Replacing VPN3005/PIX 515 with ASA

petersonmd · ‎11-15-2007

Our central office has a VPN 3005 and a PIX 515. The VPN 3005 is the hub for 7 branch offices/spokes - each of which has a PIX 506e. The PIX 515 serves as the firewall for the cental office.

From what I can tell, the ASA devices don't suffer the same routing limitations that the PIXs did. It looks like the ASA will route traffic back out on the same interface that it came in on - for VPN purposes (I don't want a meshed VPN - all VPN traffic should travel through the hub). Would the ASA 5510 give me the capabilities of both older devices wrapped into one single new device?

Thanks!

timkaye · ‎11-25-2007

HI there.

This is actually a limitation with the software. I believe from version 7 you can route traffic back out the same interface.

Obviously the concentrators don't have the limitation either.

petersonmd · ‎11-27-2007

Yes, I'm well aware of the limitations of the v6.x software. My 515 won't support v7.x without hardware upgrades, which is why I was asking about the ASA. If I get an ASA 5510 as a replacement for my PIX 515, would it also eliminate my need for the separate VPN 3005 concentrator? I'm thinking the ASA will serve both functions...

ryanparr9 · ‎12-12-2007

This is the same scenario that I am purchasing the 5510 for. I am replacing a 515 and a 3005 with this one device (with the security bundle to enable the extra ports). If you have implemented and run into issues, please post.

Thanks!