The Cisco ASA line has some serious bad juju when mentioned in networking circles. An example of this is my mentor, Kurt Bales. He is a Juniper champion, JNCIE candidate, and all-around network guru. His background lent itself to a best-tool-for-the-job mentality. Yet even with that mindset, there is hate. Don't think this musk-stick-loving engineer is alone. There are others who agree.
That being said, I think I am sick of it. I want to share my experiences with a platform I believe is stable, robust, and deserves a place in your next upgrade and deployment.
Bad juju or haters gunna hate?
Is the ASA such a terrible platform, or do the haters hate on the ASA unjustifiably? In a recent installation of 6 x ASA 5585-X SSP-10 units I have been through the entire PPDIOO (Prepare, Plan, Design, Implement, Operate, Optimise) life cycle. I planned, prepared and designed. I assessed our needs:
- Virtualize the core.
- Establish multiple VRFs and VPNs to many sites.
- Allow third party access with very particular rule sets.
- Establish multi-site failover to partner services whilst sustaining sessions.
- Establish access control and ease of management.
- Predictable traffic patterns.
I needed throughput and rule-set grunt. The fact that 2 x 10GbE connections would be sitting at moderate utilisation was a factor.
The ASA delivers on this and more. Not once in any of our tests could we load it up enough. Failover with the HA technologies was flawless. Our requirements for controlling traffic to meet the security policy we had in place were met. Load balancing via context loading was important and was achieved. Management via CLI/ASDM as phase 1, before moving to CSM, was a benefit. I am pushing some serious traffic through this and have more than a paltry need. The environment I am in cannot tolerate downtime or faults.
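To make the HA and "context loading" points concrete, here is an added configuration example; it is not from the original post or from the author's deployment. It shows the two ASA features the requirements above lean on: active/active failover, which on the ASA requires multiple-context mode and spreads load by assigning each security context to a failover group that is active on a different unit, and a dedicated stateful failover link, which is what lets existing sessions survive a switchover. It also shows the kind of tightly scoped third-party rule set mentioned in the requirements. Unit roles, interface numbers (TenGigabitEthernet0/8 and 0/9 are the two 10GbE ports on a 5585-X SSP-10), VLAN IDs, context names, addresses and the shared key are all assumptions chosen for illustration, not values taken from the post.

```cisco
! ===== System execution space (both units; the secondary learns the rest) =====
! Assumption: interface numbering, VLANs, names and addresses are illustrative only.
mode multiple
!
interface GigabitEthernet0/2
 description LAN failover link (assumed)
!
interface GigabitEthernet0/3
 description Stateful failover link (assumed) - without this, sessions drop on switchover
!
interface TenGigabitEthernet0/8.100
 vlan 100
interface TenGigabitEthernet0/9.100
 vlan 100
interface TenGigabitEthernet0/8.200
 vlan 200
interface TenGigabitEthernet0/9.200
 vlan 200
!
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover key CHANGEME-shared-secret
! Two failover groups: group 1 prefers the primary unit, group 2 the secondary.
! Contexts joined to different groups run active on different chassis (active/active).
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
context corp
 allocate-interface TenGigabitEthernet0/8.100 inside
 allocate-interface TenGigabitEthernet0/9.100 outside
 config-url disk0:/corp.cfg
 join-failover-group 1
!
context partner
 allocate-interface TenGigabitEthernet0/8.200 inside
 allocate-interface TenGigabitEthernet0/9.200 outside
 config-url disk0:/partner.cfg
 join-failover-group 2
!
! ===== Inside the "partner" context (disk0:/partner.cfg) =====
! Standby addresses are required so failover can monitor and take over each interface.
interface inside
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
interface outside
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248 standby 203.0.113.2
!
! Third-party access: named objects, only the hosts and ports the partner needs,
! and an explicit logged deny so rejected attempts show up in syslog.
object-group network PARTNER_SRC
 network-object host 198.51.100.10
 network-object host 198.51.100.11
object-group network PARTNER_DST
 network-object host 10.20.0.50
object-group service PARTNER_PORTS tcp
 port-object eq 443
 port-object eq 22
!
access-list OUTSIDE_IN extended permit tcp object-group PARTNER_SRC object-group PARTNER_DST object-group PARTNER_PORTS
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two things worth checking in a real build: `show failover` on each unit should list both groups with one active on each chassis, and a deliberate interface shutdown on the primary should move only group 1 while existing TCP sessions through the partner context keep flowing, because the connection table is replicated over the STATE link. The trailing `deny ip any any log` is redundant with the implicit deny but is what turns a silent drop into an auditable event.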
I am not blind
I know the platform has shortcomings. Some may argue that the ASA code is years behind. Some gripe that ASDM doesn't work on OS X due to Java (I agree Java is so-so). Juniper does have some rock-solid offerings with features the ASA cannot do: BGP routing and DHCP reservations, just to name a couple.
As ASA 9.0 approaches (I have been told it isn't vaporware), the playing field in code features against what Juniper offers should be levelled. That pares it back to a hardware battle. What does that mean to you? Sound high availability. Great failover. Sound build quality. The Cisco reliability that has made them the number one networking company.
Tool for the job
The right tool for the job needs to be adopted. In the plan and prepare phases you need to assess the requirements of what will traverse the firewall. What functions need to be performed, and how will the platform perform them? Service contracts and maintenance: who can provide them? If you use managed services, are the professional services staff proficient with the platform? In-house skill sets are also important to consider if training budgets or staff ability are a concern. With these things in mind, finding the right firewall in the ASA family can be achieved.
As Kurt said, candidate config and commit confirmed would be nice. That is just a small software nice-to-have which can always be added at a later date.
Vote 1 ASA
I think the ASA family needs to be considered in your designs. The hardware is sound. Cisco is a Tier 1 vendor. The code, albeit missing some features, is stable. I am a very happy customer of the ASA family, and this top-end model has done nothing but deliver for me.