03-19-2014 05:56 AM - edited 03-11-2019 08:58 PM
Dear Members,
I have received a query from one of our clients and they are interested in replacing CISCO2911-SEC/K9 with ASA5512-X.
They are not running any voice services on the existing router. Please suggest whether this replacement will be possible.
Below is the current configuration of both Router and Firewall.
Router
Line Number | Item Name | Description | Quantity |
1.0 | CISCO2911-SEC/K9 | Cisco 2911 Security Bundle w/SEC license PAK | 2 |
1.1 | PWR-2911-AC | Cisco 2911 AC Power Supply | 2 |
1.2 | CAB-ACU | AC Power Cord (UK) C13 BS 1363 2.5m | 2 |
1.3 | PI-MSE-PRMO-INSRT | Insert Packout - PI-MSE | 2 |
1.4 | S29UK9-15204M | Cisco 2901-2921 IOS UNIVERSAL | 2 |
1.5 | HWIC-2FE | Two 10/100 routed port HWIC | 4 |
1.6 | EHWIC-4ESG | Four port 10/100/1000 Ethernet switch interface card | 2 |
1.7 | SL-29-IPB-K9 | IP Base License for Cisco 2901-2951 | 2 |
1.8 | HWIC-BLANK | Blank faceplate for HWIC slot on Cisco ISR | 2 |
1.9 | ISR-CCP-EXP | Cisco Config Pro Express on Router Flash | 2 |
1.10 | MEM-2900-512MB-DEF | 512MB DRAM for Cisco 2901-2921 ISR (Default) | 2 |
1.11 | MEM-CF-256MB | 256MB Compact Flash for Cisco 1900 2900 3900 ISR | 2 |
1.12 | SL-29-SEC-K9 | Security License for Cisco 2901-2951 | 2 |
1.13 | SM-S-BLANK | Removable faceplate for SM slot on Cisco 2900, 3900, 4400 ISR | 2 |
Firewall
Line Number | Item Name | Description | Quantity |
Products | |||
5.0 | ASA5512-SSD120-K9 | NGFW ASA 5512-X w/ SW 6GE Data 1GE Mgmt AC 3DES/AES SSD 120G | 2 |
5.1 | ASA-IC-6GE-CU-A | ASA 5512-X/5515-X Interface Card 6-port 10/100/1000 RJ-45 | 2 |
5.2 | SF-ASA-X-9.1.3-K8 | ASA 9.1.3 Software image for ASA 5500-X Series, 5585-X, ASA-SM | 2 |
5.3 | SF-ASA-CX-9.2-K8 | ASA 5500 Series CX Software v9.2.1 | 2 |
5.4 | ASA5512AWI1Y | ASA 5512-X AVCWSE IPS 1Year | 2 |
5.5 | ASA-RAILS | ASA 5512-X -- ASA 5555-X Rail Kit | 2 |
5.6 | CAB-ACU | AC Power Cord (UK) C13 BS 1363 2.5m | 2 |
5.7 | ASA-VPN-CLNT-K9 | Cisco VPN Client Software (Windows Solaris Linux Mac) | 2 |
5.8 | ASA5500-ENCR-K9 | ASA 5500 Strong Encryption License (3DES/AES) | 2 |
5.9 | ASA-ANYCONN-CSD-K9 | ASA 5500 AnyConnect Client + Cisco Security Desktop Software | 2 |
5.10 | ASA5500X-SSD120INC | ASA 5512-X through 5555-X 120GB MLC SED SSD (Incl.) | 2 |
5.11 | ASA5512-MB | ASA 5512 IPS Part Number with which PCB Serial is associated | 2 |
6.0 | L-ASA5512-SEC-PL= | ASA 5512-X Sec. Plus Lic. w/ HA Sec Ctxt more VLAN + Conns | 1 |
Your immediate response would be highly appreciated.
Regards,
Farhan.
03-19-2014 06:25 AM
It mostly depends on what features they're using on the 2911. There's a fair amount of feature overlap in the basics but there are also dozens of things you can do with an ASA that you can't do with a router (and vice versa).
The ASA is a poor router and the 2911 is not primarily a firewall. If they're doing DMVPN with their 2911, the ASA cannot do that. If they're doing BGP routing that too cannot be done by the ASA.
By the way this is a volunteer community forum, the only currency exchanged is goodwill and the points we give each other for useful answers. "immediate response" is a service you get from paid support like the Cisco TAC.
03-19-2014 10:34 PM
Thanks Marvin. I really appreciate the efforts you have put in towards this service. I am sorry for the request for immediate response since I had to submit a response to our client and wanted to get the answers asap.
Regards,
Farhan.
03-20-2014 07:39 AM
Hi Farhan,
Above all the other comments ASA will work perfectly where web and application filtering is required. I implemented some of those boxes and they have this new CX module designated for all the web filtering, works like a charm. VPN wise also good of course however not as many VPN technology options as with the router, WAN failing over from the primary ISP to the secondary and backwards also works great, even with the VPN switching between the ISPs. Not sure why you need an extra 6xGE card for ASA, it has already 6xGE ports built in. Also would suggest to buy the web and apps filtering license for 3 years, is much cheaper. You don't really need Sec Plus license unless you will be running multi-context environment, be aware of some limitations with that.
If you won't be running any voice services or any VPN and routing protocols on the router that aren't supported on ASA, ASA is the right choice. Be aware that for any dynamic routing or ip sla features on the router you will also need a DATA license which I don't see on your BOM.
Good luck!
03-19-2014 06:32 AM
The first question you have to ask yourself is if you can transfer all used features of the router to the ASA.
For example if you are having multiple ISPs connected with some fancy routing, or if you are running protocols not supported on the ASA. Also if your VPNs use DMVPN, FlexVPN, VTIs/DVTIs, then you can't migrate that to the ASA as these features are not supported there.
For basic internet-connectivity and security, the ASA-X could be really the better choice than a router.
But instead of using the 5512-X with SecPlus license you should also evaluate to buy the 5515-X which has the same list price as 5512+SecPlus but is a little bit faster.
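The feature check recommended in the replies above can be run against the router's saved running-config before deciding. This is an added example, not part of the original posts: the patterns are heuristic matches on standard IOS configuration lines for the features the replies name (BGP, DMVPN, FlexVPN, VTI/DVTI), and the sample configuration is constructed.

```python
import re

# Features the replies in this thread name as not transferable to the ASA,
# mapped to IOS running-config lines that indicate them (heuristic patterns,
# an assumption of this example).
BLOCKERS = {
    "BGP": re.compile(r"^router bgp \d+"),
    "DMVPN": re.compile(r"^\s+(tunnel mode gre multipoint|ip nhrp )"),
    "FlexVPN": re.compile(r"^crypto ikev2 "),
    "VTI": re.compile(r"^\s+tunnel mode ipsec ipv[46]"),
    "DVTI": re.compile(r"^interface Virtual-Template\d+ type tunnel"),
}

def find_blockers(running_config: str) -> dict:
    """Return {feature: [(line_no, line), ...]} for every blocker seen."""
    hits = {}
    for no, line in enumerate(running_config.splitlines(), start=1):
        for feature, pattern in BLOCKERS.items():
            if pattern.search(line):
                hits.setdefault(feature, []).append((no, line.strip()))
    return hits

# Constructed sample, not taken from the client's router.
SAMPLE_CONFIG = """\
hostname EDGE-RTR
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

if __name__ == "__main__":
    found = find_blockers(SAMPLE_CONFIG)
    for feature, lines in sorted(found.items()):
        for no, text in lines:
            print(f"{feature:8} line {no}: {text}")
    print("Review before replacing the router" if found else "No listed blockers found")
```

An empty result only means none of the listed features were matched; the rest of the configuration still needs a manual read.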
03-19-2014 10:44 PM
Thanks Karsten for your feedback. I will get these thoughts transferred to the client and will get back to you if required.