Cisco ASA vs Juniper Network SA

  • Hi

    I’m looking for comparison information about the SSL VPN feature between Cisco ASA and Juniper Network SA. Could anyone please advise me?

    Thanks a lot,

  • Don’t want to try to resuscitate the dead, but, after 7 years, could someone shed some light and point out the goods and bads on both sides?

    We have been using Juniper for 6 years now; we have a total of 6 SA2000 appliances.

    Now with the EOL of the SA2000, we have to migrate, either to SA2500 (which will EOL soon), MAG2600, which is compatible with the newest firmwares, or migrate to Cisco, F5 etc…

    Should I stay with Juniper or should I go with Cisco?

    Any advice would be very much appreciated.

  • Hi buddy, thanks a lot for your info. OK, you mean to say everything else is the same in the IDP 10 and IDP 50, right? That ESP profiler, is it supported in IDP 10? Because I have seen in the datasheets of both of them almost everything is there except for some, like I read in the IDP 50 datasheet it has worm-protection, Trojan and spyware protection, protection against attack proliferation from infection systems, reconnaissance protection, VoIP protection, attacker and audit trail reporting. I just want to ask whether these features are also available in IDP 10. Can you tell about it. Since you already know a reseller out there, can you find the price of IDP 10 and IDP 50? Because if the features are the same in IDP 10 and 50 then I will go for IDP 10, because I think it will be cheap. Could you also tell me, if the features are the same and I buy IDP 10, then how long will Juniper support it, I mean by making ios for IDP 10? I know I am asking a lot of questions, buddy. If possible please help me out so I can make the right decision to buy it. See ya and thanks once again.



  • Sure, no problem. The major difference from the IDP-50 to IDP-10 is the bypass. For the IDP-10 you need to buy another unit; it looks like a NS5GT box. So if you deploy the box inline and the box fails, traffic can still be passed. The IDP-50 is built-in. As far as I know everything else is supported, signature and software updates. Man, I wish I had some help for you on buying used equipment. Everything I used is from work; our reseller is Accuvant. Some time back I saw some units on eBay for sale. You also have to get a management server running off either Red Hat Enterprise Linux WS or Sun Unix. Oh and yeah, you need to get an SA 2000. 😉

  • Hi buddy, thanks for the info, and best of luck for your exam. So even I need to get a SA 2000 for practice, right? Do you know from where I could get a used SA 2000 for practice? Hey buddy, can you help me in buying IDP boxes also? Could you please tell me what is the major difference in IDP 10 and the new IDP 50? And if I buy an IDP 10 now then how will it be supported by Juniper for signature updates and new OS of it? Is there a major difference in the features of IDP 10 and 50? Can you please write in to me about it? It will be really helpful to me. Thanks. Waiting for your reply.



  • Hey sebastan_bach, yeah, the base unit starts at $2500.00 plus a min of 25 user Lic at $3,500.00, then the SAM Lic $2,396.00. That’s the rundown. I got a SA700 and it wouldn’t do what I wanted it to do, so I had to upgrade to the SA2000 for a total of $9,367.81. And I’m taking my JNCIA-SSL tomorrow.

  • Hi buddy, can you tell where could I find one? I am ready to buy. Seriously. OK, can you tell me: we cannot virtualise the SA box in this series, right? We can only do that in SA 4000, right? How much does that. Do we have that in the exam and is it deployed? I am new to NetScreen; I have just started with NetScreen firewalls. I have a NS-500 with 25 vsys license in it. Waiting for your reply.

    Can you help me in giving some idp about NetScreen IDP also? It will be really very useful to me. Please help if you can.



  • Engineer

    An SA2000 lists for $2500.  Best bet is to try to get one used.  Even a Neoteris branded box will work just fine and you might get those slightly cheaper.

  • Hi, thanks for the info. You mean to say at a minimum I need to have the SA 2000 box, right, for the exam practice? Do you know how much a SA 2000 with a minimum license of 5 users will cost me? Any idea on that? Thanks once again. Waiting for your reply. See ya.



  • Engineer

    $900 for the core.
    I haven’t played with the scaled down SA700, only the 2000,4000 & 6000s.  The test is based on the CNSA course and doesn’t touch the ANSA course.  I don’t see that the SA700 can do JSAM or WSAM which is on the test.

  • Hi, could someone please tell me what would be the cost of NetScreen 700 series? Can we do the JNCIA paper for SSL with the 700 series SSL box of NetScreen? Thanks in advance.


  • @forcerecon:

    Right, but in my book having a dedicated box doing just SSL-VPN is way better than a box being a firewall/IPS. Other companies have done the same thing as Juniper. SonicWall, F5 Networks etc.

    I take it a step further by setting up dedicated SSL VPN boxes one-armed inside and pass https traffic through to them via an outside IP address translated at the firewall (instead of using one interface in a DMZ and the other internal). None of the places I’ve done this were particularly high utilization environments. I’m curious to know if anyone has experienced performance problems setting a VPN box up this way.

  • Right, but in my book having a dedicated box doing just SSL-VPN is way better than a box being a firewall/IPS. Other companies have done the same thing as Juniper. SonicWall, F5 Networks etc.

  • I have worked with both devices. ASA provides an SSL VPN client that gives you similar functions to Network Connect.
    The SSL VPN portal of the ASA is rather a poor one without many customization capabilities (ASA version 7.1.1).
    You have to remember that ASA is a new product and Juniper SA has been tested successfully with many applications.
    Both devices have similar authentication capabilities. Troubleshooting logs are also similar.

    And the most important thing: ASA is a firewall that can have IPS capabilities. Juniper SA is not a firewall and not an IPS.
    Aner Sagi