Many small businesses, as well as organizations with branch offices, rely on broadband routers to act as firewalls to protect their networks. Unfortunately, these devices—especially those provided by the broadband provider—aren’t true firewalls and rely on Port Address Translation (PAT) or Network Address Translation (NAT) to protect connected computers. Although some broadband routers have rudimentary firewalls, they’re often insufficient or they lack the enterprise-class features that branch offices require. For these reasons, I recommend that you look at the range of Adaptive Security Appliances (ASAs) from Cisco, which are the successors to the PIX family, and are excellent firewalls.

The Cisco ASA 5505 is the entry-level product in the family, but it’s packed with enterprise-class features that can be used as organizations grow or their needs change. As in many Cisco products, the ASA 5505’s advanced features need licenses to unlock them for use. A basic-level license supports 10 simultaneous users on the LAN, 10 IPsec VPN connections, and 2 SSL VPN connections. This configuration will cost you less than $400 and is sufficient for most small networks. The ASA 5505 can be purchased with licenses for 50 users, an unlimited number of users, more VPN peers, failover support, Virtual LANs (VLANs), and a true demilitarized zone (DMZ) LAN segment, among other features. You can also purchase upgrade licenses later if you require them. All the ASA 5505’s features and licensing options can make your head spin.

The ASA 5505 comes with two network cables, a console port cable that connects to a serial port on a PC, and a power supply. When you unpack the ASA 5505, the chassis might look familiar and remind you of other Cisco products that are tailored to small businesses. (To keep costs down, Cisco standardized its chassis design.) Figure 1 shows the Cisco ASA 5505. The front of the ASA 5505 has a USB port for future expansion, and the back of the device has a card slot for expansion cards, eight Fast Ethernet (100Mbps) network ports, a console port, and a power connection. Of the network ports, port 0 is configured by default to connect to the Internet, and ports 1 through 7 are configured as LAN ports. Ports 6 and 7 provide Power over Ethernet (PoE). Connect port 0 to your Internet connection, connect your LAN devices to ports 1 through 7, and connect the power to get started.

Figure 1: Cisco ASA 5505

Initial configuration is a breeze. Open your browser and enter https://192.168.1.1/admin to get access to the Cisco Adaptive Security Device Manager (ASDM) and run the ASDM Startup Wizard. Note that you must install Java to run the ASDM. The ASDM Startup Wizard will ask you a few questions and configure your ASA 5505. The simplest configuration is for the ASA to use DHCP to obtain an IP address from your ISP, as well as for the ASA to function as a DHCP server to your internal network and to use PAT.

The one glitch in configuration is that the ASA 5505 might not ship with the latest firewall software installed (version 8.4.1 at press time). You should receive a CD-ROM with your ASA 5505 that contains the latest software. You can upgrade both the firewall and user interface software by using Trivial FTP (TFTP), FTP, or (from an internal website) HTTP. The upgrade process isn’t as simple as it could be; you’ll need to consult the Cisco documentation to perform the upgrade.

By default, the ASA 5505 blocks all unsolicited incoming traffic to your LAN. If you want to configure VPNs (whether SSL VPNs, VPN tunnels for site-to-site connectivity, or VPNs for remote access), you can use wizards in the ASDM to get them up and running quickly. If you need to publish servers on your LAN to the Internet, you can quickly accomplish that task through the ASDM as well, by adding a public server in the firewall configuration section. The ASDM provides configurations for common protocols and services, making the task quite easy. The ASDM can also be used to monitor your ASA 5505 and to troubleshoot problems. The ASDM is a bit clunky in places, and you might need to spend some time with the online Help and with Cisco’s installation guides to configure some of the advanced features.
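As an added illustration (not part of the original review, and not output captured from the ASDM wizards), the simple setup described above plus one published server could look like this on the command line, using the NAT syntax of software version 8.3 and later. The inside addressing, the server address 192.168.1.50, and the names WEB-SRV and OUTSIDE-IN are assumptions.

```cisco
! Added example; addresses and object names are assumed, not taken from the review.
! Port 0 faces the Internet (VLAN 2); ports 1 through 7 stay in the inside VLAN 1.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Outside address and default route come from the ISP via DHCP.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! PAT: hide every inside host behind the outside interface address.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! DHCP server for the LAN.
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd auto_config outside
dhcpd enable inside
!
! ASDM is reachable only from the inside subnet.
http server enable
http 192.168.1.0 255.255.255.0 inside
!
! Publish a single service (HTTPS) on one server, not the whole host.
! The server sits outside the DHCP pool so its address stays fixed.
object network WEB-SRV
 host 192.168.1.50
 nat (inside,outside) static interface service tcp https https
!
! From 8.3 on, the ACL names the server's real (inside) address.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq https
access-group OUTSIDE-IN in interface outside
```

Everything not matched by the single permit line is still dropped on the outside interface, so the published port is the only unsolicited inbound traffic that reaches the LAN.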

The Cisco ASA 5505 is a great firewall with enterprise features that won’t break the bank, especially for small-to-midsized businesses (SMBs). This appliance provides peace of mind and can grow with your company and needs.

Cisco ASA 5505
PROS: A real firewall with enterprise-class features; easy setup and configuration; flexible licensing
CONS: Updating software isn’t easy; confusing array of layered features and licensing; somewhat clunky user interface
RATING: 5 out of 5
PRICE: $370 for 10 users; $525 for 50 users; $620 for unlimited users; additional license options available
RECOMMENDATION: This product is ideal for small offices and home offices, as well as branch offices of midsized organizations.
CONTACT: Cisco Systems • 800-553-6387 • www.cisco.com