Cisco ASA NGFW Review

I'd like the ability to use IPS & CX modules simultaneously but overall it provides peace-of-mind against cyber-attacks.

Valuable Features

The most valuable features are the IPS and Botnet software modules. These security features, working in tandem, truly provide peace of mind against all levels of cyber-attacks.

Improvements to My Organization

Since the 5512-x is software-license based, there is no need to purchase additional hardware to enable much-needed features.

Room for Improvement

Since most features are license based and some licenses are time-based, there should be a way for the device to alert via SNMP that licenses are about to expire. Also, I would like to be able to use both the IPS and CX modules simultaneously, instead of one or the other.

Use of Solution

I have been using the 5512-x for almost one year now.

Deployment Issues

Deployment of the 5512-x is very simple. The main issue I found was in deploying the firewall using the "new" style of configuring NAT statements.

Stability Issues

I have not encountered any stability issues with the IOS version or the IPS version. I am currently running IOS 9.3.2 and IPS version 7.3(2)E4.

Scalability Issues

The 5512-x with a BASE license does not have many options for scalability. However, the Security Plus option allows multiple contexts and ACTIVE/ACTIVE fail-over options. I currently do not use those features, but I can definitely see the need for both of these options.

Customer Service and Technical Support

Customer Service:

Cisco customer service has always been excellent. I have never had any issues with them.

Technical Support:

Cisco TAC is always hit-or-miss. You either get a guru or a newbie, and there is nothing in between.

Previous Solutions

The previous firewall was a Cisco SA520W. This device was great as it was a firewall, IPS and WLC all in one. I switched due to this device being EOL/EOS. Also, the main complaint about this device was that with the IPS enabled all traffic was slowed to a crawl. I would rate the SA520W as 3/10.

Initial Setup

The SA520W was a simple setup. There is no CLI option; it is all done within a straightforward GUI.

Implementation Team

All solutions are designed, configured, and maintained by me.


The ROI on the SA520W is 0, as this device is EOL/EOS.

Pricing, Setup Cost and Licensing

The original setup cost of the SA520W was approx. US$500. The setup for the 5512-x was approx. US$3000. For the 5512-x, additional costs were incurred for the IPS and Botnet licenses, approx. an additional US$1000/year. As for day-to-day costs, the 5512-x self-updates the security modules, so there is little interaction that I need to perform.

Other Solutions Considered

I was considering going to the ISA550W (the replacement for the SA520W) or a 5505. I ultimately went with the 5512-x due to its speed and software licensing model.

Other Advice

The next-gen firewalls are a great solution. Be aware of the additional hardware costs (120GB SSD) that are needed to implement some features like the CX module. Also, if you do not need ACTIVE/ACTIVE fail-over, there is no real need for the Security Plus license. And finally, understand the true speed of the model you choose with and without the IPS module enabled before making a final decision.

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Cisco re-seller.