02-15-2007 04:11 PM - edited 02-21-2020 02:52 PM
I just got a new ASA 5510 Base Model and I have some questions I would love some help on.
1) I was under the impression that the ASA 5510 could support 250 VPN Peers. When I do a show version on this new unit I am told VPN Peers are only 50. I would like to have more than 50 L2L VPN Tunnels and RA clients connected at once. Where did I mess up with this understanding?
2) I am running ASA Software Version 7.0(6) this is how it was shipped to me. I hear that 7.2 is the latest? Can I get this upgrade from Cisco?
02-16-2007 09:21 AM
Hi,
1) The ASA 5510 supports 250 if your software version is 7.1 or higher.
2) You should be able to download it from Cisco if you have a valid SMARTnet contract. If you don't have a SMARTnet contract then you can still buy the software from your reseller as a one-off upgrade.
HTH
Andrew.
02-19-2007 09:32 AM
Thank you for the comments. This has me really confused because the folks over at CDW are telling me that the 5510 will only do 150 IPSec peers IF I have the Security Plus upgrade installed. Even then they are saying that 7.0 is terrible (then why ship with it?) and I should upgrade to 7.1 at the very least... which requires a SMARTnet...
Right now my ASA says I am licensed to 50 (no S.Plus on 7.0)
The upgrade to s.plus is $700 + !!!
So my question is: in your experience, have you seen the licensing on this device allow for 250 w/o the S.Plus upgrade, just running 7.1?
THANKS!
02-20-2007 04:27 AM
Hi,
There are a couple of points here which are a bit tricky - the first is the software versioning of PIX/ASA software. Let's have a look at how it works in IOS (it would be useful if there was an equivalent paper for PIX/ASA...):
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_white_paper09186a008018305e.shtml
The basic idea is that if you go from 7.0(1) to 7.0(2) you're getting more software fixes and less new features but if you go from 7.0(1) to 7.1(1) you're getting more major new features but less software fixes. On PIX/ASA there seems to be a fairly clear choice between stability and features. Don't forget that the 3 trains have releases independent of each other so it doesn't necessarily follow that the highest numbered release was the latest one, let alone the most stable one. Before 7.2(2) was released last November the latest release was 7.0(6) and we actually standardised on this because all releases above 7.0(6) were giving us issues (especially the 7.1 versions). We're trialling 7.2(2) at the moment and it seems to be as solid as 7.0(6) so that also looks like a good choice.
With that in mind we need to look at the feature sets of the various releases, and currently 7.2(2) gives you 250 maximum concurrent IPsec sessions whether or not you have the Security Plus license. I think this change happened during one of the 7.1 releases. If you only have 7.0 then you get 50 as standard and can upgrade to 150 if you have a security plus license. (With 7.2(2) you still need the security plus license to get failover and vpn load balancing - but not to get the 250 sessions.)
As to upgrading - it's possible 7.0(6) was actually the "latest" release when you purchased your box, and unless you specified a particular version when you bought it this is what you normally get (you can ask for any version you like at no charge when you buy it initially). You really need SMARTnet for the ASA because the standard Cisco warranty is rubbish (90 days only and you wait 10 days for a replacement), so unless it's a test network you're pretty much forced to buy SMARTnet to be sure of a fast replacement (or any replacement at all after 90 days...). Also, the cost of a SMARTnet contract for a year if you only need NBD replacement is less than the cost of a one-off software upgrade AND you get to download any version you like for the year AND you can also log calls directly with the TAC.
So, I'd recommend buying a SMARTnet contract and then going through the release notes to find a suitable release to download - sounds like 7.2(2) might be what you need. At the very least you should be upgrading to get more sessions rather than sticking to 7.0 and buying a Security Plus license (because both the one-off upgrade and the Security Plus license are probably more expensive than SMARTnet!).
HTH - plz rate if useful
Andrew.
02-20-2007 03:30 PM
Thank you for the very detailed and informative response. I am glad to know that I can / should be able to specify what IOS version we need at the time of ordering. Can one order directly from Cisco or must you go through a reseller for this to happen?
What frustrates me is that this was purchased this month and it only came with 7.0 and thus we are limited. I hope this is not standard practice from CDW as when you order a product you expect to have the latest software at that time.
Once again thank you, thank you, thank you. Very good answer!!
Thank you again!
02-20-2007 05:40 PM
Andrew,
I can't believe a CCIE like yourself recommending others to use version 7.2(2). Pix/ASA running version 7.x is a piece of crap. 7.x is full of bugs. All 7.x versions are designated as "ED". In other words, they are "beta" code. 7.0(6) is close to being GD. Until then, I would not roll out 7.x in a production environment. Version 7.1.x and version 7.2.x are extremely buggy. I can tell you this. Version 7.0.x alone has over 700 bugs.
If you need a real firewall, go with Juniper or Checkpoint firewalls. If you decide to stay with Cisco, use the Pix instead of ASA and run version 6.3(5). At least version 6.3(5) is stable and less buggy.
I can give you an example: in version 7.2(2)-2 you can do "show run + q" to stop the config and the box reboots. Lovely.
David
CCIE Security
02-21-2007 03:16 PM
David,
Thanks for your entertaining response - are you suggesting that we should also replace all our Supervisor 720 modules? They have a similar number of bugs and also have only ED versions currently. As it happens (in our large service provider network) we run many vendors' equipment, including those you mentioned plus many others.
One of the reasons we chose ASA was for the GTP/GPRS inspection code - so I'm interested to hear what your recommendation is for an alternative product?
Most folks on the forums live in the real world and have real world networking issues to be solved and your response isn't helpful in the least - do you refuse to use windows/unix/mac/etc. because of the number of bugs?
Andrew.
02-21-2007 07:50 PM
Andrew,
I realize that every vendor, Checkpoint, Juniper and Cisco, has bugs in their code. I am not a security expert but I, like yourself, work for a large security service provider and I can tell you that Pix/ASA has the most bugs that I have run into. Because of issues like this I am having a job that pays quite well, so I am not complaining. That being said, I would think a big player such as Cisco would roll out code that is reasonably "stable". I would not think that Cisco would roll out version 7.2.2-2 code that resulted in "show run + q" equalling a reboot. That is very poor quality, IMHO.
I've worked with Checkpoint for the past six years, including when Checkpoint rolled out NG with AI R55. In the past 3+ years they only had 18 release patches, called HFAs, for version NG with AI R55. In contrast, within version 7.1.x alone with Cisco you have almost 26 different releases. That I found to be completely unacceptable.
When I rolled out Pix 7.0(6) a few months ago and ran into issues, Cisco TAC told me "well this is ED code, if you want something go with 6.3(5)". This is 2007 and I don't want to use 2003 technologies; isn't it too much to ask from Cisco for a stable release?
I do not know anything about GTP/GPRS to make an educated comment on this topic.
Checkpoint TAC really sucks and I like Cisco TAC a lot because Cisco TAC is much more responsive to customer needs, but it seems like Cisco doesn't know anything when it comes to security products. When I was preparing for the Security lab I was using Cisco IDS 4.1, and this product is a piece of junk. It took almost 5 mins to apply a change and sometimes it would not accept changes. How can you call an ASA a secure firewall when, by default, "no nat-control" is enabled, and traffic from the high security level can traverse to the low level by default?
Juniper and Checkpoint would not let you get away with that. Their mantra is quite the opposite. Everything is dropped unless explicitly allowed.
David
CCIE Security
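For readers weighing the point above about ASA defaults, the constructed ASA 7.x configuration below (an added example, not from any post in this thread) turns on nat-control and binds an explicit outbound access list to the inside interface, so inside-to-outside traffic is denied unless permitted rather than passed by security level alone. The interface names, subnet and permitted ports are assumptions.

```cisco
! Constructed ASA 7.x example (not from the thread): make the outbound policy explicit.
! Assumed: interface "inside" at security-level 100, "outside" at security-level 0,
! inside subnet 10.1.1.0/24. Adjust the permitted services to your own needs.
!
! Require a NAT rule for any host crossing the firewall: with nat-control on,
! an inside host with no matching nat statement is dropped, not passed untranslated.
nat-control
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! With no access-group on "inside", traffic from level 100 to level 0 is allowed
! by default. Binding an ACL replaces that with explicit permits plus the ACL's
! implicit deny; the final logged deny line makes every dropped flow visible in syslog.
access-list INSIDE_OUT extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

After applying it, "show access-list INSIDE_OUT" shows hit counts per line, which is a quick way to confirm that only the intended services are crossing and that the deny line is catching everything else.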
02-22-2007 05:00 AM
This is the response that I get back from Cisco TAC:
"Hi David,
I passed your previous comments onto the Business Unit Director, and some others in his team. We are aware of quality issues in the 7.1/7.2 releases which we have been working hard to resolve."
Now if you know that you have quality issues, why do you still release this code to the general public? That I don't understand. I used to like Cisco a lot until they do stuff like this.