SA540 Questions

Hi Guys,

We have an opportunity to replace a competitor's router with a Cisco Security Appliance. I have a few questions about the SA540. I am on the edge between recommending an SA540 or an ASA5505/5510. I will try to address my SA questions in this forum and find the appropriate forum for the ASA questions.

The customer has approx 15-20 users, but there are very high security availability requirements. Single site, with users accessing the network remotely. The customer uses Dual WAN and is requesting Active/Active WAN connectivity.

1. According to the Datasheet, it supports Load Balancing and Failover (via the optional port for dual WAN). Is the optional support an added feature? Am I to understand that it will concurrently use both WAN services?

2. Is there any support for having two SA540s in Active/Standby? So, should there be a hardware failure, it would fail over the SA automatically, transparent to the end users? That may not be a deal breaker, as the customer is saying that buying a spare to have on hand and a manual reconnect may be acceptable. But, I am trying to present value.

3. I see on this device that we have SSL VPNs available. I am trying to determine what level of VPNs are available on this appliance. On the ASA you have three different options of SSL VPNs: Client, Thin Client, and Clientless. Are all three available on this appliance?

This question assumes the active/active dual WAN.

4. Their current device has an issue and I'd like to be able to say that we aren't going to have the issue on this device. The issue is that a user authenticates with a website, then (while using it) the router switches them to the other WAN service, so they have to reauthenticate. So, how do I go about addressing that? Are there any quantifiable metrics that I can use to address that?

For example, I would like to tell the customer that once an internal IP requested internet, that internal IP will continue to use the same WAN service until there is a 5 minute period of inactivity. That's just an example. I don't know if it does that or if that level of information is available. Or maybe it uses some other method of determining where to send a packet.

5. I don't see any support for authenticating VPN users via LDAP?

6. The Datasheet says that it supports 16 VLANs. Does this mean that we can do 2 WAN connections, a DMZ, and 13 internal subnet/VLANs, provided we don't exceed 16 total VLANs?

7. Is there any support for IP Phone proxy? This feature on the ASA allows you to connect your phone anywhere with internet connectivity and it finds the ASA and uses the ASA to proxy to an internal call manager.

At any rate, any advice would be appreciated.

Re: SA540 Questions

1.  The Optional port can be configured as a WAN port, a LAN port, or a DMZ port.  When configured as WAN, it can be configured to do load balancing or failover.  It can use both WAN ports at the same time.  You can bind different types of traffic to use each port if you would like as well.

2.  Currently, there is no hardware failover.  It would be a manual unplug, plug in the new box.

3.  The SSLVPN comes in 2 modes.  Full tunnel and port forwarding tunnel.

4.  I haven't tried this exactly, but you can bind traffic to use a particular port.  You could force all https: traffic to use the WAN and ftp traffic to use the optional port.

5.  There is support for it for SSLVPN users.  For VPN users, you can use a radius server for authentication.

6.  16 local VLANs.  DMZ and WAN are separate.

7.  Currently we do not have an IP Phone Proxy for this system.  It would require a hardware client on the side of the end user.

Let me know if you have any other questions.

Re: SA540 Questions

As a clarification on question 3, it is a Thin Client that we have.  It operates in two modes, Full Tunnel and Port Forwarding.
