.
2) Has integrated 8 port Switch so no need to purchase additional switch.
3) Has 2 PoE ports, so IP phones or external wireless access points can be connected.
4) If the IPS card is installed it gives protection from viruses, Trojans, worms and DDoS.
5) It supports 3 VLANs; traffic can be separated per VLAN.
6) Can be easily configured through SDM
7) Last but not least, it is a very robust system; once installed it does not need much attention.
Cons:
1) ASA5505 does not support expansion.
2) ASA5505 does not support failover (active/active or active/standby).
3) ASA5505 does not support multimode.
4) Heavy CPU load and packet latency due to addition of IPS.
5) The ASA 5505 does not support Spanning Tree Protocol for loop detection in the network.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Consulting Engineer at a comms service provider with 201-500 employees
Easy to configure, good VPN capabilities, and the antimalware features provide extra security
Pros and Cons
- "The most important feature is the VPN connection."
- "I would like to see the inclusion of a protocol that can be used to protect databases."
What is our primary use case?
How has it helped my organization?
My client is in the financial sector and all of the connections are done using the VPN. This type of access makes the connections more secure.
What is most valuable?
The most important feature is the VPN connection.
My clients also use the antimalware features and the scan is very good. It also supports packet inspection and IPS.
Cisco ASA is easy to configure.
The integration with the security features is something that I like.
What needs improvement?
The SecureX ASA administration platform should be improved.
The orchestration of modules should be improved.
I would like to see the inclusion of a protocol that can be used to protect databases. This would be a good feature to have added.
For how long have I used the solution?
We have been working with the Cisco ASA Firewall for approximately three years.
What do I think about the stability of the solution?
I have not had problems with stability, although I have had some small issues with bugs. In general, I can operate without a problem.
What do I think about the scalability of the solution?
It is very easy to scale this product. With SMC, you can control all levels of ASA in a central console. You can simply add a new ASA firewall to protect your network, and you will be able to control it.
We have approximately 300 users.
My clients for this solution are medium-sized organizations.
How are customer service and technical support?
I have not been in contact with technical support but I use the implementation guide. I have also used the community support and I think that it's okay. The information that I received about the configuration was good.
Which solution did I use previously and why did I switch?
Prior to Cisco ASA, my client was using Fortinet FortiGate. They switched because there were complaints about the connection being slow.
How was the initial setup?
The complexity of the setup depends on the needs and requirements of the client.
When a client does not know exactly what is needed, the complexity increases because the configuration is not clear. You really have to have a good understanding of what the client needs before configuring it.
If the model does not have SMC then it is complex to configure.
The length of time for deployment also depends on the requirements, but it will usually take between three days and one week.
What's my experience with pricing, setup cost, and licensing?
This is an expensive product, although when you buy this solution, you can do many things so it provides good value for the investment.
Which other solutions did I evaluate?
My clients did evaluate other options but ultimately chose this product. Other than the VPN connection, I don't know the reasons for this decision.
What other advice do I have?
I can recommend this product because it is one of the most stable firewalls on the market. The suitability, however, depends on the environment and what is needed.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Cisco Secure Firewall
November 2024
Learn what your peers think about Cisco Secure Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,562 professionals have used our research since 2012.
C.T.O at Sastra Network Solution Inc. Pvt. Ltd.
Reliable and easy to use with good security features
Pros and Cons
- "It is very stable compared to other firewall products."
- "They need a user-friendly interface that we could easily configure."
What is our primary use case?
We are using Cisco ASAv in our company and have deployed it for many of our customers. They are in both government and the private sector.
The deployment method varies depending on the customer's needs. For the government, it's through the government cloud while others are on-premises.
What is most valuable?
It is very stable compared to other firewall products.
It has good security features.
The firewall features make it easy for the users to work on it.
What needs improvement?
The interface needs improvement. I would like a better interface for Cisco. Other solutions such as Palo Alto have a user-friendly dashboard.
They need a user-friendly interface that we could easily configure.
It would be beneficial to have some of the features that Cisco has, integrating with other types of security.
For how long have I used the solution?
I have been using this solution for approximately eight years.
What do I think about the stability of the solution?
It's a very stable solution out of the box and we have not had any issues in our deployment.
We have 86% of the devices being used simultaneously.
What do I think about the scalability of the solution?
It's scalable based on the type of license and modules that you require.
We don't have the option to update the box, but we can add features such as antivirus protection.
How are customer service and technical support?
We have contacted technical support for some issues outside our technical expertise, mostly for updating the license.
We have a team that handles our issues.
What's my experience with pricing, setup cost, and licensing?
We work on a case-by-case basis and have good offers from Cisco.
It's very competitive with other products.
What other advice do I have?
They should incorporate it with FortiGate, or Sophos firewalls.
If they are looking for a layer 7 type of security then they need to go with another solution.
I would rate Cisco ASAv a nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Technical Manager at a comms service provider with 501-1,000 employees
Offers good security and stability
Pros and Cons
- "What I like about Cisco is the security zone. By default when you configure it, it gives you a security zone, which other firewalls don't have."
- "I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than with ASAv."
What is most valuable?
One of the important aspects when deploying a Cisco ASA firewall is that it obliges you at the beginning to define your security level, which will make it easier when making your security policy (traffic allowed from source to destination).
A security level defines how trusted an interface is in relation to another interface on the Cisco ASA.
The higher the security level, the more trusted the interface.
The highest security level is “Security Level 100”.
Nowadays other firewall manufacturers try to adopt the same deployment principle as the Cisco ASA with security levels; however, the Cisco ASA does have other interesting features which I think are very useful:
- Firepower services
- Security context
- Firepower management
What needs improvement?
Normally in terms of design, the user prefers to use Cisco ASAv as a border router or a border firewall, because you have two different kinds of firewalls. You have a firewall when the data communication enters the network, and then you have a firewall, for when you've been inside the network. So, for the inside network firewall, Check Point is better because it can make a better notation of your network infrastructure. But, for the incoming data, or border firewall, ASAv is better. In terms of improving the interface, if you compared to the Check Point file, then I think that ASAv should be better. They should improve the interface so that it's similar to the Check Point firewall.
For how long have I used the solution?
I've been using the solution for the past three years.
What do I think about the stability of the solution?
The Cisco ASAv is really stable, especially if you compare it to Check Point. Not long ago Check Point did release one virtual firewall, and the virtual firewall of Check Point is not stable.
The hardware version of the firewall is more stable than the virtual one. In terms of the data center, many companies have a virtual data center in a group environment. Many companies want to have a virtual firewall, but the one from Check Point, in comparison to Cisco, is not stable at the moment.
What do I think about the scalability of the solution?
The solution is really scalable.
How are customer service and technical support?
I haven't dealt with technical support. We just check online, and if we have to contact Cisco about major issues, it's an internal department dealing with that. I don't know how technical support is, because our technical support team is located in Sofia, and I am in the Netherlands, so I don't have any view on that.
How was the initial setup?
The setup is always different. If you have a small company, the setup is quite easy, but if you have a bigger company the setups are quite complex. Cisco is pretty good in routing. So in bigger situations, configuring the ASAv file is pretty straightforward.
The deployment also depends on the customer's site. So, the time changes because most of the time we have to do a migration. For example, some customers have an old firewall, and you have to migrate things to a new one. And sometimes, it's just copy/paste, but in some situations, we cannot migrate all firewall configurations to a new one.
In terms of how many people you need for deployment and maintenance, again, it's dependent on the company strategy around the help desk. You should have a maintenance engineer who should be part of a team. The deployment will be done in a team. You can have one person to do the deployment but usually, you always have a backup, so it would be two. And then, for the maintenance, it can be one person or two. The maintenance can be done on the site desk, operating after office hours, so it depends.
What other advice do I have?
It's difficult to give specific advice on the solution because it always depends on the design solution and the strategy. So what I would recommend is to use different firewalls and to use Cisco ASAv as a border firewall.
I would rate this solution as 7.5 out of 10. I wish the Cisco interface was not so granular. Check Point was easier to create specific rules than on ASAv, so that's why I say this. If you want to make things easier for an engineer, you always have to work on the interface. But the product, in and of itself, there's nothing wrong with it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Presales Engineer
Monitoring via the dashboard enables customers to see what is happening in the system
Pros and Cons
- "It's lacking one feature: VPN. Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good."
What is our primary use case?
The use case has been for the banking sector, for one of our banking customers. According to them, it's working perfectly.
What is most valuable?
Monitoring, of course - the dashboard. It enables you to see what is happening.
What needs improvement?
It's lacking one feature: VPN. That is a feature we're looking for. Otherwise, the new devices have very good support, and the performance is quite good.
Also, the 2100 Series lacks a DDoS feature. If they could add that to those platforms, that would be good.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
So far, since we installed it, there have been no issues.
What do I think about the scalability of the solution?
In terms of scalability, it is really expensive. It is scalable, but when it comes to pricing, the upgrading is a bit high.
How was the initial setup?
It's not straightforward. You need to know what you're doing, you need to be trained. I don't know for other vendors whether it's the same issue, but for Cisco you have to be trained on the system.
Which other solutions did I evaluate?
Check Point and Fortigate. Generally, our customers choose Firepower because they've seen the system work somewhere before, and they see it is stable and working perfectly. Those are the reasons they opt for Firepower.
What other advice do I have?
There are other solutions, like Fortigate, which are very good solutions, and cheaper for the customer. Even the support via subscription is favorable, in terms of pricing. I would really advise the customer to do some research first and come up with the best solution for their needs.
I rate Firepower as an eight out of 10. It is a good solution but it is expensive compared to other products, like Fortigate. Still, some of our customers do prefer Firepower over the others.
Disclosure: My company has a business relationship with this vendor other than being a customer: Solutions provider/integrator.
Works at a comms service provider with 1,001-5,000 employees
Clustering architecture which offers zero downtime upgrades, keeping uptime close to 99.999%
Pros and Cons
- "Clustering architecture which offers zero downtime upgrades, keeping uptime close to 99.999%."
- "REST API offering with rich capabilities which makes the product very robust."
- "ASDM needs to be able to customize applets."
- "REST API stability needs improvement in order for customizing resource allocation available to the user rather than just being there transparently. This way users can customize REST API and tailor it to their needs."
What is our primary use case?
Service Provider Operations manipulating thousands of firewall rules deploying Network Access Translations (NAT) for various multiservice networks.
How has it helped my organization?
- Easy and fast to deploy.
- User-friendly GUI
- REST API offering with rich capabilities which makes the product very robust.
What is most valuable?
Clustering architecture which offers zero downtime upgrades, keeping uptime close to 99.999%. This creates less stress on operations and network stability throughout the various maintenance tasks.
What needs improvement?
ASDM needs to be able to customize applets.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
REST API stability needs improvement in order for customizing resource allocation available to the user rather than just being there transparently. This way users can customize REST API and tailor it to their needs.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Specialist
It has an important role as a firewall and it improves our access control.
What is most valuable?
The security features are valuable because it is easy to use and it has an important role as a firewall.
How has it helped my organization?
It has improved our access control.
What needs improvement?
It would be useful to gather all security features in one box. For example, certain features like URL filtering and application control licenses need to be purchased separately and it depends on the hardware spec, as not all models are supporting these two features. This causes the user to be highly dependent on the pre-sales person.
For how long have I used the solution?
We have been using the solution for six years.
What do I think about the stability of the solution?
We did not encounter any issues with stability.
What do I think about the scalability of the solution?
We had a scalability issue, as each feature is based on license or hardware support.
How are customer service and technical support?
I would rate the technical support at 8/10.
Which solution did I use previously and why did I switch?
We did not use a previous solution.
How was the initial setup?
The setup was straightforward with two layers of firewall.
What's my experience with pricing, setup cost, and licensing?
It is too pricey if you want to activate more features in a box, which necessitates you to purchase a license.
Which other solutions did I evaluate?
We evaluated Palo Alto and CheckPoint.
What other advice do I have?
Know what features are needed, and then purchase the necessary hardware and license.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
System and Network Administrator at a hospitality company with 501-1,000 employees
It gives us the ability to do Lan-to-Lan VPN, but it needs support for automation tools, such as Puppet.
What is most valuable?
It gives us the ability to do lan-to-lan VPN.
How has it helped my organization?
So far it has proven to be rock solid and relatively easy to maintain.
What needs improvement?
- Support for automation tools (Puppet)
- More granular logging
For how long have I used the solution?
I've used ASA for four years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: 8/10
Technical Support: 8/10
Which solution did I use previously and why did I switch?
We moved our VPN termination from a Cisco ASR to an ASA. We switched because the ASR was not scalable and we realized it was a bad idea to use the same device for routing and VPN termination.
How was the initial setup?
The most complex part was figuring out the failover and what NAT mode to implement.
What about the implementation team?
We did it in-house.
What's my experience with pricing, setup cost, and licensing?
Licenses and prices are pretty high. I understand the validity of the product, so I can't complain much.
Which other solutions did I evaluate?
No options were evaluated. We heavily rely on Cisco hardware for our infrastructure.
What other advice do I have?
I'd say it would be very beneficial to possess certification such as CCNP Security, at least, to get the most out of it. It's a complex product which requires good knowledge of procedures and best practices. Being a CCIE R&S I know the value of those certifications, and I wish I had a CCNP Security to better handle the task.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
We have a 5520 with IPS installed. You are right about the CPU load with the IPS addition. It really maximizes the CPU utilization of the system, which can be a cause for concern. We've also had the IPS fail at some point due to a vulnerability. It was later patched with a firmware upgrade.
Fairly expensive, but will get the job done if you know how to configure it. Also recommend to have an HA set-up if protecting critical infrastructure. Might be expensive, but probably a good addition if you already have a Cisco-dominated environment. You should have it protecting you from the outside and use a separate in-line IPS if you want to protect the inside network.