
VPN with existing Firewall ASAs

bnidacoc
Level 1

We have a pair of 5520 ASAs in A/S. We have an old Cisco VPN solution which needs to be replaced. Please keep in mind this is NOT a sales opportunity; considering the financial climate, need I say more?

I am currently an advocate of having our existing ASAs perform L2L (non-GRE) and corp laptop RA services in lieu of other solutions which may involve resurrecting EOS PIXes. Considering that the ASAs with IPS modules are rated to 225Mbps (IIRC) and our committed rate with our ISPs adds up to FAR less than that, I think it would not be harmful to combine FW services and L2L/RA services onto the same in-support and redundant hardware.

Please let me know what you think?

1 Reply

Richard Burts
Hall of Fame

Bob

I have implemented ASAs acting as firewalls. And I have implemented ASAs acting as replacements for the old VPN concentrator. And they work well for both purposes.

I have not yet implemented both functions on the same ASA. But my experience so far leads me to believe that the ASA would do reasonably well doing both as you propose. And I would certainly want to use the ASA for both rather than go back to an old PIX.

So for now I would advocate doing both firewall and VPN on the same ASA. (and when conditions improve and a sales opportunity may exist - I would advocate for a separate ASA to do VPN and the pair to do firewall).

HTH

Rick
