Replace PIX506e with SA540 a good idea?

Unanswered Question
Mar 16th, 2010

We are currently using 2 PIX 506e to link 2 locations on the same domain using a VPN tunnel, and approx 20 VPN clients, max 5 concurrently. I was looking to use 2 SA540 instead to get away from the CLI on the PIX and having to get Cisco support for configuration changes. Is there anywhere to try out the GUI on the 540? Is the SSL VPN a good substitute for the VPN Client? Does the support included with the 540 include configuration support? Will a remote VPN client be able to browse across the domain to both locations? (they can't now)

Brian Bergin Mon, 03/22/2010 - 15:23

First, I doubt you need a SA540 based on your configuration. A SA520 is more than enough for your needs. That being said, SSL VPN is not a clean substitute if you're already using the Cisco VPN Client. The Cisco VPN client is much more capable, much more reliable (doesn't rely on a browser for stability), and doesn't cost you anything (doesn't cost either if you buy a 540, it's included). IMHO, Cisco has decided to nickel and dime small businesses like they have with large companies and are charging extra for SSL connections past 2 (I think $150 is the quoted price for 25 users on the 520). QuickVPN is a possibility, however, many have found it to be less than reliable (based on the last version, we've not had a lot of time to test the new version released in Feb 2010) and often problematic as it requires that the user be an administrator (something not required of any other VPN client I know of). Cisco's answer to that has been to buy 3rd party VPN software, but my question to Cisco is if a 3rd party can write a real VPN client why can't Cisco?

As for your ASA VPN, you should be able to connect to one ASA and see the other side if your ACLs are set up properly. Talk to TAC about it.

As for paying Cisco for support, you still only get a 90 day warranty with the SA series so you still have to pay Cisco for support if you want a warranty.

Also, if you have SmartNet there is the PIX Device Manager (PDM) that you can install to give you a web GUI to configure the PIX from if you want to get away from the CLI, but I can tell you from many years of experience that no GUI can do what the CLI can do, often in 1/4 the time!

Me personally, I'd either continue to use the 506e's until you outgrow them, which with what you describe will be some time from now; go to ASA 5505's (similar in cost to the 540's), which offer SSL VPN if you're willing to pay for it as well as the latest "PIX" OS that you can't get on the 506e (if memory serves, the 506e doesn't have the NVRAM to load v7 or v8, so you're stuck on 6.35, right?); or consider Cisco RV082's, which are less expensive than either of the 2 alternatives, offer dual WAN like the SA500 series, can easily handle the VPN load, and come with a 3 year warranty out of the box (though you still won't be able to route to the other side of the VPN when connected to one side).

Brian Bergin Mon, 03/22/2010 - 15:28

Actually, I was reading your post again and really hadn't thought my reply through, which I'm not sure why, because we don't use Cisco's SSL or QVPN tools on their small biz lines; we use Windows Servers to do VPN at many locations. May I recommend, if you have a unified domain, why not consider using one of your domain controllers to do RRAS and have your remote clients VPN to the Windows servers? Then you'll be able to see everything you want as they'll have an IP on the LAN. You'd also get away from the CLI on the 506e's, relieve the 506e's of the VPN stress and transfer that to the servers, which even if they're very old can handle dozens of 128-bit PPTP clients at a time. At that point your 506e's become simple routers and that's about it, and the PDM would allow you to do all the config you wanted, and when they died you could replace them with any other Cisco device you wanted without having to consider migrating the configuration.

jetta1.8t Tue, 03/23/2010 - 13:12

Thank you for your well considered replies to my post. I have decided, as you recommended, to stay with the PIX 506e's until we outgrow them. The Cisco VPN client is stable, more so it appears, than the SSL client or Easy VPN. The PIX 506e is also very stable for the VPN tunnel. For support I have SmartNet to help me through the CLI. So we will stay with the 506e until moving up to the ASA 5505 or equivalent at that time.
