PIX Assistance

Unanswered Question
Sep 19th, 2007

I am extremely new to Cisco Pix and I've been asked to look into purchasing a possible upgrade to ours. I currently have a 515E which I am going to send to another site once I get the new one. My Pix is primarily used for VPN access to my network. Once I get the new one I'd like to set up a site-to-site VPN for failover. I need assistance on which device to choose. Should I go with another 515E, the 525, or look into the ASA firewalls?

mfreijser Thu, 09/20/2007 - 05:30

I would definitely go for the new ASA firewalls, they are more powerful and have more expansion options than the Pix series. I wouldn't go for the 525 because it just doesn't match the ASA, and the DC power supply is EoL and EoS.

You can replace your existing Pix515E with an ASA5510, more information on the ASA can be found here: http://www.cisco.com/en/US/products/ps6120/index.html

I hope this helps!

Please rate if the post is useful!



cjohnson1279 Thu, 09/20/2007 - 05:35

Thank you for your response. And it does help! Although, here's a question. I am going to send my 515E to another site. If I go with the ASA5510 will I be able to set up a site-to-site VPN for failover?

Thank you again!


mfreijser Thu, 09/20/2007 - 05:46

Of course you can make a site-to-site tunnel between a Pix and an ASA :)

What I don't understand is what you mean by the VPN for 'failover'. Do you want to use the site-to-site VPN tunnel as backup for a Leased Line (or something like that)?

You can find more information about configuring ASAs here:



You can find more information about configuring a Pix here:




cjohnson1279 Thu, 09/20/2007 - 05:51

Yes, backup for a leased line. I apologize, this is all trial by fire stuff here. Thanks for your help!

mfreijser Thu, 09/20/2007 - 05:58

No problem!

A site-to-site VPN would make an excellent failover for a Leased Line. Just keep in mind that you'll need a device, like a router, that keeps track of availability of the main route (Leased Line) to the other office.

Please rate if the posts are useful!



cjohnson1279 Thu, 09/20/2007 - 06:08

We've got a Cisco 2821 on either side of our site-to-site T1 connection. This should suffice, yes?

Also, our backbone is GigE so we are really looking to have all of our devices GigE capable. The ASA5510 comes with the integrated FastE interfaces, is there any GigE expansion capability?

Would the ASA5520 be overkill?

I really appreciate this help.


mfreijser Thu, 09/20/2007 - 06:19

The 2821s are perfect for this! If you want all your devices Gigabit-capable, you'll need the ASA5520. Only the ASA5520, 5540 and 5550 have Gigabit Ethernet interfaces.

The ASA5520 would be a bit overkill, as an ASA5510 already has more performance than a Pix515E. But you have no other choice if you really want the Gigabit interfaces!

You can compare the ASAs on the following website:




cjohnson1279 Thu, 09/20/2007 - 06:22

Thank you! I really appreciate your help! You've answered all of my questions.

Have a great day!


