Buying new ASA, Need Advice

imanco671
Level 1

Hello Community,

I am in the market to buy an ASA switch, I am looking at the ASA 5510.

I have 1 fiber ISP line which they have given me two different WAN addresses. Each of these WAN addresses has a range of external IP addresses.

I also have a backup T-1 line which I would like to start using as a backup.

So my current config is as follows:

Single line running into my Cisco PIX. Has 2 NICS on the inside interface. One is for a WAN address of 69.x.x.x.x. and the other is my 172.x.x.x.x WAN address.

The 69.x.x.x.x address is running to a DMZ switch and from there it is being picked up by two Watchguard firewalls which feeds two different internal subnets.

The 172.x.x.x.x address is running to a Sonicwall firewall which feeds an internal subnet.

I would like to wipe out all the Watchguards and Sonicwalls and just have a single Cisco ASA device.

What are your suggestions to use these 2 different WAN addresses and my backup T-1 line?

Thanks in advance.

Accepted Solution

Jon Marshall
Hall of Fame

John

Apologies, tried to answer your last post in previous thread but browser kept hanging.

Firstly the ASAs only support ethernet connectivity as does your Pix so you need to take that into account with your WAN connections.

If you are only buying a single ASA device then it doesn't really matter but in case you wanted to upgrade to 2 firewalls then you should get the Security Plus license. Without it you won't be able to do failover.

You should hopefully know by now that handling multiple subnets on the outside interface is no problem for the ASA. You don't need secondary addressing and you don't have to assign an IP out of the range to an interface to use the range for natting. The ASA will support a backup line but it's important to note that the ASA cannot support multiple default-routes out of different interfaces, although it can support multiple default-routes out of the same interface. Also the ASA does not support PBR which is an often requested feature. PBR allows you to send some traffic over one link and some over another link based on the source IP address of the packets.

Following on from our last discussion the use of additional subnets would be a lot easier for the ASA than it appeared to be for the WatchGuards. However I would still rethink the design at some stage, i.e. it seems unnecessary to have a public subnet between the WatchGuards and the pix especially as it seems to be a purely transit subnet, i.e. there are no devices between the pix and the WatchGuard.

In fact, there seems to be little use for a subnet at all between the 2 unless you deploy servers into it which is the common practice, i.e. if you provide external access to some of your servers you want these servers to be in between your firewalls so that once the server has been accessed there is still a firewall between the server and your LAN. However if the LAN also needs to access the server it can get difficult. That is why you often see this design in enterprise environments, i.e. they can afford additional servers purely for the DMZ.

Anyway just some things to think about and like I said last time not something to be rushed into.

Back to the actual request! You need to make sure that the WatchGuards are not doing anything out of the ordinary, i.e. using special features, because if they are you need to make sure that feature is also on the ASA. The ASA is primarily a stateful firewall with some application inspection. I don't know what application inspection the WatchGuards are capable of but they may have been chosen for that specific purpose.

Finally, attached is a link to the ASA datasheet so you can see throughput/VPN connections etc. supported by each device -

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Jon
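
As an added illustration of the NAT point above (this is not from Jon's post or from Cisco's documentation), here is a pre-8.3 (8.2-style) ASA configuration that puts both public ranges behind a single outside interface with one default route, so only the primary range needs an address on the interface and the second range is used purely for NAT. All addresses are constructed placeholders standing in for the 69.x and 172.x ranges, and the interface names are assumed.

```text
! Added example, 8.2-style NAT syntax; placeholder addresses throughout.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.0.0.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! One default route, out of the outside interface only (ISP next hop).
route outside 0.0.0.0 0.0.0.0 69.0.0.1 1
!
! Outbound PAT per internal subnet, each using an address from a different
! public range. 172.16.0.3 is not configured on any interface; the ISP simply
! routes that block towards the ASA's outside address.
global (outside) 1 69.0.0.3
global (outside) 2 172.16.0.3
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside2) 2 192.168.2.0 255.255.255.0
!
! One-to-one static NAT for a published server taken from the second range,
! with the inbound ACL limited to the single service that must be reachable.
static (inside,outside) 172.16.0.10 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 172.16.0.10 eq 443
access-group outside_in in interface outside
```

Check the result with `show xlate` and `show nat` after generating traffic from each inside subnet; each should translate to the global address of its own pool.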

Thanks Jon!!!!
