Cisco Support Community

New Member

changing VPN solutions to ASA5520

I have a Nortel VPN solution but I am going to an ASA solution. I am looking for feedback as to things that have worked and things that have not. I am just starting design so I am open to anything and look forward to your comments.


Re: changing VPN solutions to ASA5520

With PIX/ASA version 7.0 and later, a new feature is introduced that allows the PIX to support hairpinning in a VPN environment.

When the PIX/ASA is the hub in a VPN environment, this feature supports spoke-to-spoke VPN communications as it provides the ability for encrypted traffic to enter and leave the same interface. If the traffic is unencrypted, it is dropped. There is another new feature in PIX version 7.0 that allows traffic to flow between two interfaces of the PIX that have the same security level.

You can get more information regarding ASA 5520 from this link

New Member

Re: changing VPN solutions to ASA5520

We are in the process of migrating from a Nortel Contivity 2700 series to two 5520 ASAs.

In the process, we decided to move from IPSEC to SSL VPN.

Some notes:

- Make sure that you are on at least 8.0.3(9) version. It fixes a lot of issues with the SSL VPN.

- There are some routing things that could be done on the Nortel that cannot be done on the ASA. It's not a dealbreaker, but it has to do with the fundamental design of the ASA (as a security device) vs Contivity (Router + Security device).

- In SSL VPN mode, make sure to test all your apps with the default DTLS option. We ended up running into problems with our Outlook clients and SAP GUI clients. Disabling DTLS sped up performance tremendously.

Good Luck!
