Possible to replace a PIX 506e with ASA?

Jun 17th, 2008

My company has three PIX 506e which do a site-to-site VPN. It works great. We are looking at replacing one of the PIX, due to a bad fan. Whereas PIX is EOL soon, we are looking at the ASA 5500 series. Which one will work with our current setup?

Some more details:

PIX Version: 6.3(4)

PDM Version: 3.0(3)

Total memory: 32MB

Total flash: 8MB

Licensed features: 3DES-AES

Unlimited inside hosts

Unlimited IKE peers

Max physical interfaces: 2

Max interfaces: 2

I can respond with more information if needed. Thanks for any responses.

Jon Marshall Tue, 06/17/2008 - 11:16

Willie

Yes you could replace the 506 with an ASA device. Have a look at the ASA model comparison sheet - an ASA 5505 would do for you but you may want to consider a higher spec device.

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

One thing to be aware of is that the ASA devices do not support v6.x, they only support v7 or v8 so the configuration will be somewhat different. There are a lot of good configuration docs on Cisco website though.

Jon

willie.gillespie Tue, 06/17/2008 - 11:55

Thank you for your response, Jon.

What is the best way to upgrade our current PIX devices to v7 or v8? We don't have a current support plan through Cisco or a vendor, but I imagine that we would need to purchase one to do that.

Would that be recommended? Or would we be paying just as much to get the service plan as buying new devices?

JORGE RODRIGUEZ Wed, 06/18/2008 - 13:34

Willie,

You still have time to plan migration to ASA, best bet is to run all these questions through a Cisco partner sales rep to provide you with all the options there are for support plans.

For reference, to obtain software support, for example, you do need smartnet services; not only do you get software updates but also TAC support and/or unit replacement in the event of hardware failure.

Go to partner locator page to locate partner

http://www.cisco.com/web/partners/index.html

You can go through the list of PIX models for EOL/EOS dates, sort of gives you an idea of deadlines to better plan your migration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notices_list.html

EoS/EOL for the PIX 506E

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4336/prod_eol_notice0900aecd80731dfa.html

Rgds

-Jorge

Jon Marshall Wed, 06/18/2008 - 14:49

Willie

One other point. Pix 506E devices cannot be upgraded to v7.x or v8.x. The minimum Pix firewall that can be upgraded is Pix 515E so if you want to go to v7.x you will need to replace your 506E's.

As Jorge mentioned you could look to trade in.

Jon

willie.gillespie Wed, 06/18/2008 - 13:55

Thank you both for your replies. Do either of you know how I mark a conversation resolved?

Farrukh Haroon Wed, 06/18/2008 - 18:47

This is the direct link to the PIX >> ASA trade-in, but I hope it is valid in your case (if the PIX is functional):

http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/net_promotional_program0900aecd80346456.html

Once you decide to upgrade, keep this link handy (even though it might not be that useful for a PIX 506):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808554ed.shtml

Regards

Farrukh
