Cisco Support Community

Recommendations on IPSec hardware

I'll have a total of 3 physical sites, 2 of which will aggregate to Site 2 via Single Mode fiber.

Site 1 -> Site 2

Site 3 -> Site 2

I have implemented site-to-site VPNs before, but this seems a bit different to me. I'll need to connect from Site 1 to Site 3 going through Site 2. These links need to be encrypted as well. I assume a firewall placed at Site 2 would be capable of decrypting/encrypting if a request is made from Site 1 to Site 3?

In terms of logical topology, is it common/best practice to NAT a routable IP into a private address space for use behind the firewall?

This is going to be a private network which will not be connected to any other public or private network.

My hardware choices are:

ASA 5510, 5520, 5540

I am looking at the product lists for the ASA series. I have some specific questions regarding throughput. I am confused by the numbers below. I understand the firewall throughput, but what about the VPN throughput? In Cisco terms, does VPN also equal Encryption/IPSec? How can I determine my throughput with encryption configured?

ASA 5510:

Firewall Throughput: Up to 300 Mbps

Maximum Firewall and IPS Throughput: Up to 150 Mbps with AIP SSM-10; Up to 300 Mbps with AIP SSM-20

VPN Throughput: Up to 170 Mbps

In terms of hardware, the ASA 5550 supports 4 SFP fiber ports. Is there a module I can put into one of the lower-end ASAs to get fiber SFP ports? If not, I assume the only other way to connect fiber to an ASA is through a transceiver, correct?

I would also appreciate any configuration/implementation guides you might know of for firewall encryption.

Sorry for the long-winded post. Thanks in advance for any help/advice.
