
Simple & fast firewall

XavierRobin
Level 1

Hi there,

I want to connect a Windows 7 machine (A) to a SLES server (B) located in a physically different location. However, I don't want A to be reachable by any other machine.

The only way I can see to do that is to put a hardware firewall in front of A. I saw the ASA 5505 might be able to do that. However according to the specs it can only reach 150 Mbps, and I would like to retain the 1Gbps (or near-1Gbps) connectivity of the network. In addition I only really need 2 ports.

What would you recommend for this setup? Perhaps something other than a firewall could do the job?

Best wishes,

Xavier

6 Replies

sean_evershed
Level 7

Do you only want to protect one device?

If so I'm not sure why you would need to go the expense of buying a firewall for this job.

You could write an ACL and apply it to the interface used by the Windows 7 PC.

The problem is that the computer is provided as-is by the supplier, and I have no way to change anything on it - security must be external. Thanks for the suggestion anyway.

Jouni Forss
VIP Alumni

Hi,

The original ASA5500 series doesn't officially support the throughput you are looking for OTHER THAN the very high-end models starting from the 5550. At least to my understanding.

However, the new ASA5500-X series first model already promises 1Gbps throughput.

Here is a PDF of the specs of the new ASA5500-X series.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

Naturally it would be quite an investment considering it would only serve a single device.

I think they have already released the dates for End of Sale and End of Life for the original ASA5500 series. Though to my understanding the ASA5505 still continues to sell so well that they haven't set an EOS/EOL for it. And I have not gotten any information on whether they are going to make an X-model of the ASA5505, which would make sense.

When you say that the host and server are in different physical location do you mean totally different sites? If so do you actually have a 1Gbps capable connection between these sites?

You also say that no other machine should be able to connect to the host but that it still needs the 1Gbps connectivity. Or do you mean that the host itself will still be connecting to other local hosts on its local network (even though they can't connect to the host) and therefore needs the 1Gbps connectivity?

- Jouni

By different sites I actually mean different buildings on the same site, linked with 1Gbps connectivity. A won't connect to any other machine at all. B is connected to a 10Gbps network, so connections with other hosts (a data storage server + a few ssh / http connections) shouldn't be a major issue.

We need a high throughput to move TB of data quickly. You're right, the ASA 5512-X looks good but a bit expensive; however, it could do the job. Do you think they could release a 5505-X anytime soon? And how difficult is it to set up?

Hi,

Last time I spoke about the new models with Cisco (which was 1-2 weeks ago) they had no information about a replacement model for the ASA5505, so I wouldn't hold my breath. And furthermore we don't know what the performance numbers for that model would be. But I would guess they would probably be lower than the ASA5512-X.

With regards to how difficult they are to set up, I can't really say. My own answer would be kind of biased and wouldn't really be based on any kind of comparison between different manufacturers, as I personally only configure Cisco firewalls.

The ASAs do have the graphical user interface called ASDM, which has some basic setup wizards to get the basic configurations for firewall and VPN functionality. It is naturally also probably the easiest way to configure the firewall for someone who is new to Cisco firewalls. Then again, if you are familiar with Cisco routers and switches, I would imagine the CLI configuration format wouldn't hold any big challenges as long as you got familiar with the NAT configuration format. (Which would be pretty simple in your case, I guess.)

I personally learned the Cisco firewalls the hard way, through the command line interface, and it's still the way I primarily use to configure the firewalls.

Then again, I am pretty sure that if you decide to go with some Cisco firewall you would get configuration help here on the CSC, though in that case I highly suggest that you get familiar with the CLI configuration format, or at least not shy away from inserting the mentioned configurations through the CLI.

I guess Sean's setup would also work and would be the simplest way to do it. Simply build an ACL on the interface the device is connected to, if possible. Naturally, using a separate firewall would provide a lot more visibility and control over the connections to and from the host. But as I said and as you noticed, it kind of feels that the ASA5512-X would contain more than you need for your setup, and in that sense you would be paying for more than you need.

- Jouni

Thanks. I will see if I can have ACLs on the interface; that would probably be the simplest solution if it turns out to be possible.
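What Sean's ACL suggestion (and Jouni's follow-up that it is the simplest option) would look like in Cisco IOS, as an added example that is not part of the thread. It assumes a router or Layer 3 switch interface facing host A, made-up addresses (A = 10.1.1.10, B = 10.2.2.20, interface GigabitEthernet0/1; none of these come from the thread), and that A always initiates TCP sessions to B, which the thread does not state:

```cisco
! Added example, not from the thread. Addresses and interface are assumptions.
! Host A = 10.1.1.10 (Windows 7), host B = 10.2.2.20 (SLES server).

! What A is allowed to send: only TCP sessions to B. Everything else is dropped and logged.
ip access-list extended A-TO-B-ONLY
 remark allow A to open TCP sessions towards B (assumed direction of the data transfer)
 permit tcp host 10.1.1.10 host 10.2.2.20
 deny ip any any log

! What is allowed to reach A: only TCP packets from B that belong to a session
! A already opened (ACK or RST set). A fresh SYN from anyone, including B, is dropped.
ip access-list extended ONLY-B-TO-A
 remark stateless "established" check: matches ACK/RST flags, not a connection table
 permit tcp host 10.2.2.20 host 10.1.1.10 established
 deny ip any any log

! The interface that connects host A (assumed to be a routed interface).
interface GigabitEthernet0/1
 description Routed port facing host A
 ip address 10.1.1.1 255.255.255.0
 ip access-group A-TO-B-ONLY in
 ip access-group ONLY-B-TO-A out
```

Two caveats a practitioner should check before relying on this. First, an IOS ACL is stateless: `established` only tests TCP flags, so it blocks new inbound connections but does not track sessions the way an ASA does, and UDP or ICMP (for example ICMP fragmentation-needed messages, which matter when moving terabytes over paths with differing MTUs) would need explicit `permit` lines. Second, many Catalyst platforms only support port ACLs in the inbound direction on a Layer 2 access port; if A sits on a plain switchport rather than a routed interface or SVI, the outbound half has to be done with a VLAN access map or by putting A in its own VLAN and filtering on the SVI, and `log` on hardware-switched ACLs can punt packets to the CPU, so it should be used only while testing.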
