ASA5510 - expension cards

Ndxx · November 2016

Hi Guys,
I got my hands on ASA5510 V06, not sure if this is modern enough to play with ?

I had 0 exposure and figured that it might be a neat device to play with.
I did see on ebay some cheap cards... like Cisco ASA-SSM-AIP-10-K9

I assume that they don't have valid activation etc .. but will they work with out activation ?
is it worth getting this for a lab ?

Thank you

Iristheangel · November 2016

It'll be good for a basic lab for learning ASA IOS but I wouldn't recommend investing a lot of money in it. If you want to pay around with more modern ASA code or Firepower, my recommendations are virtualizing and using the following:
- ASAv by either getting your hands on the IOS through a Cisco rep or wherever or using VIRL to run it. It would probably run newer code than an ASA 5510
- vFTD + Firepower Management Console virtualized - if you want to run the NGFW/NGIPS features. If you have the OVAs for this, you can run it in evaluation mode for 90 days to lab. In 90 days, delete and re-stand it up for another 90 days.

Ndxx · November 2016

Woow that's a great response !

Quick google on vFTD shows that this can run on ESXi box ... does that mean that you no longer need physical Cisco device ?
And the software + esxi+ network ports is the new way to go ?

Is that the new model, do I understand that right ...

How about VPN AnyConnect etc is that virtual as well now

Thank you!

Ndxx · November 2016

Btw my 5510 seems to be running asa917-11-k8.bin

Iristheangel · November 2016

New way to go? Depends on a lot of factors. Your edge firewall in a big DC is going to be big iron but there's a lot of reasons to have virtual firewalling and IPS. You may have a multi-tenancy environment or certain security zones in your organization which require a lot more scrutiny.

What you're basically losing by going virtual for your lab is the ability to play around with multi-context and clustering - which for a CCNA/CCNP level, it's no big deal or you could easily try to spend some cash doing rack rentals if you want to play around with those features instead of investing in bigger hardware.

As far as VPN Anyconnect, you can do that with an ASAv as well so you're off to the races with that. Firepower Threat Defense (both hardware and physical) doesn't support Anyconnect/RA VPN yet but it will in the future. Give it a go and you should be able to lab with the latest version of code on or close to it on the ASAv. I think it's up to 9.6.x or 9.7.x now. If you find a way to get your hands on vFTD, go for version 6.1. Lots more to play with.

I don't know how advanced you are in terms of learning but I'm spending the day compiling some CLI troubleshooting tools and other ways of seeing policies from the CLI. I'm working towards the CCIE security so it's all about cutting down time or getting fun workaround to the GUI for me but take a look if you want to play around: https://drive.google.com/open?id=1w8ymG-HGGcITU1SYJ-KXlaUzXimQu5LGivuTYEjEsZ8
I'm filling out more info today so check in tomorrow on that

docrice · November 2016

Also keep in mind that the old (non-X) ASA series models like the 5510 is very old at this point. That generation of ASAs came out in 2005 as a replacement for the PIX and older VPN concentrator series devices. The newer "X" devices have the SFR chip for Firepower services and is well worth getting a lower end unit for labs, in my opinion.

Cisco also doesn't make any of the new code trains for the older series. With a 5510, you'll be stuck with the 9.1 branch.

ASA5510 - expension cards

Comments