Cisco ASA 5500 seris for DMZ

[SagaLore]

I'm in the process of setting up a DMZ. We already have a PIX Firewall, but I would prefer to use an additional piece of equipment and run it parallel to the main PIX (will connect to the 2nd interface on the Internet router). That way changes I'm doing to the DMZ won't affect our internal Internet and incoming VPN connections.

The DMZ will have about 3 servers in it to start, probably never growing past 8. I was looking for a solution that included other functionality besides NAT and blocking ports, such as an IPS and an easy GUI interface for setting up or changing servers.

Does anybody here have experience with Cisco's new ASA product? Any recommendations or warnings?


Antisource - antivirus, antispam, antispyware

http://www.antisource.com

 

[NetworkGhost]

Cisco ASA is the next gen. I think it would be a good buy. Although for 8 servers only, I would have to question the cost vs benefits. If you have a Pix and need to make changes to your DMZ you shouldnt have an effect on internal traffic. The Pix definitly does more than nat and block ports. I havent figured out how to get it to do my laundry but then again thats what the wife is for.

Warnings for the ASA:

Cisco is an established company but code bugs are always an issue, be prepared to deal with them. With that, it could translate into down time and other problems esecially if you are entering new territory as far as configuration settings and such.

 

[SagaLore]

Do you have *experience* with the ASA?

Antisource - antivirus, antispam, antispyware

http://www.antisource.com

 

[NetworkGhost]

No I have to say I have no hands on experience with the ASA. From books and articles it looks good. But for 8 DMZ servers I think its overkill.