Well, the time has come to upgrade our PIX 515Es in production. So I have a few design questions.
We also use a 3015 concentrator to handle all of our inbound VPN and site-to-site sessions.
Approx 150 remote users and 20 site-to-site tunnels.
Our main internet link is 70Mbps.
Currently the PIX handles all inbound and outbound traffic, as well as 3 additional web DMZs that host our web front end.
So not a huge implementation.
We have approx 500 in-house clients that are inter-VLAN routed through our 6513E, which is then routed to the inside of the PIX.
So my questions are:
1 - Do I go with a pair of ASA5520s in failover mode?
2 - I like having the VPN sessions on a separate device but it's more admin / cost... Any issues putting it all on the same ASA?
3 - Looking to incorporate an IPS solution in the ASA. I think I can buy an IPS module for it? Is this the best way to go?
My other option would be to consolidate it all in the 6513E chassis using the FW blade.
Are there any limitations going this route?
Is it still the ASA IOS on the blade? Is it a limited feature set?
If I go the blade route, what are my IPS options?
Any help would be appreciated.