Cisco ASA NGFW Review

Site to site VPN is easy, but it's very expensive.

Valuable Features

  • VPN
  • ASDM configuration

For FirePOWER:

  • IPS
  • AMP
  • URL filtering

Improvements to My Organization

It's pretty easy to connect between different branches using site to site VPN.

Room for Improvement

Cost, it's very expensive. To migrate from a Cisco ASA 5550 and not drop in performance, you have to go to a Cisco ASA 5555-X with FirePOWER. To fully use the Cisco FirePOWER IPS, AMP and URL filtering, you are forced to (MUST) buy the Cisco FireSIGHT management centre. You also have to buy licensing for Cisco AnyConnect VPN client.

Use of Solution

I've been using it since October 2004, so for 10 years.

Deployment Issues

Due to the cost, I am still waiting for more funds to deploy the final phase, FirePOWER IPS, AMP and URL filtering.

Cisco did an upgrade from v8.2 to v8.3 of the migration system. NAT configuration is different from 8.2 to 8.3. It's not easy to upgrade to 8.3 and above, leading to running different software versions.

Stability Issues

V8.2 is very stable. With the latest versions it's still early to tell.

Scalability Issues

Upgrading from v8.2 to v8.3 is a nightmare. The risks of down time are so high that I am forced to run different versions. Stay with 8.2 on all NAT dependent on your ASA, but again it's all about the cost.

Customer Service and Technical Support

Customer Service:

Excellent customer service. Cisco listens to their customers.

Technical Support:

Excellent customer service and documentation.

Previous Solutions

We previously used Checkpoint, and I switched because Checkpoint was expensive, but now it looks like Cisco is following the same route.

Initial Setup

It was not that complex because I was using Cisco routers and switches five years prior.

Implementation Team

It was an in-house implementation.


I can't tell right now as I am still investing.

Pricing, Setup Cost and Licensing

The initial investment on the Cisco ASAs was around one million South African Rand and there's a R200,000 annual maintenance cost with Cisco's partners.

Other Solutions Considered

No. I went straight to Cisco because of my experience with their CUCM IPT solutions, routers and switches.

Other Advice

Budget a lot of money, especially on the initial setup and the annual licensing and maintenance cost.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Head at a manufacturing company with 1,001-5,000 employees, Real User

First, I would question whether you need a 5555. That is a lot of throughput. You have Internet connections faster than 1G?
A 5545x matches 5550. In almost every upgrade I've done to NextGen X series, I've been able to go down a model number.
NAT difference after 8.3 wasn't trivial, but you should be on 9.x or higher by now. PBR and BGP are now available on the firewall.
AnyConnect pricing changes to be more favorable on version 4. You license across all firewalls and no hard limit. You license for 50, the 51st user connects.
I had everything in my environment of 300+ locations - Fortigate, Juniper, Checkpoint, Sonicwalls. Cisco is the most reliable. When you factor in soft costs troubleshooting of non-Cisco firewalls, Cisco is by far the cheapest.

09 June 15

@finny47 - If you want to make a step forward and start segmenting your network on the firewall, then you need every bit of throughput a box can deliver.
If you stay on the classical flat network architecture, then you are right.

09 June 15
Simon Chaba, Real User

Yes, we have 3 x 1Gbps and 1 x 155Mbps. We have four internet breakouts in different cities around the country and three of them are 1Gbps each. The fourth internet breakout is 155Mbps. There are only 2 ASAs which are still on 8.3 and all others have been upgraded to 9.1. The remaining two will be upgraded in a few weeks' time. Cisco ASAs are reliable, very stable and the best. The Cisco Firepower works like magic; application visibility, URL filtering and the ability to drop p2p protocols like torrent on the fly are some of the best capabilities of the product.

10 June 15