Home Lab Firewall

rob42

Should I get a Firewall for my home LAB? If so, which one?

I've seen a few different ones for sale, but I don't know a thing about them.

The ones I've seen...

PIX 501

PIX 515

ASA 5505

ASA 5506

ASA 5510

ASA 5512

ASA 5520

ASA SSM-10


Any advice is much appreciated .

Thanks.

OctalDump

Don't get a Pix. They are old. The ASA's are more current. The 5505 hasn't had a code update in awhile, so could be considered end of life (not officially, just practically). The 5506-x runs Firepower, which is the cool new stuff.

The 5510 is a bigger 5505, and the 5512-x is a newer 5510 (or bigger 5506-x).

Probably the 5506-x is what you want, but that depends on pricing. If you can get a 5512 cheaper, then that might be a better option. The 5505 is probably good enough for now.

The SSM is a module, so probably not what you'd want to start, but worthwhile if you find a 5510 with the SSM (a 5512-x is better, though).

clarson

well depends on what you need the firewall for.

if it is for studying for the ccna:security exam, then a 5505 is good enough. What you need is newer asa/asdm software. I think you need at least asa 9.1x and asdm 7.3. These are pretty much the last version for the asa 5510/5520/etc. So, if you find a cheap one you could use it. Cisco has continued updating the asa5505 software.

But, they have discontinued doing so for the other models in that generation of the asa. And,cisco now supporting the 5506/etc. So, while the asa5505 is much cheaper and still good enough for the ccna:security exam. You might need a 5506 for the next version for the ccna:security exam and on to the future. So, get an asa5505 and get your cert before it requires way more expensive hardware.

rob42

Thanks guys.

Planned usage (good point): I see that ICND1 Exam (Topic 1.3) includes a Firewall section and I'm thinking "hummm, maybe I need some hands-on...". Thinking ahead, I'd like to specialise in Security, so (maybe) practical experience would be of benefit there also.

I can get a 5505 at a very reasonable price (around £50.00), but the others range from £250 - £1500 and as such would be more of a stretch for me to afford.

One last thing, if you don't mind too much. RE: 5505's.

Some are described as "Cisco ASA 5505 V05. 50 Inside Host - 128MB Flash - 256 RAM" and others are simply "Cisco ASA 5505". Is it that theses are in fact the same and that some sellers are being more/less descriptive, or would these be in fact different models?

Again, thanks for your input and time.

---

To add...

For others following this thread, I've just seen this link [http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733510.html] which describes the "BUN" suffix that I've seen on some of the listings.

clarson

Well, it depends on how much effort the seller put into it. Basically the hardware is the same. But the licensing is probably different.

Some resellers don't even know how to or can't (be sure to get the power brick) power on an 5505. In which case all they know is what is written on the case.

Then there are the resellers who actually power on the 5505 and can tell you a little about the licensing. Such as your example, the 50 inside hosts with 128mb flash and 256 ram. But, even though the information is right there, they don't tell you what the license is or what the version of the software is. Maybe they just copied another ad, maybe they don't know what to look for, maybe they just don't want to tell you.

Anyway, there are two basic licenses, ip base and security plus. The security plus is better. But, people that know the difference, know that the security plus license is better and will charge more for it. But, the ip base license is just fine for home use.

as mentioned, you will need version 9.1 or better of the asa software. I believe starting with version 8.6, the 5505 required 512mb of ram. So, a 5505 with 256mb of ram is going to need a ram and software upgrade. The hardware isn't hard to upgrade. Need a stick of ddr pc3200 (non-ecc) ram. either 512mb or 1gb (only sizes that will work). 3 screws and a couple of clips hold the case together. And, upgrading the software is easy too. But, you need the software to do it.

rob42

All the information here is of immense help to me. Thank you.

OctalDump

One other thing is that you don't need an ASA for the CCNA Routing and Switching exams. It's very good to have one for the CCNA Security exam, though.

The 5505 has up to version 9.2 of ASA and 7.4 of ASDM. The 5506-x (5512 etc), up to 9.7 and 7.7. ASA 8.3 is the momentous change, and requires 512MB in the 5505.

rob42

Thanks OD.

I'm going to resist the temptation of getting one until I need one as I think that the money could be better spent elsewhere.

The information that both you and clarson have provided here is outstanding and will be added to my (ever growing) KeepNote system. I'm sure that the day will come when I'll need to look back at the notes I've made and will once again be very grateful to you both.

Best regards.

Uriah7

Rob42, how is your studying coming along?

rob42

Thank you for asking.

I have to say, I'm fining it hard going {holding down a full time job and doing everything else one has to do in order to 'live', as well as finding time to study}, but I'm getting there.

Right now, I'm working through the ICND1 Exam Topics to make sure that I'm on track, knowledge wise, using Todd Lammle's Free Study Guide. So far, so good. I only d/loaded yesterday and I've just finished chapter 2. There were a couple of 'fundamentals' I needed to refresh on, but nothing major so far.

Like I say, it's tough going, but then I never expected it to be easy.

I don't know if I'll ever find myself in a position of employment in this field (I feel I'm a little too old now), but you never know.

Well done to you: Full CCNA . You must be very proud!

Cheers for the inquiry and my best regards to you.