The PIX is much more powerful, hardware-wise, so if you have a big NAT setup that needs a lot of CPU usage I would go with the PIX.
But it all depends on your setup, what you need the FW to do, routing etc.
I'm designing a VPN based network with 10 sites. Each site will have a router and PIX, or router and router (FW IOS).
If I have a router/router combo at each site, I will have redundant carriers terminating at different routers. The routers will terminate IPSec VPNs and also provide firewall services.
If I have a router/PIX combo at each site, I will have redundant carriers terminating at one router. The PIX will terminate IPSec VPNs.
Is the only problem with using a router/router setup CPU usage? How do you think the 3800 would deal performance-wise, versus the PIX, if it NAT'd and ran CBAC, in addition to terminating IPSec (w/ VPN accelerator HW)?
Thanks for your help!
Hmm... hard to say. How much VPN traffic are you planning to put through the routers/PIX?
What about the price? Isn't it cheaper to get PIXs than 3800s with VPN HW cards?
We will have about 15 Mb of Internet per site. I would say about 50% will be used for VPN traffic. I'm not too worried about price right now... I'm looking for the best solution.
Honestly, I would go with the 3825s. With the AIM VPN module, that thing can easily handle 10-15 Mb of encryption throughput without breaking a sweat. IOS routers will also give you the most flexibility for site-to-site VPN connectivity. You aren't limited to just static and dynamic crypto maps, you can also take advantage of IPSec VTIs or create a DMVPN amongst your 10 sites.
If you decide to go the firewall route, don't waste your money on a PIX. The ASA 5510 is a much better option than the 515E.
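To make the "static crypto map vs. IPSec VTI" distinction in the post above concrete, here is the same site-to-site tunnel written both ways in IOS 12.4-style syntax. This is an added example, not configuration from the thread or from Cisco documentation; interface names, the RFC 5737 addresses (203.0.113.1 local, 203.0.113.2 peer, LANs 10.1.0.0/16 and 10.2.0.0/16), the pre-shared key placeholder and the assumption that an AIM-VPN module is present are all mine.

```cisco
! Added example: one site-to-site tunnel as (A) a static crypto map and (B) an IPSec VTI.
! Pick one variant per router; the ISAKMP policy and transform set are shared.
! Addresses are RFC 5737 documentation space; CHANGE-ME is a placeholder PSK.
! With an AIM-VPN module installed, IOS offloads ESP to it automatically.

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! (use "group 2" on IOS images that predate DH group 14 support)
crypto isakmp key CHANGE-ME address 203.0.113.2
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel

! ---- Variant A: static crypto map ----
! The crypto ACL is the "interesting traffic" definition. Every new subnet at either
! end means editing this ACL on both routers, and it must mirror the peer's ACL exactly.
ip access-list extended VPN-TO-SITE2
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TO-SITE2
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.248
 crypto map VPNMAP

! ---- Variant B: IPSec VTI ----
! No crypto ACL: whatever is routed into Tunnel0 gets encrypted, so static routes or a
! routing protocol decide what crosses the VPN, and the decrypted traffic arrives on a
! real interface where ACLs, inspection and QoS can be applied.
crypto ipsec profile SITE2-PROFILE
 set transform-set AES-SHA
interface Tunnel0
 description VTI to site 2
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SITE2-PROFILE
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

The practical difference for a 10-site mesh: with crypto maps, adding a subnet at one site means touching crypto ACLs on every peer; with VTIs, you advertise the new subnet over the tunnels and the crypto configuration does not change. Either way, replace the pre-shared key with certificates (RSA signatures) once a CA is available, since a single shared key is the weakest link in this setup.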
Personally I would never use a router for this type of functionality - the IOS FW just is not as secure as the PIX/ASA.
The ASA is the box to use in this type of scenario. PIX FW, VPN Concentrator, and IDS in one box with good throughput numbers. The VPN Concentrator is Cisco's best VPN box, that's why all of its functionality has been put into the ASA.
What points of strength make the PIX/ASA better in terms of firewalling compared to IOS FW?
So, for a small branch what is the added value of having a PIX/ASA solution over a Cisco Router with IOS FW feature enabled?
The IOS FW utilizes CBAC (Context Based Access Control) as its FW mechanism while the PIX/ASA utilizes the ASA (Adaptive Security Algorithm). The ASA performs much stronger and faster inspection and is truly stateful in both directions.
CBAC is called stateful but is not stateful when compared to the ASA and does not do anywhere near as good inspection. For instance, with CBAC it inspects traffic leaving the router and automatically allows the return traffic, while the ASA fully inspects in both directions. Overall the PIX/ASA is more secure right out of the box and easier to keep secure.
With PIX 7.x or the ASA appliances, the VPN Concentrator's functionality is built in, so the router has no VPN advantage.
The PIX/ASA handles NAT far better than the IOS - the PIX/ASA is built for NAT where it is a feature in the IOS.
The PIX/ASA is much faster than a router.
The PIX/ASA tends to be more stable than the IOS.
The IOS has features that have been added where the PIX/ASA have a purpose built OS.
The PIX/ASA is much cheaper than a router.
When using the PIX/ASA you can usually (almost always) buy cheap routers to go in front, lowering overall cost.
I could probably go on but I think you get the picture.
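The CBAC behaviour described in the post above (inspect sessions leaving the router, automatically permit their return traffic) is easiest to see in a configuration, and it also answers the original question of running NAT, CBAC and IPSec on the same 3825. The following is an added example in IOS 12.4-style syntax, not configuration from the thread; the interface names, the RFC 5737 addresses, the 10.0.0.0/8 assumption for "other sites" and the use of Ethernet rather than the T3 cards are all my assumptions.

```cisco
! Added example: CBAC + NAT overload + VPN peer allowed in, on one branch router.
! Inside LAN 10.1.0.0/16 behind Gi0/1; outside Gi0/0 = 203.0.113.1; VPN peer 203.0.113.2.
! Assumes the VPN itself is a VTI (Tunnel0), so decrypted traffic never hits OUTSIDE-IN.

! ---- CBAC ----
! Sessions are inspected as they leave the outside interface; CBAC then adds temporary
! entries ahead of OUTSIDE-IN so only the matching return packets get back in.
! Nothing initiated from the Internet is inspected; it simply has to pass OUTSIDE-IN.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
ip inspect audit-trail

! ---- What the Internet may initiate toward us: IKE and ESP from the VPN peer only ----
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 deny ip any any log

! ---- NAT ----
! Overload inside hosts to the outside address, but never translate traffic bound
! for the other sites: with a crypto map, translated packets no longer match the
! crypto ACL and silently leave in the clear; with a VTI the exemption is harmless.
ip access-list extended NAT-ELIGIBLE
 deny   ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
route-map NAT-OUT permit 10
 match ip address NAT-ELIGIBLE
ip nat inside source route-map NAT-OUT interface GigabitEthernet0/0 overload

interface GigabitEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside

interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

Two checks worth running after this is in place: `show ip inspect sessions` should list only sessions that inside hosts opened outbound, and `show ip nat translations` should never show an entry whose destination is another site's 10.x range. If one appears, the NAT exemption is wrong and that traffic is leaving unencrypted.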
I completely agree with everything Mark said, except for the part about the router having no VPN advantage.
For site-to-site VPNs, routers have the most feature-rich capabilities. Good examples of these features include IPSec VTIs and DMVPN. See the following:
I think we may be getting ahead of ourselves here, though. You mentioned that you needed firewall and VPN capabilities. What specifically did you need to do? If you don't intend to use a more advanced VPN setup that only routers support, then go with the ASA; it would be hands-down your best option. 7.1 is supposed to be coming out very soon, which will give the ASA complete parity with the VPN Concentrators. As for the OS being different than IOS, this is true, but 7.x is actually getting closer to IOS with each new release. If you are familiar with IOS, you should be fine with an ASA.
I appreciate all of your responses!
I am open to all solutions and I don't think there is necessarily a right one. Here's how it looks...
These 10-15 sites need 99.99% uptime. I was leaning toward the 2 routers w/ FW IOS because I am going to have two fractional DS3s from different carriers at each site. With 2 routers I can load balance the circuits and routers and have full redundancy (full mesh VPN). With the two router & carrier VPN, I can easily lose a circuit or router and remain up. I know I will lose some of the functionality of a PIX or ASA, but I was not sure how much functionality. I was also not sure how much of a performance decrease would occur by running the IOS code with CBAC. For the firewall side, I do not necessarily need functionality such as IPS or network "anti virus".
The obvious benefit of an ASA/PIX would be that these are specifically built for this function. The problem is I will no longer have the router redundancy. From a VPN perspective, it looks like the 3825 can process IPSec just as fast as the PIX or ASA.
It almost looks to me like I can flip a coin. One solution provides redundancy with possibly limited functionality. The other solution provides more functionality, but less redundancy. I guess I was wondering if the router/router setup would be adequate to provide performance (packet processing, packet inspection, and VPN speed) similar to a PIX/ASA.
Thank you for your help!!
Hi Lee, I fully agree with your views. DMVPN is such a good VPN solution for a big VPN setup, and neither the PIX, the ASA nor the VPN Concentrator has support for it. Plus you can have a dual DMVPN setup for redundancy, and you have HSRP running with site-to-site VPNs for instant redundancy and gateway load balancing, unlike your PIX or ASA, which has only one working at a time; it only provides redundancy of the box and not of the VPN. The users don't get gateway redundancy, as with a PIX you can have only one PIX running in active mode. I personally feel that for site-to-site VPNs Cisco routers are efficient and powerful, flexibility- and limitations-wise.
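The "dual DMVPN" redundancy the post above refers to is two mGRE clouds, each anchored on a different hub, with a routing protocol choosing between them. Here is an added example of one hub and one spoke in IOS 12.4-style syntax; it is not configuration from the thread or from Cisco. The RFC 5737 addresses (hub A 203.0.113.1, hub B 203.0.113.9, spoke 203.0.113.17), the 10.255.x.0/24 tunnel networks, the EIGRP AS number, the NHRP key and the PSK placeholder are my assumptions, and hub B is assumed to mirror hub A with the Tunnel1 addressing.

```cisco
! Added example: dual DMVPN (two mGRE/NHRP clouds, one per hub) with EIGRP over both.
! Addresses are RFC 5737 documentation space; CHANGE-ME and NHRPKEY are placeholders.
! The same ISAKMP policy, transform set and IPsec profile are used on every router.

! ===== Crypto (identical on hubs and spokes) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard PSK lets any spoke register; move to a CA and RSA signatures once
! available, because this one key is all that stands between a stranger and the mesh.
crypto isakmp key CHANGE-ME address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set AES-SHA

! ===== Hub A (outside 203.0.113.1, LAN 10.1.0.0/16) =====
interface Tunnel0
 description DMVPN cloud 1 (hub)
 ip address 10.255.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
router eigrp 1
 network 10.255.1.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary

! ===== Spoke (outside 203.0.113.17, LAN 10.2.0.0/16) =====
! Both tunnels share one tunnel source, which is why "shared" is on tunnel protection.
! Tunnel1 carries a higher delay so EIGRP prefers cloud 1 while hub A is reachable.
interface Tunnel0
 description DMVPN cloud 1 to hub A
 ip address 10.255.1.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.1.1
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN shared
interface Tunnel1
 description DMVPN cloud 2 to hub B
 ip address 10.255.2.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.255.2.1 203.0.113.9
 ip nhrp map multicast 203.0.113.9
 ip nhrp network-id 2
 ip nhrp nhs 10.255.2.1
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN shared
router eigrp 1
 network 10.255.1.0 0.0.0.255
 network 10.255.2.0 0.0.0.255
 network 10.2.0.0 0.0.255.255
 no auto-summary
```

When hub A (or its circuit) goes away, the spoke's EIGRP neighbour over Tunnel0 times out and routes converge onto Tunnel1 without any tunnel renegotiation, which is the failover property the post contrasts with a single active PIX. If a spoke has two routers, each can own one of the tunnels and the LAN hosts get gateway redundancy through HSRP between them.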
You can achieve that kind of uptime with the PIX/ASA. They can be redundant and the vast majority of your problems will be with the circuits. With that in mind, if you have redundant circuits (as you already planned for) the VPN connections to the PIX/ASA will not go down unless the PIX/ASA goes down; which is rare. I have seen VPN connections to a PIX/ASA failover in just seconds.
Just trying to provide some help as the expensive higher-end routers with expensive IOS licensing might be overkill for only 10-15 L2L VPN connections. The 2800 series with IP only IOS (free license) will handle the bandwidth you are planning for and perform the necessary WAN redundancy.
But one of the things I know it was available on PIX OS Ver. 6.3 but I'm not sure if they have addressed this on version 7.0 or not is that there's no stateful VPN failover (i.e. PIX must renegotiate IPSec tunnels upon failover, which means that parts of the network are down while the new tunnel setups are processed). Please correct me if I'm wrong.
One more point: as far as I know, there is no way to do policy routing in PIX/ASA. So, if you need some kind of advanced routing, the way to go is IOS. However, isn't a 3800 a little bit overkill for this task? I'd think of a 2800 series.
With redundant carriers, will you be running BGP? Just a thought. If so, get the 3800s. If not, go with the 2800s. Either way, the PIX/ASA probably is a better choice for a firewall, for all of the aforementioned reasons.
Here's basically what we decided...
We will have two fractional DS3s... one ISP, but two different local carriers. One 3845 router and one ASA 5510.
We will not run BGP because we will only have one ISP. Most of the time when an outage occurs, it is at the LEC so we decided to have different local carriers with only one ISP. I would like to go with a 2800 series router, but the 3845 is the lowest model that can support two T3 cards.
My only question now is where I should terminate VPN. I am leaning toward the router because there is more flexibility with IOS. Any recommendations for terminating VPN on the ASA? If so, why?
I appreciate the help! You all have been great!!!