cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1330
Views
0
Helpful
9
Replies

Can ASA5550 act as a WAN edge router?

pgmanno
Level 1
Level 1

Hello,

If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this?  I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.

Thanks,

Paul

2 Accepted Solutions

Accepted Solutions

Reza Sharifi
Hall of Fame
Hall of Fame

Hi Paul,

ASAs only support Ethernet, so, if the provider hand off an Ethernet connection, you are good to go.  No T1, DSL, T3,etc... is supported.  As you noted all you need is the SFP and the MM fiber patch cord.

HTH

Reza

View solution in original post

darren.g
Level 5
Level 5

Paul Manno wrote:

Hello,

If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this?  I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.

Thanks,

Paul

As Reza said, it can, provided your ISP handoff is Ethernet. You will need an appropriate SFP and fibre-optic leads, als as Reza said.

The question of whether or not you *should* remains open, however.

ASA's only support static, OSPF, EIGRP or RIP routing - if you want to use BGP you'll need a proper router - it will work fine if you only have a single public IP and a single static route - if you want to play with multiple uplinks you're in for a world of hurt trying to get your ISP(s) to send you OSPF rather than BGP.

Cheers.

View solution in original post

9 Replies 9

Reza Sharifi
Hall of Fame
Hall of Fame

Hi Paul,

ASAs only support Ethernet, so, if the provider hand off an Ethernet connection, you are good to go.  No T1, DSL, T3,etc... is supported.  As you noted all you need is the SFP and the MM fiber patch cord.

HTH

Reza

darren.g
Level 5
Level 5

Paul Manno wrote:

Hello,

If my ISP brings ethernet into the building via duplex LC multimode fiber can I use the ASA5550 as the first device from the WAN or do I need some type of router for this?  I realize I'll need an SFP to get to duplex LC, but I'm not sure if I need a router, or if the ASA can function as a router for this application.

Thanks,

Paul

As Reza said, it can, provided your ISP handoff is Ethernet. You will need an appropriate SFP and fibre-optic leads, als as Reza said.

The question of whether or not you *should* remains open, however.

ASA's only support static, OSPF, EIGRP or RIP routing - if you want to use BGP you'll need a proper router - it will work fine if you only have a single public IP and a single static route - if you want to play with multiple uplinks you're in for a world of hurt trying to get your ISP(s) to send you OSPF rather than BGP.

Cheers.

Hi Darren and Reza,

Thank you both for your replies.

So, is there another product that I should consider instead of the ASA?  Perhaps an ISR or something similar?  I need, obviously, routing, SSL VPN, and firewall capabilities.  Or, perhaps just adding a router into the mix would be the best option.  I realize there is some added risk in looking for a all-in-one unit instead of distributing responsibility across multiple units, but at the same time I'd like to minimize cost.

Thanks again for your help.

Paul

Hi Paul,

For firewall capabilities and VPN, SSL. etc..ASA is a good choice.  The thing that I would separate is the routing.  Depends on your requirement and the size of the Ethernet pipe being hands off to you, you can get a small 2900 router which comes with 10/100/1000 connections onboard ports.  then connect one port to the provider and one to the firewall.  With the right IOS license, the router is capable of running all routing protocols.

Here is the data sheet for the 2900 series:

http://www.cisco.com/en/US/prod/collateral/routers/ps10537/data_sheet_c78_553896.html

HTH

Paul Manno wrote:

Hi Darren and Reza,

Thank you both for your replies.

So, is there another product that I should consider instead of the ASA?  Perhaps an ISR or something similar?  I need, obviously, routing, SSL VPN, and firewall capabilities.  Or, perhaps just adding a router into the mix would be the best option.  I realize there is some added risk in looking for a all-in-one unit instead of distributing responsibility across multiple units, but at the same time I'd like to minimize cost.

Thanks again for your help.

Paul

You haven't said what kind of routing you need - as long as it's *not* BGP then the ASA will do everything you want with resources to spare, depending on the size of your ethernet pipe (if you're throwing a gigabit ethernet connection into it, you'll run into throughput problems, but for less than about 400 meg you're laughing).

You can do what you want with a router, but again Reza beat me to it (damn time zones! :-0) in saying it depends on how big your pipe is, and what kind of VPN's you want. You can run IPSEC pretty easily on a 2900, but I don't know about SSL/User VPN's (which you CAN do on the ASA) - and, of coruse, the 2900 will run all routing protocols 9with the right software license), but it mgiht struggle if you want to run a full BGP table with multiple peers.

What speed link are you looking at, and what kind of routing do you need? Do you have your own BGP AS and subnet, or will you just be using providor allocated, non portable subnets?

Cheers.

Hi Darren,

I'm looking at 1Gbps fiber.  It will be a provider allocated, non-portable subnet.  Basically, RCN will be dropping fiber to the building and I'll be connecting to that.  They will issue me a block of IP addresses, and I'll configure the ASA, NAT and DNS to provide multiple internal hosts on various public IPs.  I don't know what routing protocol RCN is using (probably BGP), and I am looking into an option of them managing the router for me (since I am not proficient in configuring routers).  I thought that I might be able to leverage the features of the ASA to eliminate the cost of a ISP managed router.  The ISP is offering a 2901.  Oh, and SSL VPN is required since I don't want to have to deal with client deployments.  We'll be having people worldwide connecting to us and SSL-VPN is going to save me a world of headache.

Thanks,

Paul

Paul Manno wrote:

Hi Darren,

I'm looking at 1Gbps fiber.  It will be a provider allocated, non-portable subnet.  Basically, RCN will be dropping fiber to the building and I'll be connecting to that.  They will issue me a block of IP addresses, and I'll configure the ASA, NAT and DNS to provide multiple internal hosts on various public IPs.  I don't know what routing protocol RCN is using (probably BGP), and I am looking into an option of them managing the router for me (since I am not proficient in configuring routers).  I thought that I might be able to leverage the features of the ASA to eliminate the cost of a ISP managed router.  The ISP is offering a 2901.  Oh, and SSL VPN is required since I don't want to have to deal with client deployments.  We'll be having people worldwide connecting to us and SSL-VPN is going to save me a world of headache.

Thanks,

Paul

hi Paul.

The ASA 5550 won't cope with a 1 Gb/s full duplex connection - maximum firewall throughput on that model is 1.2 Gbps - you have to halve that to get full duplex, which leaves you only 600 Mb/s throughput in each direction - clearly not enough for your link speed.

Similarly, the 2901 won't even go *close* to 1 Gb/s throughput - a 2901 is good for only about 167 Mb/s throughput - half of that gives you only about 84 Mb/s full duplex - not even 10% of your link. To get that kind of throughput you'd need to go to an ASR1000 or a 7200 with an NPE Gen2 route engine.

If you're looking at a 1 Gb/s connection with throttled or less bandwidth, your ASA should do it - if your ISP gives you a single IP address at their end of the fibre to route everything to you'll only need static routing - or maybe OSPF if you subnet a bit inside and want to talk to a lot of internal subnets via your inside interface - but if you really need BGP, or if you're going to be pushing that 1 Gb/s throughput (colour me envious if you are!), then the ASA just won't cut it, and you'll need to look into a router - maybe an ASR1001 - I can see they do IPSec, but I don't know about SSL - although if you *really* need SSL VPN, you could put in an appliance behind the router to allow for that.

Cheers.

Darren,

Thanks for the heads up.  I was told by my retailer (CDW), and their support guys that this box would handle the 1Gbps full duplex connection; Clearly it's not the case.  I will, for some periods of time, be utilizing the full 1Gbps link (transporting 4k resolution uncompressed video files from facility to facility) and I made it clear that I need that kind of speed.  Well, guess I'll be on the phone with them in the morning to get some answers and possibly return this unit.

Thanks again for your help.

Paul

Paul Manno wrote:

Darren,

Thanks for the heads up.  I was told by my retailer (CDW), and their support guys that this box would handle the 1Gbps full duplex connection; Clearly it's not the case.  I will, for some periods of time, be utilizing the full 1Gbps link (transporting 4k resolution uncompressed video files from facility to facility) and I made it clear that I need that kind of speed.  Well, guess I'll be on the phone with them in the morning to get some answers and possibly return this unit.

Thanks again for your help.

Paul

Paul.

The specifications for the 5550 show it will handle a total throughput of 1.2 Gb/s - which is probably what they saw and went "Oh,t hat'll do it!". Trouble is, that's *total* throughput - and if you're bringing data in at 1 Gb/s you've only got 200 Mb/s left for outbound data.

The device might still do the job if your traffic is mainly unidirectional, or asymmetric - I.E. more inbound than outbound, or more outbound than inbound - but if you're running in *both* directions at full line rate, you're going to hit bottle necks.

The throughput specifications for the various ASA models can be found here

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd802930c5.html

Good luck getting your money back!

Cheers.

Review Cisco Networking for a $25 gift card