We have 4 servers (mail, web, ftp, dns) that we'd like to put behind a firewall (they have public IPs right now). The firewall should be able to
a) support relatively heavy traffic (200+ hosted web sites and as many mail domains).
b) be able to support multiple IP addresses (100+) assigned to the outside interface and map them to the server interface NATted IPs.
Which PIX firewall (or other appliance) would be appropriate for our needs? Also, do you know of any utilities that would support real-time traffic monitoring (bandwidth usage, etc.) and work well with PIX?
I will not claim to be the most knowledgeable person on these forums, but in my opinion I would go with an ASA 5520. If redundancy is a major concern of yours and your company's, then I would suggest getting a pair of ASA 5520s and placing them in an Active/Standby configuration. This will allow you to be completely redundant in case of an interface failure or if the ASA goes down completely. As far as monitoring tools, the ASA does have some built-in debugging and logging features that may be able to help, but SNMP is also a pretty standard technology for real-time monitoring of your firewall. Just because it took me a while to set it up, I included the SNMP configuration at the bottom for you to check out. This is the configuration on our ASA 5520 currently, and we use Paessler SNMP Helper (http://www.paessler.com).
snmp-server host Inside 192.168.x.x community XXXXX
^--- sets up only host 192.168.x.x can obtain snmp data
Again, I am not positive this will help you make your decision, but it should point you in the right direction. The reason I didn't suggest a PIX is because it is an older technology (relatively, compared to the ASA), so it's better to buy the most recent equipment. Of course, your budget for this project will be a deciding factor =)
Good luck with your research (please rate this post if it helped you out at all)
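An added example, not part of the original post or of any Cisco tooling: a small audit of `snmp-server host` lines like the one quoted in the reply, flagging managers on an untrusted interface, polling that is not SNMPv3, and guessable community strings. The sample configuration, the trusted-interface names and the weak-community list are assumptions constructed for illustration.

```python
import re

# Assumed list of default or trivially guessed community strings.
WEAK_COMMUNITIES = {"public", "private", "cisco", "snmp"}
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")

def parse_options(tokens):
    """Collect keyword/value options; bare keywords (trap, poll) are skipped."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i] in ("community", "version", "udp-port") and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts

def audit_snmp(config_text, trusted_interfaces=("inside", "management")):
    """Return (host_ip, finding) pairs for risky snmp-server host lines."""
    findings = []
    for raw in config_text.splitlines():
        m = HOST_RE.match(raw.strip())
        if not m:
            continue  # not an snmp-server host line
        ifc, ip, rest = m.groups()
        opts = parse_options(rest.split())
        if ifc.lower() not in trusted_interfaces:
            findings.append((ip, "manager on untrusted interface " + ifc))
        if opts.get("version") != "3":
            findings.append((ip, "not SNMPv3: community string is sent in cleartext"))
        if opts.get("community", "").lower() in WEAK_COMMUNITIES:
            findings.append((ip, "default or guessable community string"))
    return findings

# Constructed sample configuration (not from the original post).
SAMPLE_CONFIG = """\
snmp-server host Inside 192.168.10.5 community S3cr3tRO
snmp-server host outside 203.0.113.9 community public version 2c
snmp-server host management 10.0.0.7 version 3 monitor
snmp-server enable traps snmp authentication
"""

if __name__ == "__main__":
    for ip, finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{ip}: {finding}")
```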