Old 23rd October 2008, 16:11 #61
Posted by jassi (BHPian, Melbourne)
Quote:
Originally Posted by Samurai
Ok, I have to pick between these:

ASA5505-BUN-K9 ASA 5505 Appliance with SW, 10 Users, 8 ports, 3DES/AES
ASA5505-50-BUN-K9 ASA 5505 Appliance with SW, 50 Users, 8 ports, 3DES/AES
ASA5505-UL-BUN-K9 ASA 5505 Appliance with SW, UL Users, 8 ports, 3DES/AES

Since I don't understand how these user licenses apply, I don't know how many licenses I would need.

Say I am putting 100 devices on internal LAN and about 10 devices on the public network. How many user licences do I need?
Hi Samurai - pasting one of the private messages I sent you for the benefit of others
"I know the user licensing, which is only on this specific model, is a bit confusing. However I remember from my Checkpoint days that Checkpoint had user licensing on all their models and the way it was counted was "how many inside users is the firewall protecting from the outside world", and even if the users would be NATted on some other device behind the firewall, they would still get counted (not technically, but as a legal liability if audited).
Cisco only does user licensing on the 5505 to give various price points to their smaller customers. The way they measure it is the number of "SIMULTANEOUS" user nodes passing traffic to the internet. So if you have 100 users who will be browsing out to the interweb at the same time, then you need unlimited licenses (you can't opt for 10 or 50 in this case). If you have users working in shifts of 50 passing traffic to the internet, then you need a 50 user license.
Also if you need more connections and VLANs as well as advanced DMZ options and the ability to club 2 ASA5505s in a failover pair and the ISP redundancy feature, get the Security Plus license. This is provided as an option because most of the small 5505 deployments don't need these. You can get the Sec Plus license later if you feel the need, or get the bundled unlimited user ASA 5505 with the Sec Plus license on day 1 itself (the cost in the bundle or as an add-on stays the same).
ASA5505-SEC-BUN-K9 - ASA 5505 Sec Plus Appliance with SW, UL Users, HA, 3DES/AES
If your dealer is not a Cisco reseller, then make sure he quotes for direct Cisco SMARTnet support, so that you can open cases with Cisco 24x7 on a need basis and get next business day replacement in case of complete failure or if TAC deems it necessary (a lemon ASA is very rare)."
Old 23rd October 2008, 16:28 #62
Posted by autoenthusiast (BHPian, Goa)
Jeez, I was just compiling an answer for the licensing and you beat me to it, Jassi. Are you glued to this thread or something?
Old 23rd October 2008, 16:42 #63
Posted by given2fly (BHPian, Pune)
So I see that you have been convinced to buy the Cisco ASA 5505. As much as I should be happy that you finally got your solution, I am saddened to see you sold on a poor solution. I do respect Jassi's experience, but I can also see him playing favourite with Cisco, not sure why. Everyone has their own preference and I'm sure he likes their products more, which are not necessarily the best.

Anyway, below are the details of Juniper's Bangalore office. Have a word with them on the SSG 5 and 20 before you finalize on the Cisco product. The SSG 5 is entry level and you have the option of adding wireless support also. The SSG 20 is a bit more advanced.

Juniper Networks :: Bangalore,India

For a demo of the product & official price list, you can visit the following web-site where they have details on testing the same.

Juniper SSG 5 - Pricing & Information

Ingram Micro is one of their vendors worldwide, so you can contact them using the following link.

Southern Branches

Would love to know how you are going to implement the solution. Of course, without the innards of routing tables and permissions, etc.
Old 23rd October 2008, 17:50 #64
Posted by jassi (BHPian, Melbourne)
Quote:
Originally Posted by given2fly
I do respect Jassi's experience, but I can also see him playing favorite with Cisco, not sure why.
I am not very heavily into Juniper and I still believe Checkpoint has more experience in making better firewalls. I would have gladly helped him decide on a checkpoint model however with their pricing and expensive user licensing, I feel a Cisco solution will make more sense. Technically I see nothing poor about a Cisco solution vis a vis checkpoint or Juniper.
The Juniper SSG 5/20 datasheet is here
http://www.juniper.net/products/inte...eet/100176.pdf
What in your opinion makes Juniper any more suitable to the requirement here than an ASA 5505 or a Checkpoint or a Fortinet for that matter?
Old 23rd October 2008, 20:48 #65
Posted by Samurai (Team-BHP Support, Bangalore/Udupi)
Are there any independent comparisons between Juniper SSG vs Cisco ASA?

Why do you call Cisco ASA 5505 poor solution? What concerns do you see?
Old 23rd October 2008, 21:03 #66
Posted by jkdas (Senior - BHPian)
Quote:
Originally Posted by Samurai
Are there any independent comparisons between Juniper SSG vs Cisco ASA?

Why do you call Cisco ASA 5505 poor solution? What concerns do you see?
Cisco is easy to work with.

Juniper is better at FW as per experts.
Old 23rd October 2008, 21:17 #67
Posted by autoenthusiast (BHPian, Goa)
Quote:
Originally Posted by Samurai
Are there any independent comparisons between Juniper SSG vs Cisco ASA?

Why do you call Cisco ASA 5505 poor solution? What concerns do you see?
I really don't see how ASA can be a poor solution, I have seen hundreds of them (PIX & ASA) across all different models (515E, 525, 535, 5505, 5510, etc) and using different kinds of connectivity, deployed in a gigantic enterprise environment with no issues.

Samurai, if I were you, I wouldn't worry too much about it. My suggestion is that if the pricing suits your budget, go full steam ahead. In terms of Cisco TAC support, they are extremely responsive and good at what they do, you'd only need to buy a support agreement on a yearly basis.

Just one thing though is getting someone technically conversant to configure it well, that's the most important thing.
Old 23rd October 2008, 22:16 #68
Posted by jassi (BHPian, Melbourne)
Quote:
Originally Posted by Samurai
Are there any independent comparisons between Juniper SSG vs Cisco ASA?

Why do you call Cisco ASA 5505 poor solution? What concerns do you see?
Samurai - comparisons are never independent - they are always biased by the evaluator's mindset - even the so-called independent reports from Miercom, Gartner, etc. - this is why I have recommended the Common Criteria Evaluation Assurance Level certs and, more importantly, the security target of evaluation for the device's EAL cert. This is one of the very few unbiased evaluations with no qualitative opinions used anywhere. I have read through 100s of reports and have seen a very, very rare independent report - nothing which cannot be paid off. CC EAL certs are the only things which cannot be influenced by money.

I have also noticed that if you start with a mindset of finding fluff against a vendor you will find enough of it against each and every one of them. The same applies if you wanted to find good points on a vendor - the internet can sometimes be quite misleading and confusing, and not one vendor out there is perfect or the "best corporate firewall". It's always what best suits your requirement and gives all the knobs you need.

Last edited by jassi : 23rd October 2008 at 22:24.
Old 6th February 2009, 16:51 #69
Posted by Samurai (Team-BHP Support, Bangalore/Udupi)
My local vendor took 3 months to deliver the Cisco ASA 5505 equipment.

When I connect the appliance to the PC, for some reason the appliance is not providing a DHCP address. However, I can connect using serial port using telnet(Putty). But for ASDM, the DHCP needs to work.

I thought by default DHCP provider would be enabled. Any idea how to enable this?
Old 6th February 2009, 22:49 #70
Posted by jassi (BHPian, Melbourne)
Did you try the ASA 5505 getting started guide here?
Cisco ASA 5505 Getting Started Guide, 8.0 [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

I am not sure if the 5505s have a console port - did you check? Also, by default DHCP is pre-configured on ASAs. If the link above does not help, just call Cisco TAC and they will guide you.

Edit - 5505 does have a console port Cisco ASA 5505 Getting Started Guide, 8.0 - Installing the ASA 5505 [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
just connect and give it an ip addy and enable management access on the inside interface

Edit 2 - just give the pc a static ip addy as mentioned here Cisco ASA 5505 Getting Started Guide, 8.0 - Installing the ASA 5505 [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
192.168.1.2 should do and make sure you are connected to ports 1 through 7 not port 0 as that is configured as outside. Try and then connect ASDM - blank username and password by default i guess on the 5505

Last edited by jassi : 6th February 2009 at 23:03.
Old 7th February 2009, 00:21 #71
Posted by josepeter (BHPian, Hyderabad)
Cisco ASA is cisco's latest jab at a real firewall; after their first attempt with the PIX series. But it is still just a router with fancy access lists. As far as manageability is concerned ASA is nowhere near industry leaders like Checkpoint and Juniper Netscreen. ASA has two GUI options for management, ASDM and CSM - both of which are not user friendly. Let me list down the issues currently faced with ASAs:

1. Rules put in using command line can get erased if edited in the GUI.

2. There is a CPU usage bug in the current stable release which has no fix.

3. Management connectivity is tricky in HA mode.

4. Live transaction analysis isn't intuitive.

IMO the ASA platform needs to stabilise; it will eventually!

In comparison, Netscreen has much better manageability, robust performance and an intuitive HTTP interface; if the SSG5 matches the ASA 5505 in price, it is the better option. You can also run Netscreens in Layer 2 mode (transparent mode) and forget about routing, which is also better for a perimeter firewall due to its stealthy nature.
Old 7th February 2009, 12:52 #72
Posted by Samurai (Team-BHP Support, Bangalore/Udupi)
Quote:
Originally Posted by jassi
192.168.1.2 should do and make sure you are connected to ports 1 through 7 not port 0 as that is configured as outside. Try and then connect ASDM - blank username and password by default i guess on the 5505
Wow! Two days of banging my head and this is what worked, I was connected to port 0. Thanks boss.

Now that I am checking it out, I realise I may not have the adequate license.

This is what I have:

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

I was hoping to connect both the Reliance and Airtel ISPs in failover mode, but now I see dual ISPs is disabled. I also want to be in permanent VPN connectivity to my US office network.

Do I have enough licenses for two ISPs, DMZ, internal LAN and permanent VPN connectivity to two different US offices?

Can Cisco TAC help me with these queries? What is their local number by the way?
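The licence output quoted in the post above, together with jassi's "simultaneous inside users" counting rule from post #61, can be checked mechanically rather than by eyeballing. The following Python script is an added example and is not code from the thread or from Cisco: it parses the "Licensed features" block exactly as posted, picks the 5505 user tier (10, 50 or Unlimited) for a given peak of inside hosts, and compares the Base licence against the deployment described here (two ISPs, a DMZ, two permanent site-to-site tunnels). Assumptions: the "Key : Value" layout is what the appliance prints, the plan figures (100 inside devices from the earlier quote, two US offices) come from the thread, and the sample text is embedded as constructed input.

```python
"""Check an ASA 5505 licence report against a planned deployment (added example)."""
import re

# Constructed sample input: the "Licensed features" section as quoted in the
# thread for a Base-licence ASA 5505. Assumption: the parser only relies on the
# "Key : Value" layout, so any report in that shape can be fed in.
LICENSE_OUTPUT = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.
"""

# Inside-host tiers sold for the 5505 as listed in the thread (10, 50, UL).
USER_TIERS = (10, 50)


def parse_license(text):
    """Map each 'Feature : Value' line to a dict; lines without a value are skipped."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9 /-]*?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            features[m.group(1)] = m.group(2)
    return features


def license_edition(text):
    """Return the edition named in the trailing summary line, e.g. 'Base'."""
    m = re.search(r"This platform has an? (.+?) license\.", text)
    return m.group(1) if m else None


def user_tier_needed(simultaneous_inside_hosts):
    """Smallest licensed tier covering the peak number of inside hosts passing
    traffic at the same time (jassi's counting rule), else 'Unlimited'."""
    for tier in USER_TIERS:
        if simultaneous_inside_hosts <= tier:
            return tier
    return "Unlimited"


def _limit(value):
    """'50' -> 50; a non-numeric value such as 'Unlimited' -> None (no cap)."""
    return int(value) if value.isdigit() else None


def check_plan(features, plan):
    """Compare parsed licence features with a deployment plan.
    Returns {requirement: (ok, detail)}; only requirements in the plan are reported."""
    results = {}

    cap = _limit(features.get("Inside Hosts", "Unlimited"))
    ok = cap is None or plan["peak_inside_hosts"] <= cap
    results["inside_hosts"] = (ok, f"peak {plan['peak_inside_hosts']} vs licensed "
                                   f"{'Unlimited' if cap is None else cap}")

    if plan["dual_isp"]:
        ok = features.get("Dual ISPs") == "Enabled"
        results["dual_isp"] = (ok, f"Dual ISPs : {features.get('Dual ISPs')}")

    if plan["dmz"]:
        vlan_field = features.get("VLANs", "0")
        vlan_count = int(vlan_field.split(",")[0])   # inside + outside + DMZ need 3
        detail = f"{vlan_count} VLANs licensed"
        if "Restricted" in vlan_field:
            detail += "; DMZ Restricted flag set, check the Base-licence VLAN limits"
        results["dmz"] = (vlan_count >= 3, detail)

    cap = _limit(features.get("VPN Peers", "0"))
    ok = cap is None or plan["site_to_site_tunnels"] <= cap
    results["vpn_peers"] = (ok, f"{plan['site_to_site_tunnels']} tunnels vs {cap} licensed peers")

    if plan["failover_pair"]:
        ok = features.get("Failover", "Disabled") != "Disabled"
        results["failover"] = (ok, f"Failover : {features.get('Failover')}")

    return results


# Constructed plan from the thread: ~100 inside devices, two ISPs, a DMZ,
# permanent VPN to two US offices, a single appliance (no failover pair).
SAMURAI_PLAN = {
    "peak_inside_hosts": 100,
    "dual_isp": True,
    "dmz": True,
    "site_to_site_tunnels": 2,
    "failover_pair": False,
}

if __name__ == "__main__":
    feats = parse_license(LICENSE_OUTPUT)
    print(f"Licence edition: {license_edition(LICENSE_OUTPUT)}")
    print(f"User tier needed for {SAMURAI_PLAN['peak_inside_hosts']} simultaneous hosts: "
          f"{user_tier_needed(SAMURAI_PLAN['peak_inside_hosts'])}")
    for name, (ok, detail) in check_plan(feats, SAMURAI_PLAN).items():
        print(f"[{'OK ' if ok else 'GAP'}] {name}: {detail}")
```

Run as-is, the report flags two gaps for the posted Base licence: the 50 inside-host cap against a 100-host peak, and "Dual ISPs : Disabled"; the two site-to-site tunnels fit within the 10 licensed VPN peers, and the third VLAN allows a DMZ but carries the "Restricted" flag. Feeding in the output of an appliance with a different licence, or a different plan dictionary, gives the corresponding report.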
Old 7th February 2009, 17:15 #73
Posted by mathewpn (BHPian, Sydney)
From my personal experience,
Cisco,
serves the purpose
rock solid (have been administering one for the last 4 years)
easy to configure
GOOD MARKETING
BRAND IMAGE

ISA,
BRAND IMAGE
GOOD MARKETING
just a firewall which requires a lot of maintenance and regular updates to keep it running (maintaining one for the past 2 years and it's a pain)
easy to configure

Linux/Unix with iptables,
MARKETING - NO NO
BRAND IMAGE - Yes, but limited
Once configured, no need to turn back until you need some other settings to be enabled on it. (I am using 4 firewalls of this kind)
VPN configuration is bliss (Openswan/FreeS/WAN), with any parameters you can name!!

Your inputs are welcome.
Old 7th February 2009, 23:40 #74
Posted by jassi (BHPian, Melbourne)
Quote:
Originally Posted by Samurai
Wow! Two days of banging my head and this is what worked, I was connected to port 0. Thanks boss.
I didn't know it either, but knowing how to find your way around the userguides helps. Here is a link to the ASA docs page
Cisco ASA 5500 Series Adaptive Security Appliances - Support - Cisco Systems

Quote:
I was hoping to connect both reliance and airtel ISPs in failover mode, but now I see dual ISPs is disabled. I also want to be in permanent VPN connectivity my US office network.

Do I have enough licenses for two ISPs, DMZ, internal LAN and permanent VPN connectivity to two different US offices?

Can Cisco TAC help me with these queries? What is their local number by the way?
Dual ISPs is a licensed feature and I am not sure if it is just failover from one ISP to another or if both ISPs can pass traffic at the same time. Last I heard, on the higher models this was a feature pending a new code release, but maybe the 5505s have it.
In the link I pasted above, there is a TAC service request link; use that and open a case. Leave your contact details and they will call you and advise on your licensing or support queries.
Old 25th March 2010, 15:04 #75
Posted by Samurai (Team-BHP Support, Bangalore/Udupi)
For more than a year now, all our 3 offices are connected to each other via permanent VPN using Cisco ASA 5505 at each branch. It is working out very well, you could call me a happy customer. BTW, I learnt to configure it myself.

Thanks for all the support and guidance I received here.

Quote:
Originally Posted by Samurai
My local vendor took 3 months to deliver the Cisco ASA 5505 equipment.
Now I need one for another location in India. But I do not dare use the same vendor because of the above reason.

I need the basic version: ASA5505-BUN-K9 + smartnet support.

Is there a vendor in Bangalore from whom I can buy Cisco ASA 5505 quickly?
Copyright ©2000 - 2024, Team-BHP.com