Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

PIX 520 Replacement

Hi there,

I have PIX 520 that I want to replace, I assume the new replacement is ASA. My question is which model. I use the PIX simply as a firewall. I do not want to under-engieenr the solution. So I will probably will require min three interfaces inside, outside and DMZ.

Thanks in advance for your help.

5 REPLIES

Re: PIX 520 Replacement

Nabeel,

Bellow pdf provides migration guide from PIX 500 series to ASA5500 series.

PIX520 equivalent upgrade to asa is asa5520 but from what you have indicated needing only inside,outside and DMZ you probably are looking at the ASA5510, you still need to conduct thourough assesment and baseline of your currently PIX520 such Ipsec vpns tunnels currentl utilization if any, look at bellow comparison table and total ASA firewall Mbps throughput.

PIX/ASA upgrade path chart

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8053258b.pdf

Lastly you may want to check models performance throughput.

ASA comparison chart

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

HTH

-Jorge

Community Member

Re: PIX 520 Replacement

Hi Jorge,

Thanks for the info, what is the best way to baseline my connection and firewall uitilazation. again thanks in advance for your help

Re: PIX 520 Replacement

There are number of tools out there, pdm has a built-in monitoring tool tab which you can use to monitor pix cpu usage, xlate , regular connections, Ipsec connections etc.. you could setup graphical monitoring and let it run for a week to sort of get you overall pix utilization baseline.

You could also use PRGT to monitor the physical ports ethernet utilization, example would be the inside interface connecting to a switchport , monitor switchport through PRTG.

http://www.paessler.com/ , prtg is not free but they have demo allowing to monitor two or three physical ports free.

Or if you have an internal snmp server you could also configure snmp to pool pix stats http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml#intro

HTH

Rgds

-Jorge

PLS rate any helpful post if it helped

Community Member

Re: PIX 520 Replacement

Jorge,

Thanks for all your help

Bronze

Re: PIX 520 Replacement

Don't forget about a failover interface since the ASA uses an Ethernet interface not the serial cable..

TJM

pls rate if post was helpful..

321
Views
10
Helpful
5
Replies
CreatePlease to create content