Cisco Support Community

New Member

Need recommendations for firewall and vpn replacement

We've got a pair of PIX 525s in active/standby mode, plus a pair of VPN 3005 concentrators (one active, one redundant using VRRP) for IPSec VPN connections (both LAN-to-LAN and Remote Access, 3DES). I'm trying to generate a proposal to replace all 4 devices with more current equipment.

From Cisco's website, it looks like the ASA 5520 is the recommended replacement for the PIX 525 and there's an SSL/IPSec VPN Edition recommended for replacing the 3005s. The SSL/IPSec VPN edition seems to be a fair bit more expensive than the other version... Can just a pair of ASA 5520s handle the job of what we're using now, or do we really need the more expensive version?

Also, I've seen mention of a Technology Migration Plan from Cisco. Would this apply here, or is it even still available?



New Member

Re: Need recommendations for firewall and vpn replacement

Hi Steve,

The ASA-5520 will support up to 450Mbps firewall throughput, 225Mbps VPN throughput while supporting up to a maximum of 750 concurrent IPSec/SSL VPN connections (with relevant SSL licenses). Ultimately a pair of these should be able to handle the role of the PIX-525 and VPN-3005 combined without an issue; however, you really need to base this decision on whether they will support your future needs too.

Do the above figures meet your needs? If not, the ASA-5540 will give you more, with 650Mbps firewall throughput, 325Mbps VPN throughput and support for up to 5000 IPSec VPNs or 2500 SSL VPNs (with relevant SSL licenses).

The cost difference with SSL/IPSec edition is due to the SSL VPN licenses which are an additional cost. If you plan to continue to use the IPSec VPN clients then stay with the firewall edition. You can add SSL VPN licenses to the firewall edition at a later date if you wish.

In terms of the TMP, you would need to check with your Cisco reseller/Cisco account manager.


