Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Firewall recommendation

Hello all,

We have 4 servers (mail, web, ftp, dns) that we'd like to put behind a firewall (they have public IPs right now). The firewall should be able to

a) support relatively heavy traffic (200+ hosted web sites and as many mail domains). b) be able to support multiple IP addresses (100+) assigned to the outside interface and map them to the server interface natted IPs.

Which PIX firewall (or other appliance) would be appropriate for our needs ? Also, do you know of any utilities that would support real-time traffic monitoring (bandwith usage etc. ) and work well with PIX?

Thanks very much in advance for your answers!


New Member

Re: Firewall recommendation


I will not claim to be the most knowledgeable person on these forums but in my opinion I would go with an ASA 5520. If redundancy is major concern of yours and your companys then I would suggest getting a pair of ASA 5520s and placing them in an Active/Standby configuration. This will allow you to be completely redundant in case an interface failure or if the ASA goes down completely. As far as monitoring tools the ASA does have some built in de-bugging and logging features that may be able to help, but also snmp is a pretty standard technology for real time monitoring of your firewall. Just because it took me a while to set it up I included the snmp configuration at the bottom for you to check out. This is the configuration on our ASA 5520 currently and we use Paessler SNMP Helper (

snmp-server host Inside 192.168.x.x community XXXXX

^--- sets up only host 192.168.x.x can obtain snmp data

snmp-server community xxxxx

^--- open to everyone if you want

snmp-server location Home-Office

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

Again I am not positive this will help you make your decision but it should point you in the right direction. The reason I didnt suggest a PIX is because it is an older technology (relatively compared to the ASA) so its better to buy the most recent equipment. Of course your budget for this project will be a deciding factor =)

Good luck with your research (please rate this post if it helped you out at all)


CreatePlease login to create content