Cisco’s ASA security appliances combine a number of security features previously handled by separate types of servers:
Not all ASA appliances do all these things – their functionality depends on:
It can get kind of complicated. Small offices use the ASA5505-BUN-K9, with licensing for different numbers of inbound VPN connections. Above that, the ASA5510-BUN-K9, ASA5520-BUN-K9 and ASA5540-BUN-K9 are all similar, and each can have base or enhanced licensing to support more VPN connectivity, as well as to support optional hardware modules.
The two hardware modules available are the ASA-SSM-CSC-10-K9 and ASA-SSM-AIP-10-K9 (or ASA-SSM-AIP-20-K9). The CSC is an email-focused, virus/spam/malware-oriented add-on module that requires an annual license to keep the definition file up to date. The AIP module is an advanced intrusion detection module that requires only a one-time license upgrade. Only one or the other module can be installed – there’s only one expansion slot.
Another option is the SSM-4GE module. An ASA5540 with a 4GE module plus a license upgrade makes up the higher-level ASA5550, but the 5510, 5520, and 5540 can also support it. No additional license is required for its use.
Older models may be preferred. Members of the Cisco CVPN3000 series, such as the CVPN3030-NR-BUN, are still the ‘gold standard’ for large-scale VPN connectivity or virtual VPN networking, while the PIX series of firewalls, such as the PIX-501 or the PIX-515E-R-BUN, still provides excellent traditional firewall protection. Both provide significant cost savings over ASA solutions.