Solved: It mostly depends on what

Syed Farhan Ali · ‎03-19-2014

Dear Members,

I have received a query from one of our clients and they are insterested in replacing CISCO2911-SEC/K9 with ASA5512-X.

They are not running any voice services on the exisitng router. Please suggest me if this replacement will be possible?

Below is the current configuration of both Router and Firewall.

Router

Line Number	Item Name	Description	Quantity

1.0	CISCO2911-SEC/K9	Cisco 2911 Security Bundle w/SEC license PAK	2
1.1	PWR-2911-AC	Cisco 2911 AC Power Supply	2
1.2	CAB-ACU	AC Power Cord (UK) C13 BS 1363 2.5m	2
1.3	PI-MSE-PRMO-INSRT	Insert Packout - PI-MSE	2
1.4	S29UK9-15204M	Cisco 2901-2921 IOS UNIVERSAL	2
1.5	HWIC-2FE	Two 10/100 routed port HWIC	4
1.6	EHWIC-4ESG	Four port 10/100/1000 Ethernet switch interface card	2
1.7	SL-29-IPB-K9	IP Base License for Cisco 2901-2951	2
1.8	HWIC-BLANK	Blank faceplate for HWIC slot on Cisco ISR	2
1.9	ISR-CCP-EXP	Cisco Config Pro Express on Router Flash	2
1.10	MEM-2900-512MB-DEF	512MB DRAM for Cisco 2901-2921 ISR (Default)	2
1.11	MEM-CF-256MB	256MB Compact Flash for Cisco 1900 2900 3900 ISR	2
1.12	SL-29-SEC-K9	Security License for Cisco 2901-2951	2
1.13	SM-S-BLANK	Removable faceplate for SM slot on Cisco 290039004400 ISR	2

Firewall

Line Number	Item Name	Description	Quantity
Products
5.0	ASA5512-SSD120-K9	NGFW ASA 5512-X w/ SW 6GE Data 1GE Mgmt AC 3DES/AES SSD 120G	2
5.1	ASA-IC-6GE-CU-A	ASA 5512-X/5515-X Interface Card 6-port 10/100/1000 RJ-45	2
5.2	SF-ASA-X-9.1.3-K8	ASA 9.1.3 Software image for ASA 5500-X Series5585-XASA-SM	2
5.3	SF-ASA-CX-9.2-K8	ASA 5500 Series CX Software v9.2.1	2
5.4	ASA5512AWI1Y	ASA 5512-X AVCWSE IPS 1Year	2
5.5	ASA-RAILS	ASA 5512-X -- ASA 5555-X Rail Kit	2
5.6	CAB-ACU	AC Power Cord (UK) C13 BS 1363 2.5m	2
5.7	ASA-VPN-CLNT-K9	Cisco VPN Client Software (Windows Solaris Linux Mac)	2
5.8	ASA5500-ENCR-K9	ASA 5500 Strong Encryption License (3DES/AES)	2
5.9	ASA-ANYCONN-CSD-K9	ASA 5500 AnyConnect Client + Cisco Security Desktop Software	2
5.10	ASA5500X-SSD120INC	ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.)	2
5.11	ASA5512-MB	ASA 5512 IPS Part Number with which PCB Serial is associated	2
6.0	L-ASA5512-SEC-PL=	ASA 5512-X Sec. Plus Lic. w/ HA Sec Ctxt more VLAN + Conns	1

Your immediate response would be highly appreciated.

Regards,

Farhan.

Marvin Rhoads · ‎03-19-2014

It mostly depends on what features they're using on the 2911. There's a fair amount of feature overlap in the basics but there are also dozens of things you can do with an ASA that you can't do with a router (and vice versa).

The ASA is a poor router and the 2911 is not primarily a firewall. If they're doing DMVPN with their 2911, the ASA cannot do that. If they're doing BGP routing that too cannot be done by the ASA.

By the way this is a volunteer community forum, the only currrency exchanged is goodwill and the points we give each other for useful answers. "immediate response" is a service you get from paid support like the Cisco TAC.

View solution in original post

remi-reszka · ‎03-20-2014

Hi Farhan,

Above all the other comments ASA will work perfectly where web and application filtering is required. I implemented some of those boxes and they have this new CX module desgnated for all the web filtering, works like a charm. VPN wise also good of course however not as many VPN technology option as with the router, WAN failing over from the primary ISP to the secondary and backwards also works great, even with the VPN switching between the ISPs. Not sure why you need an extra 6xGE card for ASA, it has already 6xGE ports built in. Also would suggest to buy the web and apps filtering license for 3 years, is much cheaper. You don't really need Sec Plus license unless you will be running multi-context environment, be aware some limitations with that.

If you won't be running any voice services or any VPN and routing protocols on the router that aren't supported on ASA, ASA is the right choice. Be aware that for any dynamic routing or ip sla features on the router you will also need a DATA license which I don;t see on your BOM.

Good luck!

View solution in original post

Marvin Rhoads · ‎03-19-2014

It mostly depends on what features they're using on the 2911. There's a fair amount of feature overlap in the basics but there are also dozens of things you can do with an ASA that you can't do with a router (and vice versa).

The ASA is a poor router and the 2911 is not primarily a firewall. If they're doing DMVPN with their 2911, the ASA cannot do that. If they're doing BGP routing that too cannot be done by the ASA.

By the way this is a volunteer community forum, the only currrency exchanged is goodwill and the points we give each other for useful answers. "immediate response" is a service you get from paid support like the Cisco TAC.

Syed Farhan Ali · ‎03-19-2014

Thanks Marvin. I really appreciate the efforts you have put in towards this service. I am sorry for the request for immediate response since I had to submit a response to our client and wanted to get the answers asap.

Regards,

Farhan.

remi-reszka · ‎03-20-2014

Hi Farhan,

Above all the other comments ASA will work perfectly where web and application filtering is required. I implemented some of those boxes and they have this new CX module desgnated for all the web filtering, works like a charm. VPN wise also good of course however not as many VPN technology option as with the router, WAN failing over from the primary ISP to the secondary and backwards also works great, even with the VPN switching between the ISPs. Not sure why you need an extra 6xGE card for ASA, it has already 6xGE ports built in. Also would suggest to buy the web and apps filtering license for 3 years, is much cheaper. You don't really need Sec Plus license unless you will be running multi-context environment, be aware some limitations with that.

If you won't be running any voice services or any VPN and routing protocols on the router that aren't supported on ASA, ASA is the right choice. Be aware that for any dynamic routing or ip sla features on the router you will also need a DATA license which I don;t see on your BOM.

Good luck!

Karsten Iwen · ‎03-19-2014

The first question you have to ask yourself is if you can transfer all used features of the router to the ASA.

For example if you are having multiple ISPs connected with some fancy routing, or if you are running protocols not supported on the ASA. Also if your VPNs use DMVPN, FlexVPN, VTIs/DVTIs, then you can't migrate that to the ASA as these features are not supported there.

For basic internet-connectivity and security, the ASA-X could be really the better choice then a router.

But instead of using the 5512-X with SecPlus license you should also evaluate to buy the 5515-X which has the same list price as 5512+SecPlus but is a little bit faster.

Syed Farhan Ali · ‎03-19-2014

Thanks Karsten for your feedback. I will get these thoughts transferred to the client and will get back to you if required.

Replace Cisco 2911-SEC/K9 with ASA5512-X