I have a potential customer who has two sites. At each site they currently have a Cisco PIX firewall that provides firewall services with NAT, remote access VPN to one site and a L2L VPN between the sites. Also, they have a Cisco 1700 router at each site that handles routing between the two sites over an E1 serial link and routing towards the PIX firewalls. They only have one subnet at each site. They want to move all the services running on the PIX and 1700s at each site to Cisco 891 ISRs which they own already. The link between the sites will become a 10 MB leased line. I am concerned as to whether the 891 ISR is powerful enough for the features required. Also, I would propose to use Zone Based Firewalls on the ISRs, and if this is the case, am I right that, as the ISR is essentially a firewall, I would have to create zones for the uplink interfaces and apply policies?
I wonder whether an ASA at each site would be a more suitable solution.
I vote for ASA on both sites.
What PIX firewalls are these? If these are 515s then you can just upgrade there to 8.0.4 and that should work just fine.
If these are 501s or 506s then they can only run 6.3 code and we have announced EOL for that.
I would lean towards the 891. I've always believed in the fewer number of devices the better, and the ASAs can't terminate serial connections. The 891 can support up to 30 Mb of IPsec traffic, so the 10 MB link should not be a problem. Check the link for more info (around page 50).
What about the question about the zones: would I have to create Zone Pairs for Inside/Outside, Inside/Uplink and Outside/Uplink? (I'm quite new to ZFW.)
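The zone layout asked about above (inside, outside and the inter-site uplink), as an added example that is not part of this thread and not something any of the posters supplied: a minimal IOS Zone-Based Firewall configuration for one site on an ISR. The interface names, the local (192.168.10.0/24) and remote-site (192.168.20.0/24) subnets and all object names are assumptions for illustration; the point it shows is which zone-pairs are actually needed and which are not.

```cisco
! --- Zones: one per security role, not one per interface ---
zone security INSIDE
zone security OUTSIDE
zone security UPLINK

! --- Assumed addressing: local LAN 192.168.10.0/24, remote site 192.168.20.0/24 ---
ip access-list extended SITE-B-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended SITE-B-RETURN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! --- Inside -> Internet: stateful inspection of common protocols ---
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log

! --- Inside <-> Uplink: inspect only traffic between the two site subnets,
!     in both directions, so hosts at either site can open sessions ---
class-map type inspect match-all INSIDE-TO-UPLINK-CLASS
 match access-group name SITE-B-TRAFFIC
 match protocol tcp
class-map type inspect match-all UPLINK-TO-INSIDE-CLASS
 match access-group name SITE-B-RETURN
 match protocol tcp
policy-map type inspect INSIDE-TO-UPLINK-POLICY
 class type inspect INSIDE-TO-UPLINK-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect UPLINK-TO-INSIDE-POLICY
 class type inspect UPLINK-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log

! --- Zone-pairs: only the directions that must carry traffic.
!     No INSIDE<-OUTSIDE pair: unsolicited Internet traffic is dropped by default.
!     No OUTSIDE<->UPLINK pair: nothing should flow Internet <-> leased line directly. ---
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security IN-UP source INSIDE destination UPLINK
 service-policy type inspect INSIDE-TO-UPLINK-POLICY
zone-pair security UP-IN source UPLINK destination INSIDE
 service-policy type inspect UPLINK-TO-INSIDE-POLICY

! --- Interface membership (names assumed; NAT is configured independently of zones) ---
interface GigabitEthernet0
 description Internet
 ip nat outside
 zone-member security OUTSIDE
interface FastEthernet8
 description 100 Mbit leased line to other site
 zone-member security UPLINK
interface Vlan1
 description LAN
 ip nat inside
 zone-member security INSIDE

! --- Verification ---
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

Two behaviours worth knowing before putting this on a router: an interface that is in no zone cannot exchange traffic with any interface that is in a zone, so every routed interface must be placed in a zone once ZBF is enabled; and traffic to or from the router itself (IKE/IPsec for the backup L2L VPN, SSH management, routing protocols) belongs to the built-in "self" zone, which is permitted by default until a zone-pair involving "self" is configured, at which point it must be explicitly allowed.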
FYI - Serial connectivity is not an issue as their Internet terminates on RJ45; also I would use the ASA to replace both the PIX and 1700. Finally, I made a mistake: the uplink is 100 Mbit/s.
The 100MB is replacing the E1. It will be used to connect two sites together. I have a diagram somewhere which I will send.
Note, I have come into this a long way down the line and was not involved in any planning.
Are there any backup circuits, do you run multicast or anything 'odd'? I like the ASA and it fits well until you have some quirky services where a router starts to pay off. If you try and push 100mb, that will be a pretty big box!
There will be no backup circuits, the plan is to use a L2L VPN for backup. There will be no requirement for multicasting.
Either an ASA or a router will work; it will come down to preference and what box fits best. It's very hard for us to give you a definitive product. Are you working with a Cisco partner? I still stand by using a router, but I suggest you work with a Cisco partner to work through all of your requirements and the applications you use to narrow down which will be better.
Thanks for the information, there are obviously advantages and disadvantages of using either ASA appliances or ISR routers. I am just trying to fathom which is best for the customer.
I work for a Cisco partner and contacted the PDI service to try and ascertain whether the 800 series routers the customer already owns would be the best fit solution. Their answer was somewhat ambiguous and stated that an ASA may be the best solution.
Following the PDI reply, I felt it best to enquire on the NetPro forums to see if others had had similar experiences and to evaluate their views.
I am trying to weigh up whether it is more cost effective for the customer to use an ISR router with ZFW or ASAs.
The customer is a small prospect with little resource so I want to install a solution that is cost effective and easy to manage bearing in mind their lack of experience with Cisco products particularly ISR routers. Furthermore I am trying to reduce professional service costs in relation to their migration (That is it would be easier to migrate from a PIX to an ASA than to incorporate ZFW).
I have extensive experience with ASA appliances and know they would provide all the features required by the customer, but do not want to rule out the ISR routers that were already recommended to them by a previous "provider" that failed to complete a solution for them.
Although I have configured ZFW in the past, I simply want to be sure this would be the best solution.