Cisco ISA550W Reviewed

JPElectron

Occasional Visitor
The ISA550W looks promising, but I have a few deal-breakers...

- Can you specify a unique DNS server used for each interface (and DHCP pool) that you create, such as LAN1, LAN2, DMZ?

- I saw you tested VPN with what looks like the "Cisco VPN Client"; is that in fact what it comes with, or is that just what you used? The same thing is used with the Enterprise class ASA5505, 5510, and up series.

- Does site blocking (the kind without the subscription/service) allow for * to be defined, meaning, can I block users trying to visit sites by IP address by putting in...
*.*.*.*0 and *.*.*.*1 through *.*.*.*9 (the ZyWALL USG can do this)

Shame this isn't offered without the subscription nonsense, I just want the box. Is there an online emulator for this model somewhere? Have you considered allowing users to peek at the management interface of models you've recently reviewed (would require that you have enough static IPs to give each box its own, and then give out its username/password after request)?
 

david7eagle

New Around Here
No Deal Breakers Here

Here is the link to the online device emulator: http://www.cisco.com/assets/sol/sb/isa500_emulator/index.htm

You can use the device without the subscription. For example, if you buy the device with only 1 year of the security subscription, after 1 year, the device will still function as a router and a firewall as normal. You will still be able to use all of the VPN clients. However, you will not have the built-in IPS and content filtering until you renew the subscription.

About the VPN, yes, the ISA does indeed support not only the Enterprise IPSec VPN client but also the SSL-based Cisco AnyConnect. AnyConnect is the SSL VPN client Cisco is now pushing and is the one found on the ASA5505 and higher series.

Additionally, the ISA comes built in with what would be called the VPN mobility license on the ASA. This means you can run the AnyConnect VPN client from the Cisco AnyConnect App on an iPad/iPhone. Compared to buying an ASA with the mobility license, the ISA is an amazing deal.

Finally, you can specify unique DNS servers for each subnet (aka zone or VLAN). The lag in the user interface is by design; it was implemented in order to conserve power consumption. Doesn't make it any less irritating, but that is the official answer.

Without going into the details, Cisco worked a long time to make sure this product would be good. They also chose a very good OEM vendor, that is different than the others they have been using in the other RV routers.

Feel free to post any other questions.

Full disclosure: I previously worked at a Cisco Small Business Support Center and was involved with pre-release operations on this device. I have nothing to gain from this post and no reason to promote Cisco at this time. The above is my opinion.

 

JPElectron

Occasional Visitor
Interesting

"good OEM vendor, that is different than the others they have been using in the other RV routers"

...that's both incredibly interesting, and reassuring cause I didn't like anything about the RV series - had used quite a few of those and my top gripe is the random DHCP lockup bug is a real downer.

Thanks for your insight, I'm going to get one to evaluate.
 

david7eagle

New Around Here
RV Routers

Agreed. I worked with the RV routers for almost a year. Save for the RV110W, which is produced by Taiwan's Cybertran, all of the other RVxxxW (120, 180, and 220) routers are basically from the same code base, which is rife with unresolved bugs, by TeamF1. This is common knowledge. You can check multiple posts by less than satisfied customers and consultants on the Cisco Small Business Support Forums about TeamF1.

Do not be surprised if those models are discontinued in the near future. TeamF1 is simply failing to deliver.

The ISA was produced by a different OEM that Cisco hasn't used in quite a while (at least in small biz). A lot of time and effort was put into producing it. Please let us know how it works out for you.

 

thiggins

Mr. Easy
Staff member
David - do you have any comments about the RV0XX series?
 

dreid

Regular Contributor
Thank you david7eagle for answering the questions and your insight.

JPElectron:

Three other answers:
1. The ISA550W comes with Cisco VPN Client for remote IPsec and AnyConnect for remote SSL. I used both in my testing.
2. You can create a new DHCP server and pool for each VLAN.
3. Re "site blocking" - The ISA550W firewall does not support wildcards, such as *.
3.a. URL filters are flexible. For example, if you create a rule to filter "yahoo", all sites (www.yahoo.com, mail.yahoo.com, yahoo.net, ....) with yahoo in the URL will be filtered.
3.b. Firewall rules can be set up to filter based on specific IP addresses, ranges of IP addresses, or subnets.
 

david7eagle

New Around Here
RV0XX Routers

The RV042(G), RV082, and RV016 were originally designed under Linksys. Cisco upgraded the hardware and reworked the firmware some after the Linksys purchase.

I found them to be stable and reliable. They are a little feature light today (no 802.1Q) but they work well. Other than a few odd quirks that most users won't run into, they are excellent machines that were top of the line when Linksys released them and probably served as a pattern for other vendors.

On another note, where Cisco Small Business really shines is in their line of Marvell-produced switches. The Sx300 series is on par with the Cisco Catalysts in many respects and I found it to be a favorite of medium sized partners. It was not uncommon to see larger deployments using a Cisco enterprise router with Sx300 switches. The latest FW release added even more features, and the platform is very stable overall.

 

YeOldeStonecat

Very Senior Member
I'm looking forward to getting one of these in and spending some "hands on" time with it.

Years ago, the "RV0 series" had been our standard "go to" edge appliance for our small business clients. Since the first Linksys Small Business series RV042, RV082, and RV016 models rolled off the assembly line, we found them to be quite solid units for our SMB clients. Fast, stable, good firewall features for ACLs, easy and useful PPTP VPN server for us to use to remote in for support, fairly decent "site to site VPN tunnels" via its built-in IPSec (yeah, once every few months it might need a reboot to bring a tunnel back). However I did hate its QuickVPN client with a passion! But for the price point, they worked well and we sold and installed hundreds of them.

However, in recent years, we've changed our standards and we really prefer to have UTM appliances at the edge of our SMB clients. In our opinion, the days of plain old NAT routers at the edge of a business network are no longer adequate. We want extra antivirus and malware protection, those additional layers of protection that complement the desktop/server antivirus have clearly proven themselves to be the direction to go for businesses.

The best product we found for this has been Untangle. However, it's a difficult product to leverage budget-wise for the smaller side of SMBs. Most businesses under 25 can't swing a grand for the edge device..plus annual subscription fees. Or even some smaller hardware that we've used Untangle Lite on, they're around 700 to 800 bucks. 300 to maybe 500 bucks is pretty much the price point for this class of client. Other products in this category, I've not been too crazy about. Fortinet, earlier versions of Sonicwall, not pleased with. Although since the dust has been settling with Dell's takeover of Sonicwall I may test those waters again.

BUT back to this product, seems to hit the sweet spot price wise. Kaspersky antivirus...top notch! Combined with the typical other router features of the RV series..I'm looking forward to it.
 

thiggins

Mr. Easy
Staff member
Glad you are looking into it, StoneCat. Please report back on your findings. Thanks!
 

david7eagle

New Around Here
Deployed a 550

Update: I purchased and deployed an ISA550 for a friend. So far, I am very pleased. As someone who has spent countless hours troubleshooting Quick VPN for scores of customers, it was refreshing to be able to so easily deploy the SSL AnyConnect VPN client. Worked well, with only minimal config. No ActiveX or browser settings to worry about.

The business I am helping will be purchasing an ISA570 soon. The user(s) are looking forward to using the AnyConnect client on iPhones/iPads.

I will update this thread with any relevant info I discover. So far, the ISA5xx series looks like a real winner.
 

bender_dk

New Around Here
NAT after anyconnect broken

I'm having problems with a 550W on firmware 1.1.17.

I have set up firewall and NAT rules and they are working from home.

But when I use the anyconnect from a hotel the NAT rules stop working.

I have to reboot the router before they will work again.

Bug or?
 

latechdude

New Around Here
@Bender_dk Did you open a ticket on this with Cisco? I am encountering the same issue, even with the new firmware that just came out in the last few days.

I do have multiple public IPs, use one IP for management and AnyConnect, and another for an email server. When I use AnyConnect, it breaks NAT as you describe.

I am not happy with the quality of this product so far. I've been installing Sonicwalls for years, and am used to products that work as advertised. I guess you get what you pay for.
 
