Router review - Cisco ASA 5506W-X w/FirePOWER

Status
Not open for further replies.

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
57,912
Location
Ontario, Canada
Picked this up on an NFR to play with at the house. It replaced an HP R120 that I've been using for a few months, a device which, while featuring great range and throughput, I would not recommend if you run VLANs, as it doesn't seem to handle them well, despite being advertised as supporting them.

Anyways, on to the ASA. This is an "all-in-one" product designed to give you a single point for IPS, malware prevention, wireless, firewall, NAT, etc. It is physically one product but functionally actually three.

1. On the Firewall side it is the replacement for the Cisco ASA 5505, which was a small, fanless firewall product with an integrated configurable switch. This device carries on the fanless (thus noiseless) tradition and features 8 ports on the rear but unlike its predecessor, these are NOT part of a switch, so you cannot simply group the ports. This was a bit disappointing.

2. For wireless it contains the hardware/software for the Cisco SAP702i, which I believe I have posted about before. It is currently Cisco's most affordable "current generation" Aironet AP (runs IOS) and supports A/B/G/N/AC. This requires a separate SmartNET contract if you want access to firmware updates for the AP. The contract is about $20.00. I recommend this as it ships with rather old firmware.

3. For advanced IPS, traffic screening, filtering, malware detection, etc., the device includes a small embedded Linux server running "Cisco Linux" that provides the "FirePOWER" functionality. Cisco's description of the product reads thusly:
Originally Posted By: Cisco
Cisco ASA with FirePOWER Services is centrally managed through the Cisco Firepower Management Center which provides security teams with comprehensive visibility into and control over activity within the network. This capability includes users, devices, communications between virtual machines, vulnerabilities, threats, client-side applications, files, and websites. Holistic, actionable indications of compromise (IoCs) correlate detailed network and endpoint event information and provide further visibility into malware infections. Cisco Firepower Management Center also provides content awareness with malware file trajectory. It helps you track an infection and determine the root cause to speed time to remediation.


Setup is pretty straightforward if you don't have an existing network. Since that describes almost no scenario I've ever encountered, setup is a relative PITA. The device comes shipped with the management network assigned a 192.168.1.x subnet on the 2nd physical interface. The FirePOWER module, while physically in the same chassis, is not connected internally. That means it requires a separate ethernet cable, either as a loopback with it routed or into a separate switch to which you are connecting it and port 2. Since I use a separate switch, my configuration (which is their recommended configuration) reflects the 2nd scenario. Now, since the subnet for my home network is NOT the same as the predefined subnet on the device, that meant some initial setup of the device via laptop and the defining of my own subnet on the 3rd interface (easier than goofing with the management interface and reassigning it), giving it the same security level as the management interface, assigning my computer's IP as the management IP and then connecting it to my network to replace the HP.

Now, my home network consists of 3 VLANs and three subnets that are not routed. Two are guest networks, one is internal. That scenario does not work with this device. The reason for that is the wireless. The integrated access point has its own internal switch port. You cannot assign the same VLANs to that switch port as you can to your other switch ports. That is, if I assign VLAN 1, 2, 3 to eth1, I cannot again assign those to eth9 (Wireless). Which means that you cannot use the same subnet across devices within this device.

Ultimately the solution was 6 separate VLANs, three on the LAN interface and three on the wireless interface with phased subnets and using security levels to allow them to see each other. So for VLAN 1 and VLAN 4, both have security level 100, so traffic between the two is permitted. This allows my scan tool (wireless) to be seen by the diagnostic software (wired), but prevents clients on the other networks from accessing either of those two networks. This does of course give you greater flexibility because of the security groupings, but you have to deal with the hassle of adding more subnets, which means if you have devices with static IPs, particularly ones that are spread across wired and wireless but featuring a common subnet, you may have a bit of a headache.

Of note here: The wireless, being its own switch port, is by default its own network. It has a web UI, but being Cisco, it isn't overly intuitive for the uninitiated. I chose to just program it via CLI, as my setup was far easier to implement that way given the multiple VLANs and bridge groups.

Once that was working, it was on to performing the initial setup of the FirePOWER module, which you assign the IP address to via the setup wizard. Since I had changed the Inside interface to management only (no internet) and had assigned my pre-existing subnet to the 3rd interface, I had to change the configuration on this module to reflect that, so that its IP was within the same subnet as the network it was physically connected to. This is relatively painless. HOWEVER, upon getting the device operational, it was not resolving names. There was no way to set the DNS servers for it through ASDM; it was supposed to just "work" but obviously wasn't. A few minutes with the CLI and the network settings for the module (SSH into it) allowed me to assign it a couple of DNS servers. This yielded another hiccup: I still had no name resolution. I then issued the restart command to the module, which resulted in resolution working and it downloading updates by itself when it came online. That's when I discovered this thing is SLOW (the module). This embedded Linux server is not a high performance device. I am sure it is more than adequate for its intended purpose, but upgrading it and restarting it are painful; both take a great deal of time.

And this of course brings us to the next part: Software updates. It (surprisingly) shipped with the latest version of both ASDM and the ASA software. However the software on the AP was ancient and the same goes for the FirePOWER server. I'm currently in the process of upgrading the latter and it is not for those in any kind of hurry.

So, in summary:

Pros:
- Excellent throughput w/8GE ports and NAT. It has 4GB of RAM, which is plenty.
- Integrated true AiroNET Access Point, good range and throughput, IOS reliability
- Integrated threat detection and malware tracking via FirePOWER
- ASDM management software makes it relatively easy to set up for those not familiar with Cisco's CLI
- Relatively compact for a Cisco product
- Low heat output, completely silent

Cons:
- Indicator LEDs are on the back of the chassis (and the top at the back), making observing them difficult
- The quick setup only works for somebody whose existing subnet matches the preconfigured one
- The separate cabling for the FirePOWER module could be seen as inconvenient and the requirement of a 2nd switch for a typical deployment to work means this device cannot truly be an "all-in-one" product
- Tying in with the above, the ports on the back are not switch ports, which complicates somewhat your typical WAN/LAN setup
- AiroNET AP needs to be configured separately (no way to configure it via ASDM) and the GUI is a far cry from simple
- LONG wait times for the updates on the FirePOWER module
- Many of the software updates require a valid SmartNET contract, which is an extra expense

And a stock pic:

All-in-all, for a small branch office or SMB, I think it would be a great product as long as you are prepared to deal with the rather lengthy setup. It will have typical Cisco reliability, which means it will last long into obsolescence and probably still be working fine when it hits the dust bin.
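The "security level 100 on VLAN 1 and VLAN 4" design from the review, written out as ASA CLI. This is an added example, not the OP's running config: the interface names (Gi1/2 for the wired port, Gi1/9 for the internal AP, as on the 5506-X), the nameif values and the 10.0.x.0/24 subnets are assumptions; the VLAN numbering follows the review.

```text
! Added example, not the reviewer's config. Gi1/2 = wired port, Gi1/9 = the
! integrated AP's port. nameifs and the 10.0.x.0/24 subnets are constructed.
!
! By default the ASA drops traffic between two interfaces at the SAME
! security level. This one line is what makes "VLAN 1 and VLAN 4 can see
! each other" work; level 100 on both sides is not enough on its own.
same-security-traffic permit inter-interface
!
! Wired side: three subinterfaces on one physical port
interface GigabitEthernet1/2.1
 vlan 1
 nameif internal-wired
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/2.2
 vlan 2
 nameif guest1-wired
 security-level 10
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet1/2.3
 vlan 3
 nameif guest2-wired
 security-level 10
 ip address 10.0.3.1 255.255.255.0
!
! Wireless side: the AP behind Gi1/9 cannot reuse VLANs 1-3, so a parallel
! set of VLAN ids and subnets is needed (the "phased subnets" of the review).
interface GigabitEthernet1/9.4
 vlan 4
 nameif internal-wifi
 security-level 100
 ip address 10.0.4.1 255.255.255.0
!
interface GigabitEthernet1/9.5
 vlan 5
 nameif guest1-wifi
 security-level 10
 ip address 10.0.5.1 255.255.255.0
!
interface GigabitEthernet1/9.6
 vlan 6
 nameif guest2-wifi
 security-level 10
 ip address 10.0.6.1 255.255.255.0
!
! Caveat: the four guest interfaces also share a level (10), so the same
! permit line lets guests reach each other. Apply an access-group on each
! guest nameif if the guest networks must stay isolated from one another.
```

Level-10 guests cannot initiate connections toward the level-100 interfaces, which is the isolation the review relies on; the reverse direction (100 toward 10) is allowed by default, so an access-list is the tool if that also needs restricting.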
 
So... Right now I have FiOS, and that comes with a modem and router/wifi in one. It's fast enough, but the wifi range leaves just a bit to be desired for the back of my home and backyard.

Would something like this be prudent to use instead of the built in Verizon software and router?
 
No, you'd probably be better off just disabling the integrated wireless and setting up a couple of access points in a cluster.

OR

You could just add an access point closer to the back and back yard area, assign it the same SSID and passphrase as the primary one and clients should automatically roam to it when it becomes the closer target.

This device is more for an office environment where the risk of malware causing data loss and malicious traffic are an issue. The integrated Aironet AP, which can easily be clustered with another Aironet AP (or several), is not a breeze to set up and unless you have some Cisco CLI experience (or are willing to learn it, and if that's the case, go for it!) would likely be a bit frustrating to configure.
 
Originally Posted By: Y_K
Thank you, but few of us are eligible for NFR pricing.


I understand that, but at regular price it still makes sense for branch or SMB use.
 
JHZR2
I have the same issues with FIOS. The modem/router is in the basement on one side, and the other side of the house is where I have issues with the wifi connection. I bought a NetGear AC2200 extender that works ok but still could use improvement.

Rand
Have you already tried this setup? How easy is it to disable the wireless function in the FIOS router?
 
Originally Posted By: Rand
to: JHZR2
I'd disable the built in wireless and put a few of these in

https://www.amazon.com/dp/B015PRCBBI/ref...NS3GXR856S27FQP


Or if you have an older router, locate it near the back of the home/area with the deficit. Simply disable DHCP in it. Run Ethernet from the Verizon router to one of the ports on the wireless side (not the internet side) and that generally works well.

The OP's setup, while fun for a network guy, is overkill (his name!) for home use.
 
Originally Posted By: GGorman04
JHZR2
I have the same issues with FIOS. The modem/router is in the basement on one side, and the other side of the house is where I have issues with the wifi connection. I bought a NetGear AC2200 extender that works ok but still could use improvement.

Rand
Have you already tried this setup? How easy is it to disable the wireless function in the FIOS router?


You actually don't have to disable the wireless, but it's very simple.

I have the older non-AC version of those and they work quite well.

I have a WZR-1750DHP Buffalo router. I have the Roku and other heavy bandwidth on the 5 GHz band.

And for outside, basement, garage etc. I have a couple of these
https://www.amazon.com/Enterprise-System-UBIQUITI-NETWORKS-UAP-LR/dp/B00HXT8S9G

You can hardwire them all or just one and they will make a wireless relay.
They look like a large smoke detector.

My house is a Cape Cod style with mesh in the walls etc., which can be challenging for wireless.
The cable modem and router are also in the upstairs office, which doesn't help. There is 1 bar 25 ft away outside on the back deck. With the UAP-LR it covers most of the backyard, the garage and the back deck. I am putting in a second one and wiring my security cameras soon.

I temporarily set it up and the coverage with 2 is very good. I could go more into detail but this is a thread hijack already.
 