The Cisco ASA line has some serious bad juju when mentioned in networking circles. An example of this is my mentor, Kurt Bales. He is a Juniper champion, JNCIE candidate, and all-around network guru. His background lent itself to a best-tool-for-the-job mentality. Yet with that mindset – there is hate. Don’t think this musk-stick-loving engineer is alone. There are others who agree.
That being said, I think I am sick of it. I want to share my experiences with a platform I believe is stable, robust, and deserves a place in your next upgrade and deployment.
Bad juju or haters gunna hate?
Is the ASA such a terrible platform, or do the haters hate on it unjustifiably? In a recent installation of 6 x 5585-X SSP-10 I have been through the entire PPDIOO life cycle. I planned, prepared and designed. I assessed our needs:
- Virtualize the core.
- Establish multiple VRFs and VPNs to many sites.
- Allow third party access with very particular rule sets.
- Establish multi-site failover to partner services whilst sustaining sessions.
- Establish access control and ease of management.
- Predictable traffic patterns.
I needed throughput and rule set grunt. The fact that 2 x 10GbE connections will be sitting at moderate utilization was a factor.
The ASA delivers on this and more. Not once in any of our tests could we load it up enough. Failover with HA technologies was flawless. The security requirements we had in place for controlling our traffic were met. Load balancing via context loading was important and achieved. Management via CLI/ASDM as phase 1 before moving to CSM was a benefit. I am pushing some serious traffic through this and have more than a paltry need. The environment I am in cannot tolerate downtime or faults.
I am not blind
I know there are shortcomings of the platform. Some may argue that the ASA code is years behind. Some gripe that ASDM doesn’t work on OSX due to Java (I agree Java is so-so). Juniper do have some rock solid offerings that can do features that ASA cannot: BGP routing and DHCP reservation, just to name a few.
As ASA 9.0 approaches (I have been told it isn’t vaporware) the playing field on the code features that Juniper offer should be leveled. That pares it back to a hardware battle. What does that mean to you? Sound high availability. Great failover. Sound build and quality. Cisco reliability that has made them the number one networking company.
Tool for the job
The right tool for the job needs to be adopted. In the plan and prepare phases you need to assess the requirements of what will traverse the firewall. What functions need to be performed, and how will it do them? Service contracts and maintenance: who can provide you with that? Professional services if you use managed services: are they proficient with the platform? In-house skill sets are also important to consider if training budgets or ability of staff is a concern. With these things in mind, finding the right firewall in the ASA family can be achieved.
As Kurt said, candidate config and commit confirmed would be nice. Just a small software nice-to-have which can always be added at a later date.
Vote 1 ASA
I think the ASA family needs to be considered in your designs. The hardware is sound. Cisco are a Tier 1 vendor. The code, albeit missing some features, is stable. I am a very happy customer of the ASA family and this top end model for me has nothing but delivered.
25 thoughts on “Why hate on ASA?”
I will admit to being a closet ASA fan as well. I’ve noticed the animosity toward the platform from others on the Twitter feeds. Part of me wonders if most of this is simply due to the problems that the ASDM/PDM have had over the years. I think that Cisco’s web based interface for the CX module of the ASA might be a hint toward a new interface in 9.x.
I believe you are right there Ben. I have been told that many software issues that people point out will be rectified with ASA 9.0 code including all those “juniper has this” features. Welcome to the ASA fanclub. Member number #002 🙂
Count me in for #003…
I’m curious to know how people hold the ASA up to the Fortigate. Cost difference is significant especially after licensing for all the feature sets is added. Plus Fortigate maintains all features when virtualizing a platform and ASA loses a lot when put in context mode. I would take Cisco support any day over Fortigate and there is an extra level of comfort I get when sitting behind a Cisco that I don’t get with a Fortigate but the price and feature bloat are tough to ignore.
Price is something that is expected when paying for Cisco. Call it what you want. It has some bad names. I see it has “insurance” as you get support/tac and the like. I believe the issues you point out will disappear in 9.0 code release. I personally have not used a Fortigate but I have peered with one and I know it was a headache for the other techs from that party. Not sure if user/device issues were the cause.
For me, the ASA has been a rock solid firewall for many of the clients I work for. Yes there are bugs and shortcomings (hopefully some of those will be fixed in the 9.x train), but they still deliver on good performance and features. I personally have no hate towards them other than the fact that ASDM is still Java based 🙂
Oh come on, Java isn’t all ~that bad~ 😉
I think there are bugs and shortcomings in all platforms. Again, right tool for the job.
At the High end of things, both Juniper and Cisco are reassuringly expensive and chock full of fun features. However at the shallower end of the pool (ASA 5505 , SRX100 etc) most of my clients seem to have an allergic reaction to the licensing restrictions and figuring out exactly what they do and don’t need. Having to pay extra to get a trunk interface on an ASA 5505 for example really makes the SRX an easy sell in comparison.
That is a good point. I know the 5505 is painful. Stateful failover is only available in the 5510 and upwards. I got my head around the licencing in place for the ASA family but I always felt the 5505 was just stupid. That being said I have always preferred to step up to a 5510.
Allergic reaction. I think I nearly spat half my cup of tea out 😉 Very amusing!
Just like people hate on the ACE and the WAAS. Their predecessors sucked!!
I know people hate on ACE too. I think I could do an ACE post like the above and get the same attention.
I have a HA pair of ACE 4710s and they do their job quite well.
The ASA can’t do VTI – that’s a killer. Even the lowly 5GT could do them for many years! I would take an SSG/SRX over an ASA any day of the week.
I have worked with Netscreens as well as ASAs. They are both pretty good and there is good and bad with everything, but I’d definitely take ASA over Netscreen any day. It has been pretty solid in my experience. I agree with the poster above, I wish ASDM was not Java based.
Somehow, I like the current way ASDM is. Not looking pretty, but working fine. Especially on my Mac OSX 10.8. You have no way to manage a Checkpoint FW on Mac OS directly. Haven’t tested ASDM 7.0 yet, but I guess it would be OK.
The fact that ASA does not support policy based routing has caused a great many dislikes in people I know.
I won’t touch ASA. It’s like if you took IOS (an already pretty bad OS) and butchered it, and convoluted it, you’d get ASA OS. It might “do the job”, but there are so many other options that also “do the job”. And often better. For less money.
I have been working with all kinds of FWs over the years. I still like the ASA the best. As for the router guys: IOS is NOT ASA. Nor is it a stripped IOS. The ASA does not do a lot of routing as it is NOT a router. I always have to laugh at the IOS router guys because they just don’t understand what the ASA does and what it is for. A router is made for routing, thus its performance and stability is just that. The ASA is made for BLOCKING traffic and pushing VPN traffic as fast as possible. And that is what it does. Also IPS works quite well on it. Yes it does not have DHCP – WHY SHOULD IT?? It’s a firewall, not a DHCP server. Why would you need it? Any company needing an ASA should have their own DHCP server. Yes, policy routing would be nice, I miss that from the IOS, but from a security perspective I can understand why it is (at least not right now) not implemented. NO, routers are NOT secure as they have way too many bugs. Just compare the bug list ASA-IOS to IOS. If you want a firewall, stable, fast, great support, you won’t be passing by the ASA. And if you want a sports car that packs a punch, you don’t look for the extra trunk space like in a minivan. Just my 2 cents…
Well.. do not know anything about the 55xx-x platform, but this 55xx combined with CSM (Cisco Security Manager) is a network hell. ASA is just good for VPNs, not for a firewall (maybe it works for SMB, but not for an enterprise). We had ended up replacing them with Checkpoint IP Appliances. CSM was pushing like millions of lines against 100’s of rules and depleting the memory, and operating/upgrading CSM is a pain in the butt too… no good tools like Checkpoint Smartview Tracker… Cisco just needs to fire all the ASA architects and rethink its firewall design…
I agree completely. Checkpoint kills ASA in every department and ASA is so unstable I want to take them and fire them out the window. Awful platform and Cisco should be ashamed!
Man you must be sorely disappointed with the new ASA code. Clustering is next to useless except in a datacenter (no SIP inspection). Still can’t do BGP (on a device that is internet facing, mind you). And try working with one that has 5k ACL lines (102k ACE entries). It is a bloody nightmare. You can’t run CX and IPS (a crappy IPS at that) together in the new code (though they are supposed to be bringing that, but still IPS is crappy). Oh and to go back to clustering for a moment… try rebooting a cluster member that can’t find the cluster… It will come up with the master IP address which then causes a duplicate IP address. Always fun when you’re troubleshooting remotely! It has gone from outdated to bloody awful. Don’t even get me started on the weird, not very customizable, identity feature (or hack rather). Check Point all the way (if you hate it, it is probably something you’re doing).
Can SRX do SSL VPN? I don’t think so. It’s a nice feature to have. Checkpoint? Apparently it does BGP but have you actually tried the nightmare of VSX running BGP? BGP shouldn’t be run on a firewall anyway. It’s an application and if an interface or the unit itself becomes overutilised and BGP keepalives are not sent/received in time your whole network can start shapeshifting and I am sure that is something you would all like to experience. And anyone who is using ASDM instead of the CLI gets what they deserve. Learn the CLI, on any firewall you care to use for that matter.
Sure the SRX can do SSL VPN. I (like most) learned networking on Cisco, but now prefer Junos. The CLI just makes so much more sense, is extremely intuitive, and doesn’t leave me guessing like I find myself doing so often on Cisco gear. And don’t get me started on the differences in available troubleshooting tools. 🙂
I’d be surprised if any networking newcomer that had the privilege to learn both simultaneously would prefer Cisco.
No one mentioned logs with the ASA. Terrible.
So Sorry, but ASA is a firewall, nothing more.
You can do the same today with other solutions, less price, more features, less license crap and easy management.
Sorry, this is out of my company solutions for firewall.
Advice: get a UTM.
VTI is available in 9.7(1). Just a comment for those who were waiting for it.