Cisco Support Community

Remote-Access VPNs; ASA 5520 or Cisco 2811?


I have been tasked with the implementation of a firewall and remote-access VPN solution.

We have procured a pair of ASA5520 firewalls with AIP-20 IPS modules. We have also procured a 2811 router, with VPN module.

Which would be a better solution? To set up the remote-access VPNs on the ASA firewalls, or on the 2811 router? I plan to place the router between the firewalls and the ISP.

It is my understanding that you lose some functionality of the ASA devices when/if you configure them for VPN termination... I also want to utilize the IPS modules to monitor as much traffic as possible.

Thank you.


Re: Remote-Access VPNs; ASA 5520 or Cisco 2811?

The biggest advantage of terminating VPNs on an IOS router over a PIX/ASA is that the QoS capabilities in IOS are far superior to the PIX/ASA's. If this is not an issue, I would recommend the ASA. You should be able to monitor decrypted traffic using the IPS modules on the ASA device; maybe someone else can verify this?


Re: Remote-Access VPNs; ASA 5520 or Cisco 2811?

As srue said, the QoS capabilities are better with IOS; however, please take into consideration that the encrypted packets still have to go over the Internet, where you have no control of QoS. With the 7.x code there are certain QoS features like LLQ and policing; usually they are enough for most applications.

With regard to using the AIP module, if you use the ASA as the termination point you will be able to send traffic to the module just fine. If you use the IOS, then the AIP module won't be able to look at the VPN tunnel (as it will be encrypted).
