Cisco ASA Firewall Review

Site to site VPN is easy, but it's very expensive.

What is most valuable?

  • VPN
  • ASDM configuration

For FirePOWER:

  • IPS
  • AMP
  • URL filtering

How has it helped my organization?

It's pretty easy to connect between different branches using site to site VPN.

What needs improvement?

Cost, it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for the Cisco AnyConnect VPN client.

For how long have I used the solution?

I've been using it since October 2004, so for 10 years.

What was my experience with deployment of the solution?

Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.

Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above, leading to running different software versions.

What do I think about the stability of the solution?

V8.2 is very stable. With the latest versions it's still early to tell.

What do I think about the scalability of the solution?

Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.

How are customer service and technical support?

Customer Service:

Excellent customer service. Cisco listens to their customers.

Technical Support:

Excellent customer service and documentation.

Which solution did I use previously and why did I switch?

We previously used Checkpoint, and I switched because Checkpoint was expensive but now it looks like Cisco is following the same route.

How was the initial setup?

It was not that complex because I was using Cisco routers and switches five years prior.

What about the implementation team?

It was an in-house implementation.

What was our ROI?

I can't tell right now as I am still investing.

What's my experience with pricing, setup cost, and licensing?

The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.

Which other solutions did I evaluate?

No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.

What other advice do I have?

Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.

Which version of this solution are you currently using?

5555-X With FirePOWER SW v9.2.5, 5550 SW v8.2.5, 5510 SW v9.1.1 and 5520 SW v9.1.1

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Learn what your peers think about Cisco ASA Firewall. Get advice and tips from experienced pros sharing their opinions. Updated: January 2021.

it_user9858 (Network Head at a manufacturing company with 1,001-5,000 employees)

First, I would question you need a 5555. That is a lot of throughput. You have Internet connections faster than 1G?
A 5545x matches 5550. In almost every upgrade I've done to NextGen X series, I've been able to go down a model number.
NAT difference after 8.3 wasn't trivial, but you should be on 9.x or higher by now. PBR and BGP are now available on the firewall.
AnyConnect pricing changes to be more favorable on version 4. You license across all firewalls and no hard limit. You license for 50, the 51st user connects.
I had everything in my environment of 300+ locations - Fortigate, Juniper, Checkpoint, Sonicwalls. Cisco is the most reliable. When you factor in soft costs troubleshooting of non-Cisco firewalls, Cisco is by far the cheapest.

it_user230721 (User)

@finny47 - If you want to make a step forward and start segmenting your network on the firewall, then you need every bit of throughput a box can deliver.
If you stay on the classical flat network architecture, then you are right.

Simon Chaba (Real User)

Yes, we have 3 x 1Gbps and 1 x 155Mbps. We have four internet breakouts in different cities around the country and three of them are 1Gbps each. The fourth internet breakout is 155Mbps. There are only 2 ASAs which are still on 8.3 and all others have been upgraded to 9.1. The remaining two will be upgraded in a few weeks' time. Cisco ASAs are reliable, very stable and the best. The Cisco Firepower works like magic; application visibility, URL filtering and the ability to drop p2p protocols like torrent on the fly are some of the best capabilities of the product.