12-19-2012 03:23 PM - edited 03-11-2019 05:39 PM
I am helping out a former colleague of mine on a project to migrate a single Checkpoint firewall over to a single ASA 5510, no VPN, just firewall. The Checkpoint firewall has 8 physical interfaces, and the ASA 5510 also supports 8 physical interfaces, so this will be a one-to-one swap. At the moment, I don't have an ASA 5510 to test my theory, so I am going to throw it out here. The Checkpoint firewall is a SPLAT running on a powerful IBM server with 8 dual-core CPUs and 32GB of RAM, and it has 1200 rules with over 120,000 objects, with some crazy NATs, but it works, so we will just leave it at that. There is not that much traffic going across the firewall, so there is no need to put in an ASA 5585.
I used the Cisco conversion tool to do the policy conversion from Checkpoint to Cisco, and I get about 1.5 million lines in the configuration. A lot of it has to do with Checkpoint having no concept of interface security level while the ASA does. I am sure I can optimize it to cut down the number of lines in the configuration; however, that is not my main concern at the moment. The customer's goal is that at the time of cutover from Checkpoint to Cisco ASA, everything will be perfect, meaning that it will work like magic.
My question is: can the ASA 5510 handle 1.5 million lines of configuration? Are there any limitations on this? I know there are limitations with the FWSM, but since I don't have a 5510 to test, I have to ask.
Thank you in advance.
12-19-2012 03:43 PM
Hi,
Can't say I have ever had a firewall setup which would have had anywhere near that many rules/configurations. It would be interesting to see what kind of rules are configured to get such a massive configuration. Is the configuration made up mostly of ACL rules, or why would it be so large?
I guess I could always drop some really massive configuration on an ASA and see how it behaves or if it gives any warning.
By the way, I assume you would be getting the additional expansion card for the ASA5510, as to my understanding it by default has only 4 physical interfaces + 1 management port that can be used for normal purposes also. The expansion card would bring another 4 ports to the ASA5510. (At least I am under the impression that all models from 5510 to 5550 support the expansion module, while the 5550 actually has it by default.)
I guess this would be something to which someone from Cisco could maybe answer. I don't think even the datasheets list any values for what you are looking for.
- Jouni