Remote-Access VPNs; ASA 5520 or Cisco 2811?

Unanswered Question
Aug 23rd, 2007


I have been tasked with the implementation of a firewall and remote-access VPN solution.

We have procured a pair of ASA 5520 firewalls with AIP-SSM-20 IPS modules. We have also procured a 2811 router with a VPN module.

Which would be the better solution: to set up the remote-access VPNs on the ASA firewalls, or on the 2811 router? I plan to place the router between the firewalls and the ISP.

It is my understanding that you lose some functionality of the ASA devices when/if you configure them for VPN termination... I also want to utilize the IPS modules to monitor as much traffic as possible.

Thank you.

srue Thu, 08/23/2007 - 09:46

The biggest advantage of terminating VPNs on an IOS router over a PIX/ASA is that the QoS capabilities in IOS are far superior to those of the PIX/ASA. If this is not an issue, I would recommend the ASA. You should be able to monitor decrypted traffic using the IPS modules on the ASA device; maybe someone else can verify this?

Jay Young Fri, 08/24/2007 - 04:54

As srue said, the QoS capabilities are better with IOS; however, please take into consideration that the encrypted packets still have to go over the Internet, where you have no control over QoS. With the 7.x code there are certain QoS features like LLQ and policing, and usually they are enough for most applications.

In regards to using the AIP module: if you use the ASA as the termination point, you will be able to send traffic to the module just fine. If you use IOS, then the AIP module won't be able to look at the VPN tunnel (as it will be encrypted).
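To make the two points in the replies above concrete (decrypted VPN traffic reaching the AIP-SSM, and the LLQ/policing QoS available in 7.x code), here is an added ASA configuration sketch. It is not from the original thread or from either poster; it assumes ASA 7.2-era syntax (8.0 renames `tunnel-group ... type ipsec-ra` to `remote-access`), an interface named `outside`, and the hypothetical names `RA_USERS`, `RA_GP`, `RA_POOL`, `IPS_TRAFFIC`, `OUTSIDE_QOS` and the RFC 1918 pool 10.10.20.0/24. Replace the pre-shared key before use.

```cisco
! --- Remote-access IPsec VPN terminated on the ASA (names/addresses are assumed) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA_TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA_DYN 10 set transform-set RA_TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA_DYN
crypto map OUTSIDE_MAP interface outside

ip local pool RA_POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol IPSec
 ! tunnelall: every client packet crosses the ASA, so every client packet can be inspected
 split-tunnel-policy tunnelall

tunnel-group RA_USERS type ipsec-ra
tunnel-group RA_USERS general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_USERS ipsec-attributes
 pre-shared-key CHANGE-ME

! Default is "sysopt connection permit-vpn", which lets decrypted VPN traffic bypass the
! interface ACL. Disable it if the outside ACL should also apply to remote-access users;
! the IPS service policy below is applied either way.
no sysopt connection permit-vpn

! --- Send traffic (including the decrypted VPN flows) to the AIP-SSM ---
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
policy-map global_policy
 class IPS_CLASS
  ! inline = the module can drop; fail-open keeps forwarding if the module fails.
  ! Use "ips promiscuous fail-close" for monitor-only with a fail-closed posture.
  ips inline fail-open
service-policy global_policy global

! --- 7.x QoS: LLQ for voice inside the tunnel, policing for the rest of the tunnel ---
class-map VPN_VOICE
 match tunnel-group RA_USERS
 match dscp ef
class-map VPN_BULK
 match tunnel-group RA_USERS
 ! per-flow match is required to police traffic selected by tunnel-group
 match flow ip destination-address
policy-map OUTSIDE_QOS
 class VPN_VOICE
  priority
 class VPN_BULK
  ! rate in bps, burst in bytes (values are placeholders)
  police output 2000000 37500
priority-queue outside
service-policy OUTSIDE_QOS interface outside
```

The `ips` action is the point of Jay Young's reply: the service policy sees flows after decryption, so the AIP-SSM inspects remote-access traffic that would be opaque ciphertext to a module sitting behind a router that terminated the tunnel. The QoS section only shapes what the ASA sends; as the reply notes, it cannot influence how the ISP treats the packets once they leave.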

