PIX 520 Replacement

Unanswered Question
May 26th, 2008
User Badges:

Hi there,


I have PIX 520 that I want to replace, I assume the new replacement is ASA. My question is which model. I use the PIX simply as a firewall. I do not want to under-engieenr the solution. So I will probably will require min three interfaces inside, outside and DMZ.


Thanks in advance for your help.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
JORGE RODRIGUEZ Mon, 05/26/2008 - 17:05
User Badges:
  • Green, 3000 points or more

Nabeel,


Bellow pdf provides migration guide from PIX 500 series to ASA5500 series.


PIX520 equivalent upgrade to asa is asa5520 but from what you have indicated needing only inside,outside and DMZ you probably are looking at the ASA5510, you still need to conduct thourough assesment and baseline of your currently PIX520 such Ipsec vpns tunnels currentl utilization if any, look at bellow comparison table and total ASA firewall Mbps throughput.


PIX/ASA upgrade path chart

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8053258b.pdf



Lastly you may want to check models performance throughput.

ASA comparison chart

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html


HTH

-Jorge

nyousif Mon, 05/26/2008 - 19:59
User Badges:

Hi Jorge,


Thanks for the info, what is the best way to baseline my connection and firewall uitilazation. again thanks in advance for your help

JORGE RODRIGUEZ Mon, 05/26/2008 - 21:39
User Badges:
  • Green, 3000 points or more

There are number of tools out there, pdm has a built-in monitoring tool tab which you can use to monitor pix cpu usage, xlate , regular connections, Ipsec connections etc.. you could setup graphical monitoring and let it run for a week to sort of get you overall pix utilization baseline.


You could also use PRGT to monitor the physical ports ethernet utilization, example would be the inside interface connecting to a switchport , monitor switchport through PRTG.

http://www.paessler.com/ , prtg is not free but they have demo allowing to monitor two or three physical ports free.



Or if you have an internal snmp server you could also configure snmp to pool pix stats http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml#intro

HTH

Rgds

-Jorge

PLS rate any helpful post if it helped



tj.mitchell Tue, 05/27/2008 - 12:53
User Badges:
  • Bronze, 100 points or more

Don't forget about a failover interface since the ASA uses an Ethernet interface not the serial cable..


TJM


pls rate if post was helpful..

Actions

This Discussion