10-13-2011 11:15 AM - edited 03-11-2019 02:37 PM
Hi experts,
I need your advice badly on this... One of our clients is trying to pick an ASA as a gateway to Internet. The ISP Internet Pipe will be 100mbps. The ASA will also handle max 100 remote access IPSec VPN sessions. It will do fair amount of NAT/PAT, filtering, ...etc. My questions are:
1. The datasheet says that 5510 can handle 300mbps throughput. Is it just for one direction so the bi-direction throughput will be just 150mbps? Is the 170mbps VPN traffic throughput included in the 300mbps total throughput or it is addition?
2. How real is this "300mbps" throughput? In reality how much can it reach? Will 5510 be enough for our usage?
3. Regarding to the redundancy/failover, does all the 5500 series (except 5505) models do the same? For example, in order to achieve active/active, do I have to have two security contexts running no matter what model I use (even 5580) or the higher models actually can do active/active easily?
4. Please list the features that the higher models support but not by the 5510 (except just the performance difference)... I'm trying to save their cost but I don't want to miss anything which will cause them to upgrade in the future.
Thanks!
Difan
10-13-2011 12:37 PM
It is a total of 300Mbps; so it could be 200/100, 150/150, 100/200, 1/299, etc. If they really think they will be using the full pipe in both directions, they could bump up to the 5520. That 300Mbps also says "up to" and that is the key there. In the best of conditions, it can reach that.
The firewall won't handle 300Mbps of firewall and 170Mbps of VPN for a total of 470. It also says "up to" 170Mbps. This should help you out:
http://www.hacom.net/kb/ipsec-performance-cisco-asa-5510-measured-iperf
You can see what the test results were for the 5510 and the 5520. That is not to say that Cisco is wrong when claiming "up to" 170Mbps, just that depending on the test, it may or may not get that high.
Also, keep in mind that traffic is usually more biased in one direction than both. So if someone has a 100Mbps pipe, one direction will be used more heavily than the other.
As for the failover, it depends on the license you buy. The Security Plus on the 5510 unlocks it so you have Active/Active. You will need two firewalls and identical at that; model, interfaces, software, license, etc. Context wise, that is up to you if you want to use them.
The feature set is pretty much the same across the models.
10-13-2011 01:22 PM
Thank you Lance!
I just thought of something I need you to confirm:
Multiple security contexts won't work with remote access VPNs, correct? So I can't use Active/Active failover no matter what model I choose, correct?
If yes then I can't expect two ASA to share the load. Any one has to be good enough to handle the entire load.
Am I right??
thanks!
10-13-2011 01:38 PM
The use of multiple contexts and VPN will not work, as one issue would be how to split the licensing up across them. If the license allows 200 and you have 10 contexts, you can't get 200 for every one of them, and 20 may not work either. So, VPN doesn't work with multiple contexts.
Failover is separate from contexts though, there are limitations depending on what you want to do. Even the 5505 supports failover (albeit active/standby) but it doesn't support contexts at all. Active/Active does require the use of multiple contexts, so if you wanted VPN, then Active/Standby would need to be used in single context mode at that.
From what you have described, there is no reason to use multiple contexts. Single mode would work just fine and allow you to have Active/Standby with VPN. If you need multiple contexts, the question is what are you trying to accomplish?
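As an added illustration of the single-context Active/Standby layout Lance recommends (this is not configuration from the thread; the interface names, addresses and the shared key are placeholders, and the `!` lines are annotations), here is the shape of the primary unit's failover configuration:

```cisco
! Assumed ASA 5510 pair with the Security Plus license (the base 5510
! license has no failover). Single context mode keeps remote-access
! IPsec VPN available, which multiple-context mode does not support.
mode single
!
! Each data interface gets an active IP plus a standby IP. On failover the
! standby unit takes over the active address, so clients and the ISP peer
! keep the same next hop.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Dedicated failover link, also used as the state link so existing
! connections survive a switchover (stateful failover).
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
! Enable failover last, once the link and addresses are defined.
failover
!
! The secondary unit only needs the lines below; the rest of the
! configuration is replicated from the primary over the failover link:
!   failover lan unit secondary
!   failover lan interface FOLINK Ethernet0/3
!   failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover key <shared-secret-placeholder>
!   failover
!
! Verification: "show mode" should report single context mode, and
! "show failover" should show this unit Active, the mate Standby Ready,
! and the stateful failover link up.
```

Both units must match in model, interfaces, software and license, exactly as Lance notes above; a mismatch is the most common reason the pair never reaches Standby Ready.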
10-13-2011 04:29 PM
Thank you Lance! You made a very clear explanation. I was thinking about using multiple contexts because I wanted both ASAs to share the load so they can better support the 100mbps pipe.
I will probably recommend a 5520 in this case unless they don't have budget for it. I will use Active/Standby to achieve redundancy.
Thank you for the help!