Cisco ASA 5505 Review

Most people these days are happy to have a Linksys, Netgear or D-Link router attached to their broadband connections. The basic functionality and throughput that they provide are ample for the casual user.

But when you need more out of a device, and are willing to spend the money to get it, the market can become a bit of a minefield. At the time of writing, the 5505 is available for around £350 retail. Those of you who work in the Cisco arena may be able to get them for less.

Personally, I have used a Cisco 831, 1721 and more recently a Cisco ASA 5505 Security Appliance for terminating my cable connection. It is the latter that we will be taking a look at today!

When I first saw the ASA5505 documentation I knew I would be buying it. It offers almost every feature that the higher end models provide, but in a tiny, fanless configuration. Having no moving parts is good on two fronts. Firstly, no moving parts means no noise – and I mean it, the 5505 is silent. Secondly, no moving parts means a high MTBF – Mean Time Between Failures.

Unboxing the 5505 is a bit of a shock to be honest. After working with PIX 520s, 515s and ASA 5510/20/40s you cannot be prepared for how small this device is. Check the picture below with a 50p piece for scale.

ASA5505front.jpg

At the front of the device, we have the usual array of lights, each indicating the port status of the integrated 8 port switch. Yes, I said 8 ports, quite an unusual move but certainly very useful in the Small office environment.

To the left of the device is a solitary USB port, which is as yet unused. I would like to think that it would be used in the future, but Cisco has a habit of including USB ports and not using them. The latest ISR routers being the exception to the rule.

Down each side of the device are vents to keep the device cool. Along the top the Cisco logo is embossed.

The back is the interesting part, boasting 8 switch ports, 2 of which are Power over Ethernet capable. This means you can plug a Wireless Access Point or IP Phone in there and not need a separate PSU. Very useful!

Again, along the back we have 2 USB ports (unused) and the familiar console port. The only let down here is the power supply connector, which is flimsy to say the least.

 

ASA5505USB.jpg

 

Lastly we have the SSC slot. This is a cut down version of the SSM slot used on the bigger ASA models. Cisco are due to release a module for this slot, though they have not released any information regarding this. If the current SSMs are anything to go by, it will either be an IPS module or a Trend Content Security Module. To be perfectly honest, I would much prefer the IPS module due to the amount of trouble we have seen with the CSC.

ASA5505Back.jpg

In terms of size then, the 5505 is not a great deal bigger than a DVD-Writer/DVD-ROM drive.

Power connector aside, the overall build quality of the device is high and certainly feels like it has been built to last.

Ease of Setup and Configuration:

This is a difficult one to be objective about, given that I work with these devices pretty much every day. To me it seems very easy; others may struggle. What I will say on this front is that Cisco have clearly made a very serious effort to improve the ASA’s GUI, ASDM (Adaptive Security Device Manager). People moving straight from PIX 6.x releases will be in for a shock in any case.

The nice thing for a lot of people is the addition of wizards. Basically, there are 5 wizards that can be used to configure the Device within ASDM. Personally I am a CLI person, but the GUI also has a lot of useful features.

Firstly, and the one most users will come across, is the Start-up Wizard. This will take you through the basic steps of setting your device up, addressing it, giving it a hostname etc. This wizard can also be used to modify your config down the line.

The IPSEC VPN Wizard, which we covered in an earlier article http://cisconews.co.uk/2007/07/06/configuring-remote-access-vpn-for-asa-and-pix/, can be used to configure remote access and LAN-to-LAN VPNs. Cisco have made a good job of taking a complex CLI procedure and breaking it down into several GUI driven options. There are options within this wizard for configuring L2TP VPNs for the Windows guys out there. This has the added benefit of not needing to install the Cisco VPN client on the host machine, which may be useful given Cisco’s lack of support for 64-bit Vista.

The SSL VPN Wizard does what it says on the tin also! It takes you through the steps of creating a Web based VPN portal, so that you can log into your network anywhere in the world, without having to install client software! Anybody familiar with the Cisco Concentrator series will have seen this before. Do note that version 8.02 of ASA code and newer improve the SSL VPN functionality!

High Availability and Scalability Wizard. This is an interesting inclusion to the 5505. To be 100% honest, I’m not sure how many people out there are going to be running a HA pair of 5505s but at least the option is available to us ;)

I suppose it would be quite feasible given the performance of the 5505, which is rated at 150Mbps firewall throughput and 100Mbps encrypted throughput. Do be aware that HA is not available on the base licenses. You will need to pay, through the nose I might add, for this functionality.

The last wizard available to us is the Packet Capture Wizard. This can be used to track traffic in and out of interfaces and output either to your terminal or to a pcap file. The really tidy aspect of this is that if you tell the ASA where your Ethereal install is, it will automatically open the capture using this app. Quite a nice touch.

Once the ASA is set up, on-going configuration and management can be as simple or as difficult as you make it. You can just “set and forget” but my thoughts are that anybody spending this money on a device like this may want to fine tune it a little.

You could for example choose to take advantage of the IPS functionality of the device. Granted, it is a limited signature set, much like past Cisco Routers, but it can be useful to you to see what is being stopped at the gateway.

I would also recommend ensuring that your Access Lists are tight, only allowing the minimum required ports through.
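One way to check an exported rule set against this advice, as an added example that is not part of the original review: the script flags active `permit` entries that allow every protocol, a wide destination port span, or any-to-any traffic. The sample rules, the `MAX_PORTS` threshold and the function names are constructed for illustration; only `extended` entries are evaluated, and object-groups and named ports are not resolved.

```python
# Constructed sample in the style of `show running-config access-list` output.
SAMPLE_CONFIG = """\
access-list outside_in remark constructed example rules
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.10 range 1 65535
access-list outside_in extended permit udp any any eq 53
access-list outside_in extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_in extended permit ip any any
access-list outside_in extended deny ip any any log
"""

MAX_PORTS = 16  # assumed threshold: wider destination port spans are flagged
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


def take_addr(tok, i):
    """Consume one address spec; return (is_any, next_index)."""
    if i >= len(tok):
        return False, i
    if tok[i] in ("any", "any4", "any6"):
        return True, i + 1
    # "host A", "object NAME", "object-group NAME" and "A MASK" all use two tokens.
    return False, i + 2


def take_ports(tok, i):
    """Consume an optional port operator; return (number_of_ports, next_index)."""
    if i >= len(tok) or tok[i] not in PORT_OPS:
        return 65535, i                      # no operator: every port matches
    op = tok[i]
    width = 3 if op == "range" else 2
    args = tok[i + 1:i + width]
    if len(args) != width - 1 or not all(a.isdigit() for a in args):
        return 1, i + width                  # named port (e.g. www): assumed narrow
    nums = [int(a) for a in args]
    count = {"eq": 1, "neq": 65534, "lt": nums[0] - 1, "gt": 65535 - nums[0],
             "range": nums[-1] - nums[0] + 1}[op]
    return count, i + width


def audit(config):
    """Return [(line_number, rule_text, [reasons])] for overly broad permit rules."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        # Only "access-list NAME extended permit ..." entries are evaluated.
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
            continue
        # Disabled rules and unresolved protocol/service objects are skipped.
        if "inactive" in tok or tok[4] in ("object", "object-group"):
            continue
        proto = tok[4]
        src_any, i = take_addr(tok, 5)
        if proto in ("tcp", "udp"):
            _, i = take_ports(tok, i)        # optional source-port operator
        dst_any, i = take_addr(tok, i)
        reasons = []
        if proto == "ip":
            reasons.append("all protocols and ports permitted")
        elif proto in ("tcp", "udp"):
            count, i = take_ports(tok, i)
            if count > MAX_PORTS:
                reasons.append(f"{count} destination ports permitted")
        if src_any and dst_any:
            reasons.append("any source to any destination")
        if reasons:
            findings.append((lineno, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for lineno, rule, reasons in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}\n    -> " + "; ".join(reasons))
```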

If you are new to ASAs altogether, I highly recommend reading Cisco’s setup guides for the device. Once you have done this, the Dashboard area of the GUI is a good place to get started. In here you will find graphing of stats such as CPU and Memory resources, Connections per second and bandwidth usage.

If you were to click the “Firewall” tab on this page you would be confronted with connection statistics, dropped packet rate, and attack related information.

Further to the right is information on top usage patterns. This includes IP addresses, ports and the busiest rules from your access list!

The switch ports on the back can be divided up into 3 separate VLANs: inside, outside and a DMZ. Please be aware that with the base license, the DMZ is only able to go out to the internet. You cannot access DMZ devices from the inside and they cannot access you. You need a more expensive license for this functionality.

Appliance performance and reliability:

Reliability of the device has been perfect so far, with no major issues noted by Cisco, or myself. We have several of these devices “in the wild” and have had no reports of problems. Generally, the uptime on my own 5505 is only ever interrupted by me upgrading it, or taking it apart ;)

As for performance, the 5505 sits at the end of a 20mb cable connection. I am able to download at the full rate, which is in the region of 2.4Mbps, without the ASA breaking a sweat. Generally, CPU usage at these rates is around 26%, bearing in mind that the device has a baseline CPU usage of around 10%.

Official performance figures can be found here: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Remember that some figures are dependent upon licensing, but are indicated in the chart.

Conclusion:

I realise we have skipped past the full feature list, but this is available at Cisco.com, no point regurgitating that.

To sum up, the ASA 5505 is a solid, user friendly and powerful device. It could very easily terminate either a broadband connection or business line without breaking a sweat.

The only caution I would issue is to be very careful which license you buy. The base license allows only 10 IPs to connect through the device from the inside. Any connections above this are cut off. If you think this is causing you problems, leave a comment and we will point you in the right direction for isolating this.

Thanks for reading.

 

More pictures of the 5505 are available in our Gallery http://cisconews.co.uk/gallery/

27 Responses to “Cisco ASA 5505 Review”

  1. Andrew Mason says:

    Good review. I too use 5505s and have found them great, especially for the money!

  2. David Carpenter says:

    My company has deployed about 61 of the ASA 5505’s since July 2007, using site to site VPN. So far, we’ve had one unit die just after the 90 day warranty. The unit would power up, but we could not access the CLI from the configured switch port or console port. Also, we have about 5 more 5505’s that will “lock up” on occasion. After power cycling the unit, normal operation is restored.

    I’ve only found one other user who has encountered the same problem, but CISCO support has not been able to provide a reason or source of this problem. Other than those units, the 5505 has been good for the price.

  3. Rich says:

    Hi David,

    Feel free to post more information about the problem you are having, maybe we can relate it to something we have seen.
    If you are running anything from 7.2(2) and older I would disable ESMTP inspect as this can cause the ASA to lock up. This was fixed in one of the 7 train releases but the exact version escapes me.

    Cheers,

  4. Darren Coleman says:

    How does the power supply on this compare to the PIX 501? I had one myself and it was not uncommon for it to get stuck in a reset loop or power cycle if you so much as breathed on it. Never found out whether it was a power supply problem or something specific to the connector on the PIX itself.

    Have just ordered an ASA5505 (base 10-user) to replace it as the company I work for are moving to these as replacements for the outgoing PIX models.

    I wish Cisco would make a gigabit switched version of this unit - it’s not uncommon now for consumer level devices to come with gigabit ethernet as standard, and when I was in the market for a replacement at home I was torn between a Linksys with debatable/non-existent IPSEC VPN support (vital for my job) and not having gigabit for my network at home.

  5. Rich says:

    Hi Darren,

    Every time I see a 501 in a cab I die a little inside :p
    We have two in separate locations, both of which reboot every time you go near them. Absolutely shocking design.

    You will be glad to know that the 5505 does not suffer this problem. The connector isn’t all that bad, but it could be of better quality, there is no doubt. As long as you plug it in and leave it you won’t have any problems. If it is out in the open, on a desk for example, it might suffer for it.

    As for gigabit, I don’t see that happening any time soon. Remember that the routers you are talking about only have to switch data at gigabit speeds. The firewall inspection of the traffic is what causes major overhead. The lowest spec ASA that is capable of this is the 5550, which costs 10s of thousands.

    You could still have gigabit ports and just allow gigabit speeds between hosts on the same VLAN I guess. Will be interesting to see how it all develops!

    Thanks for reading!

  6. Sinu Peter says:

    I have a scenario where the Cisco ASA 5505 sits between a router and a MS SBS 2003 (which is the DNS server & DHCP server) - I need more than 10 users to access internet through the SBS - is that possible? Or will the ASA disconnect more than 10 users?

  7. Rich says:

    If the SBS box is being used as a proxy then surely each connection will come from only 1 IP address, that of the SBS box? So the answer would be no.
    Otherwise you will be limited to 10 separate IP addresses. This is assuming you have the base license. You can upgrade this to 50 or unlimited.

    If you notice any issues do a “sh asp drop” from the CLI of the ASA and it will tell you how many people it has dropped due to this. Using the “packet tracer” command can also help you identify this.

  8. colin says:

    I am using an ASA 5505 with two IPSec tunnels & remote user IPSec VPNs. I am finding that the unit locks up after about 2 days uptime. It remains visible locally so I can do an immediate system reload, but there is no internet access, the tunnels go down & the remote VPN users are unable to connect. After the system reload the unit is fine again until the next time. The license is for unlimited inside users, 10 VPN Peers & 2 SSL VPN Peers, ASA version 8.0(3). The two IPSec tunnels are connected to Sonic Walls at the other sites. Has anyone any idea as to what may be causing the problems, or has anyone experienced anything similar?

    Thanks

  9. Rich says:

    Hi Colin,

    Strange one. I would enable logging at a high level and see what that turns up. If you post the info back here I will see if anything looks out of place.

    How do you get your Public IP address? Is it via DHCP or a statically configured address? Seen the odd bizarre issue when the lease expires, though 2 days is usually way beyond any normal lease time.

    See if shutting down and re-enabling the outside interface brings the Internet back into play also.

    Cheers,

  10. joon says:

    Thanks for the great review. I have a question regarding cisco asa 5505 license upgrades. I currently own the 5505 base model with 10 user license. I was planning to buy the security plus license (ASA5505-SEC-PL=) but how does this work after the purchase? To my understanding, the activation-key is related to your serial number so when you buy this product, does it come with a web site log-in where you can enter your serial and retrieve your activation key?

    Thanks

  11. Rich says:

    Hi Joon,

    Yes, the Cisco licensing site sorts it all out for you. You need the serial number of the device and the PAK code that comes with the license you buy. You then use the “activation-key” command on the ASA to enter the key that Cisco provide. It’s all very straightforward anyway.

    Cheers,

  12. Dave says:

    My company is interested in buying a new firewall. I want to suggest the 5505 unlimited users. I have taken many Cisco classes, including a PIX firewall class. Unfortunately that was 2 or 3 years ago now, and I’m not sure how much I remember. How far does the GUI actually get you?

    Thanks

  13. Rich says:

    The GUI allows you to configure everything, but you still need a base understanding of firewalls, TCP/IP and your own infrastructure. There is a “startup wizard” that will configure the basics for you.

  14. Franck says:

    Hi All,

    I need your experience to clarify the ASA-5505 license restrictions and ASA5505-BUN-K9 upgrade.

    Starting with the basic ASA5505-BUN-K9 device, license display:
    Maximum Physical Interfaces : 8
    VLANs : 3, DMZ Restricted
    Inside Hosts : 10
    Failover : Disabled
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    VPN Peers : 10
    WebVPN Peers : 2
    Dual ISPs : Disabled
    VLAN Trunk Ports : 0
    AnyConnect for Mobile : Disabled
    AnyConnect for Linksys phone : Disabled
    Advanced Endpoint Assessment : Disabled

    The ASA-5505-SEC-PL Cisco description is:
    Cisco ASA 5505 Security Plus license (provides stateless Active/Standby high availability, dual ISP support, DMZ support, VLAN trunking support, and increased session and IPSec VPN peer capacities)

    Will this upgrade change the Inside Hosts number or only the VPN Peers?
    What kind of display feature would I get?
    How to upgrade the Inside Hosts limitation!
    What will happen to the 11th host before upgrade!!!

    Cordially

  15. Franck says:

    Read ASA-5505-SEC-PL upgrade – Sorry

  16. Michael says:

    I am using an ASA 5505 with a DMZ that is used for public Wi-Fi with a DHCP lease time of 4 hours. I am finding that the unit locks up between 3 & 10 days uptime. Once locked up we cannot access the internet. After the system is rebooted the unit is fine again until the next time. The license is Security Plus for unlimited inside users, 20 VLANs, 25 VPN Peers, dual ISPs and 8 Trunk Ports. Has anyone any idea as to what may be causing the problems, or has anyone experienced anything similar?

  17. Rich says:

    I have a Cisco Wireless AP in a DMZ off the 5505 without issue. You will need to do some debugging to find out where things are falling over. Can be worth using the packet-trace and show asp drop commands too!

  18. Olmer says:

    Colin: “I am using an ASA 5505 with two IPSec tunnels & remote user IPSec VPNs. I am finding that the unit locks up after about 2 days uptime. It remains visible locally so I can do an immediate system reload, but there is no internet access, the tunnels go down & the remote VPN users are unable to connect. After the system reload the unit is fine again until the next time. The license is for unlimited inside users, 10 VPN Peers & 2 SSL VPN Peers, ASA version 8.0(3). The two IPSec tunnels are connected to Sonic Walls at the other sites. Has anyone any idea as to what may be causing the problems, or has anyone experienced anything similar?”

    Got the same problem. I have a static public IP. If I reload the unit via ASDM it works for a few minutes and freezes again. But after power off/on it works for a few days. Device is ASA Version 7.2(4). Any ideas?

  19. Michael says:

    I have 4 Cisco APs that are statically set for IPv4 in the DMZ, and the DHCP scope is outside the range of those APs that are in the DMZ. When the device locks up, Inside and DMZ cannot access the internet. You can ping outside devices on the internet from the CLI. Something in the firewall portion is causing this to lock. Any ideas or suggestions?

  20. Rich says:

    Hi Michael,

    The only way to make any sense of what is happening would be to use the packet trace command to debug the issue.

    Say for example host 192.168.1.1 on the inside cannot access 172.16.1.2 on the DMZ:

    MyASA# packet-tracer input inside tcp 192.168.1.1 1025 172.16.1.2 80

    This will give you a list of output telling you where the communication is failing, assuming it isn’t a random bug :)

    Cheers,

  21. aaron says:

    I concur. This device needs a few gigabit switchports. I want my LAN traffic to pass through this but I do not want my speeds to be cut down to 100mb. I would do the 5510 which has two gig ports but the price difference from 5505 to 5510 is overwhelming. Cisco does a great job of forcing you into the position to upgrade.

  22. Mark says:

    The ASA5510 does not have any gigabit ports, but the ASA5520 has 4 gigabit ports. Also, I do believe the limit of 10 IPs was either eliminated or was misinterpreted, as I have a 5505 running in a branch office with at least 50+ IP addresses and no problems… maybe you were referring to the 10 Site-To-Site VPN Tunnel limitation? Or maybe this is a change with the 8.0 code…

  23. Tom says:

    Hi,
    I am intending to buy an ASA5505-BUN-K9, it’s the least expensive one and it is as expensive as the DFL-210 from D-Link, so the choice is obvious for me…
    Some questions arose, though, when reading what Cisco offers in that bundle…

    - I need to access my home network via VPN, in this license, is this possible to do so or do I need to buy some extra VPN license? The literature says there are 2 VPN licenses present in this bundle for “Evaluating and remote control”, what do they mean with that? Are there restrictions to use the VPN in the BUN-K9 license?
    - ISP/IDP is not present in the ASA5505, is it possible to add it later?

    Thanks!
    Tom

  24. Kostas says:

    We have 4 x 5580-40, the hardware is different but the operating system is ok. What we liked is the number of concurrent connections supported in contrast to other firewalls. In my opinion CISCO firewalls will surpass any other firewall soon.

  25. Steffen says:

    Hi Rich,

    Pretty good review of my favourite firewall unit -
    one thing is bugging me though, I thought that the ASA5505’s didn’t have the 10 inside host limit that the 501’s had? Could you share some light on that for me? Also, I’d be grateful if you could share any tips as how to “deal” with the 10 inside hosts limit…

    Thanks!
    Steffen

  26. Dong Dagon says:

    What’s Up! Just wanted to respond. I really enjoyed your post. Keep up the phenomenal effort.

  27. tinnitus relief says:

    Extraordinary blog post bro. This amazing is just a extraordinarily nicely structured article post on the blog, just the critical info I was looking just for. I am truly thankful
