Community Member

Firewall / VPN design question

Well, the time has come to upgrade our PIX 515Es in production, so I have a few design questions.

We also use a 3015 concentrator to handle all of our inbound VPN and site-to-site sessions.

Approx. 150 remote users and 20 site-to-site sessions.

Our main internet link is 70Mbps.

Currently the PIX handles all inbound and outbound traffic, as well as 3 additional web DMZs that host our web front end.

So not a huge implementation.

We have approx. 500 in-house clients that are inter-VLAN routed through our 6513E, which is then routed to the inside of the PIX.

So my questions are:

1 - Do I go with a pair of ASA 5520s in failover mode?

2 - I like having the VPN sessions on a separate device, but it's more admin/cost... Any issues putting it all on the same ASA?

3 - Looking to incorporate an IPS solution in the ASA. I think I can buy an IPS module for it? Is this the best way to go?

My other option would be to consolidate it all in the 6513E chassis using the FW blade.

Are there any limitations going this route?

Is it still the ASA IOS on the blade? Is it a limited feature set?

If I go the blade route, what are my IPS options ?

Any help would be appreciated.



Super Bronze

Re: Firewall / VPN design question


1 - Well, you could always have one as the actual firewall and the other one as the VPN device (then of course no failover). This again, though, would leave you without a backup device for the main firewall (or the VPN, for that matter). Though I got the picture this was already the case with the current PIX 515E and VPN concentrator?

2 - We have both kinds of setups: firewall and VPN services together, and both on separate devices. My personal preference is that they are kept separate. This simplifies, to me at least, handling each device, when they don't contain a lot of configurations that are tied to each other.

Then again, we have setups where we have maybe 20 L2L VPNs and tens of SSL VPN client users and the firewall functionality in the same failover ASA pair, and they work just fine.

So far the only problem/lacking thing with the ASAs is the fact that you can't really do PBR, or they aren't VRF aware, which would help a lot in some situations. (I know they aren't meant to be routers.)

Though we do also have VPN modules for the 7600 series that let us use VRFs to our advantage.

3 - I think Cisco just released models of ASAs that will replace the 5510 - 5550 range of current ASAs. They have built-in IPS in every model, I think. I think the models are 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.

Here is a link to the FAQ of the ASA service module for the 6500 series.

It states that VPN configurations aren't available for it, I think. I was under the impression, though, that with future software upgrades it will start supporting VPN also.

I guess the ASA module is going to replace the current FWSM for the 6500 series.
