I currently manage an office building that has 42 internal networks and I have a single linux firewall/gateway to the internet. I am looking to replace it possibly with an ASA 5505 firewall, but I thought I should check with those more familiar with the product if this is a good fit for my network. I don't have a need for VPN, but my linux box is capable of that. The biggest need in my firewall is the ability for 1-1 NAT translations by port and by IP address. I also need the ability of the device to handle multiple public IP addresses. Does anyone have any thoughts? Will I need a device with a lot of licenses, or is that just for VPN? Thanks in advance for your help.
To suggest an ASA you would need to tell more about your bandwidth, number of interfaces required, no of concurrent connections, IPS module required? Etc.
This is a quick comparison:
I currently connect to a 10 Meg connection. I would guess the maximum users on the network would be 100 to 150 computers, none of which require a VPN connection. My linux box currently has intrusion detection and prevention, but I had to disable the prevention side of the software since some users were unable to view certain websites. I'm not sure my network requires this service, but it was a cheap upgrade to my linux operating system so I purchased it. Is the linux box (I use Clark Connect) a more robust solution, or is an ASA the better way to go?
I noticed that the base model only came with 10 licenses. Are the licenses only for VPN access or do I need a license for every computer in the internal network so that it can access the internet?
They are for simultaneous VPN connections, not based on inside machine IP addresses (as with the PIX 501/506).
As Farrukh has suggested, for what you are looking for an ASA would fit your requirements, more specifically the 5505.
"I currently connect to a 10 Meg connection. I would guess the maximum users on the network would be 100 to 150 computers, none of which require a VPN connection. My linux box currently has intrusion detection and prevention, but I had to disable the prevention side of the software since some users were unable to view certain websites. I'm not sure my network requires this service, but it was a cheap upgrade to my linux operating system so I purchased it. Is the linux box (I use Clark Connect) a more robust solution, or is an ASA the better way to go?"
Here is my 2c:
Your linux box, I suspect, runs iptables and some customization of Snort as IDS/IPS. Iptables can perform complex NAT with such ease that I don't think ASA can provide this function. Furthermore, when it comes to troubleshooting, tcpdump on Linux is a much better tool than ASA capture utilities.
That being said, support for Linux firewalls like yours is not as great as Cisco TAC support. In other words, if things do not go well with the ASA, you can blame it on Cisco. With your customized linux firewall, you're ultimately responsible for it.
Andrew, maybe I'm misunderstanding what you're saying, but does an ASA 5505 10 user base license not restrict the total number of outgoing 'internet' connections in addition to the number of VPN sessions?
Sorry - you are correct. For some reason when I replied to that particular post I read the table matrix wrong, and confused simultaneous VPNs with concurrent users, my apologies.
For the number of inside users/ip addresses you would need the 5505 - 50 Base License for what you want to achieve.....if you choose the Cisco ASA.
You do NOT need a 50-Base License. Even with a 50-Base license, will it be able to support 100-150 users on your internal network if all of them decide to access the Internet at the same time?
Here is what I would do:
1- Go with the cheapest ASA 5505 and 10 user
2- place the ASA in front of the Linux firewall,
3- Port Address Translation (PAT) or as linux calls it, IP masquerading, everyone to the
5- To the ASA, it will see everything just from a single IP of the Linux firewall,
6- Everything you need to STATIC nat, you can place the servers in front of the Linux firewall but behind the ASA. Think of the network between the Linux firewall and the ASA as the DMZ,
That way you're much more secure and have a two-tier firewall solution with minimum cost. Why pay more when you do not have to?
I would prefer to not use the Linux firewall since I feel it is not as reliable as this cisco firewall appliance. The specs say that you can have 10,000 concurrent connections. I figured that was for computers on the internal network and the 10, 50, or unlimited was for VPN. Can anyone clarify this?
Just to clarify for you
Concurrent Firewall Conns:-
The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.
In routed mode, hosts on the inside (Business and Home VLANs) count towards the limit only when they communicate with the outside (Internet VLAN). Internet hosts are not counted towards the limit. Hosts that initiate traffic between Business and Home are also not counted towards the limit. The interface associated with the default route is considered to be the Internet interface. If there is no default route, hosts on all interfaces are counted toward the limit. In transparent mode, the interface with the lowest number of hosts is counted towards the host limit. See the show local-host command to view the host limits.
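To make the host-counting rules in the post above concrete, and to show why the two-tier layout suggested earlier in the thread (ASA in front, Linux box doing PAT/masquerading behind it, servers in the DMZ between them) stays under a 10-user licence, here is an added simulation. It is not Cisco code or output from an ASA: it only implements the routed-mode and transparent-mode counting rules as quoted, and every address and flow below is a constructed sample. The connection limit (the 10,000 concurrent connections mentioned earlier) is a separate figure and is not modelled here.

```python
"""Simulate the ASA 5505 inside-host count against the 10/50/unlimited
user licence, following the counting rules quoted in the thread.
Added example with constructed sample data; not Cisco code."""
from collections import namedtuple

# One flow as the ASA sees it: ingress interface and source IP,
# egress interface and destination IP.
Conn = namedtuple("Conn", "src_if src_ip dst_if dst_ip")


def counted_hosts(conns, internet_if):
    """Routed mode. Return the set of (interface, ip) pairs that count.

    - An inside host counts only when the other end of the flow is on the
      Internet interface (the interface that holds the default route).
    - Hosts on the Internet interface never count.
    - Flows between two non-Internet interfaces count nobody.
    - With no default route (internet_if is None), hosts on all
      interfaces count.
    """
    hosts = set()
    for c in conns:
        ends = [(c.src_if, c.src_ip), (c.dst_if, c.dst_ip)]
        if internet_if is None:
            hosts.update(ends)
        elif any(iface == internet_if for iface, _ in ends):
            hosts.update(e for e in ends if e[0] != internet_if)
    return hosts


def transparent_mode_count(conns):
    """Transparent mode: the host count is taken from the interface
    with the fewest distinct hosts."""
    per_if = {}
    for c in conns:
        per_if.setdefault(c.src_if, set()).add(c.src_ip)
        per_if.setdefault(c.dst_if, set()).add(c.dst_ip)
    return min(len(s) for s in per_if.values()) if per_if else 0


def within_license(conns, internet_if, limit):
    """True if the routed-mode host count fits the given licence limit."""
    return len(counted_hosts(conns, internet_if)) <= limit


INTERNET = "outside"            # interface holding the default route
WEB = "203.0.113.10"            # constructed Internet address

# Scenario A (flat): the internal networks terminate directly on the ASA.
# Twelve office PCs browse, one PC talks only to another inside PC, and
# one static-NAT'd server is reached from the Internet.
FLAT = (
    [Conn("inside", f"10.{n}.0.5", INTERNET, WEB) for n in range(1, 13)]
    + [Conn("inside", "10.1.0.5", "inside", "10.2.0.9")]       # inside-to-inside: not counted
    + [Conn(INTERNET, "198.51.100.7", "dmz", "10.100.0.20")]   # Internet -> server: server counts
)

# Scenario B (two-tier): the Linux box PATs every internal network to its
# single outside address before the ASA, and the two public servers sit in
# the DMZ between the two firewalls.
TWO_TIER = (
    [Conn("dmz", "192.168.200.2", INTERNET, WEB) for _ in range(12)]  # all PCs look like one host
    + [Conn(INTERNET, "198.51.100.7", "dmz", "192.168.200.10")]
    + [Conn(INTERNET, "198.51.100.8", "dmz", "192.168.200.11")]
)

if __name__ == "__main__":
    for name, conns in (("flat", FLAT), ("two-tier", TWO_TIER)):
        n = len(counted_hosts(conns, INTERNET))
        ok = within_license(conns, INTERNET, 10)
        print(f"{name:9s}: {n} counted hosts, fits 10-user licence: {ok}")
```

With these sample flows the flat layout counts 13 hosts (the twelve browsing PCs plus the DMZ server; the inside-only PC and the Internet clients are not counted) and exceeds a 10-user licence, while the two-tier layout counts 3 (the Linux firewall's outside address plus the two DMZ servers). The point a practitioner should take from it is that the licence is consumed by distinct inside addresses the ASA sees talking to the Internet interface, so what the Linux box collapses behind one address is what keeps the count low.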