Picked this up on an NFR to play with at the house. It replaced an HP R120 that I've been using for a few months, a device which, while featuring great range and throughput, I would not recommend if you run VLANs, as it doesn't seem to handle them well, despite being advertised as supporting them. Anyways, on to the ASA. This is an "all-in-one" product designed to give you a single point for IPS, malware prevention, wireless, firewall, NAT, etc. It is physically one product but functionally actually three.

1. On the firewall side it is the replacement for the Cisco ASA 5505, which was a small, fanless firewall product with an integrated configurable switch. This device carries on the fanless (thus noiseless) tradition and features 8 ports on the rear but, unlike its predecessor, these are NOT part of a switch, so you cannot simply group the ports. This was a bit disappointing.

2. For wireless it contains the hardware/software for the Cisco SAP702i, which I believe I have posted about before. It is currently Cisco's most affordable "current generation" Aironet AP (runs IOS) and supports A/B/G/N/AC. This requires a separate SmartNET contract if you want access to firmware updates for the AP. The contract is about $20.00. I recommend this as it ships with rather old firmware.

3. For advanced IPS, traffic screening, filtering, malware detection, etc. the device includes a small embedded Linux server running "Cisco Linux" that provides the "FirePOWER" functionality.

Cisco's description of the product reads thusly:

Originally Posted By: Cisco
Cisco ASA with FirePOWER Services is centrally managed through the Cisco Firepower Management Center which provides security teams with comprehensive visibility into and control over activity within the network. This capability includes users, devices, communications between virtual machines, vulnerabilities, threats, client-side applications, files, and websites. Holistic, actionable indications of compromise (IoCs) correlate detailed network and endpoint event information and provide further visibility into malware infections. Cisco Firepower Management Center also provides content awareness with malware file trajectory. It helps you track an infection and determine the root cause to speed time to remediation.

Setup is pretty straightforward if you don't have an existing network. Since that describes almost no scenario I've ever encountered, setup is a relative PITA. The device comes shipped with the management network assigned with a 192.168.1.x subnet on the 2nd physical interface. The FirePOWER module, while physically in the same chassis, is not connected internally. That means it requires a separate ethernet cable, either as a loopback with it routed, or into a separate switch to which you are connecting it and port 2. Since I use a separate switch, my configuration (which is their recommended configuration) reflects the 2nd scenario. Now, since my subnet for my home network is NOT the same as the predefined subnet on the device, that meant some initial setup of the device via laptop and the defining of my own subnet on the 3rd interface (easier than goofing with the management interface and reassigning it), giving it the same security level as the management interface, assigning my computer's IP as the management IP and then connecting it to my network to replace the HP.

Now, my home network consists of 3 VLANs and three subnets that are not routed. Two are guest networks, one is internal. That scenario does not work with this device. The reason for that is the wireless. The integrated access point has its own internal switch port. You cannot assign the same VLANs to that switch port as you can to your other switch ports. That is, if I assign VLAN 1, 2, 3 to eth1, I cannot again assign those to eth9 (wireless). Which means that you cannot use the same subnet across devices within this device. Ultimately the solution was 6 separate VLANs, three on the LAN interface and three on the wireless interface, with phased subnets and using security levels to allow them to see each other. So for VLAN 1 and VLAN 4, both have security level 100, so traffic between the two is permitted.

This allows my scan tool (wireless) to be seen by the diagnostic software (wired), but prevents clients on the other networks from accessing either of those two networks. This does of course give you greater flexibility because of the security groupings, but you have to deal with the hassle of adding more subnets, which means if you have devices with static IPs, particularly ones that are spread across wired and wireless but featuring a common subnet, you may have a bit of a headache. Of note here: the wireless, being its own switch port, is, by default, its own network. It has a web UI, but being Cisco, it isn't overly intuitive for the uninitiated. I chose to just program it via CLI, as my setup was far easier to implement that way given the multiple VLANs and bridge groups.

Once that was working, it was on to performing the initial setup of the FirePOWER module, which you assign the IP address to via the setup wizard. Since I had changed the Inside interface to management only (no internet) and had assigned my pre-existing subnet to the 3rd interface, I had to change the configuration on this module to reflect that, so that its IP was within the same subnet as the network it was physically connected to. This is relatively painless. HOWEVER, upon getting the device operational, it was not resolving names. There was no way to set the DNS servers for it through ASDM; it was supposed to just "work" but obviously wasn't. A few minutes with the CLI and the network settings for the module (SSH into it) allowed me to assign it a couple of DNS servers. This yielded another hiccup: I still had no name resolution. I then issued the restart command to the module, which resulted in resolution working and it downloading updates by itself when it came online. That's when I discovered this thing is SLOW (the module). This embedded Linux server is not a high performance device. I am sure it is more than adequate for its intended purpose, but upgrading it and restarting it are painful; both take a great deal of time.

And this of course brings us to the next part: software updates. It (surprisingly) shipped with the latest version of both ASDM and the ASA software. However, the software on the AP was ancient and the same goes for the FirePOWER server. I'm currently in the process of upgrading the latter and it is not for those in any kind of hurry.

So, in summary:

Pros:
- Excellent throughput w/8GE ports and NAT. It has 4GB of RAM, which is plenty.
- Integrated true Aironet Access Point, good range and throughput, IOS reliability
- Integrated threat detection and malware tracking via FirePOWER
- ASDM management software makes it relatively easy to set up for those not familiar with Cisco's CLI
- Relatively compact for a Cisco product
- Low heat output, completely silent

Cons:
- Indicator LEDs are on the back of the chassis (and the top at the back), making observing them difficult
- The quick setup only works for somebody whose existing subnet matches the preconfigured one
- The separate cabling for the FirePOWER module could be seen as inconvenient, and the requirement of a 2nd switch for a typical deployment to work means this device cannot truly be an "all-in-one" product
- Tying in with the above, the ports on the back are not switch ports, which complicates somewhat your typical WAN/LAN setup
- Aironet AP needs to be configured separately (no way to configure it via ASDM) and the GUI is a far cry from simple
- LONG wait times for the updates on the FirePOWER module
- Many of the software updates require a valid SmartNET contract, which is an extra expense

All-in-all, for a small branch office or SMB, I think it would be a great product as long as you are prepared to deal with the rather lengthy setup. It will have typical Cisco reliability, which means it will last long into obsolescence and probably still be working fine when it hits the dust bin.
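As an added illustration of the VLAN/security-level layout described in the post (this is not the poster's configuration; the interface names, VLAN IDs and addresses are constructed, and the wired and wireless subinterfaces, "tools" and "guest" names are assumptions), here is what the ASA side of "two segments at level 100 can talk, guest cannot reach them" looks like. Note the `same-security-traffic permit inter-interface` line: without it the ASA drops traffic between two interfaces at the same security level even though both are 100.

```cisco
! Allow flows between interfaces that share a security level (off by default).
same-security-traffic permit inter-interface
!
! Wired tools segment on the first LAN port (VLAN 10, level 100).
interface GigabitEthernet1/1.10
 vlan 10
 nameif wired-tools
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
! Wireless tools segment on the integrated AP port (VLAN 40, level 100).
! Same security level as wired-tools, so scan tool <-> diagnostics traffic
! passes in both directions with no ACL once inter-interface is permitted.
interface GigabitEthernet1/9.40
 vlan 40
 nameif wifi-tools
 security-level 100
 ip address 10.0.40.1 255.255.255.0
!
! Wired guest segment (VLAN 20, level 50). A lower level cannot initiate
! connections toward level 100 interfaces unless an ACL explicitly allows it,
! which is what keeps guests off both tools networks.
interface GigabitEthernet1/1.20
 vlan 20
 nameif wired-guest
 security-level 50
 ip address 10.0.20.1 255.255.255.0
```

Verify the result with `show running-config same-security-traffic` and `packet-tracer input wired-guest tcp 10.0.20.50 12345 10.0.40.50 80`, which should show the guest-to-tools flow dropped while the same trace from `wired-tools` to `wifi-tools` is allowed.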