Router or ASA

Hi everybody,

I work in a company which has around 60 users. Currently we have an old Fortinet firewall with an old IOS version, and we have some problems with the VPN tunnel.

We decided that we must change this firewall and put something else in its place.

So I'm responsible for this change, and I can't make a decision about which device I should put in: a Cisco router or an ASA firewall.

In the future we will build one IPsec tunnel between our company's headquarters and another headquarters which has its own Cisco router for VPN.

We also want to have different client-to-site VPN tunnels between our headquarters and many outside users.

So, is this information correct?

1) With a Cisco router, IPsec VPN tunnels are possible without any annual license to pay?

2) With an ASA, IPsec VPN tunnels are possible with an annual license which we should pay?

3) If I buy an ASA and build my IPsec tunnels, and stop paying the annual license, would my IPsec tunnels disappear or stay there? Are there any problems to expect?

I have difficulty making a decision, so what do you think? Please, I need some arguments to defend the best choice and convince the others.


Jouni Forss
VIP Alumni

Hi,

Sorry to say that I am not really familiar with the router side of Cisco nowadays. In the past I haven't had to worry about the VPN functionality of the Cisco routers, but it's my understanding that the routers are becoming more license based, as are the switches. (For example, our ASR1000 routers seem to need separate VPN licensing.)

I will let someone more familiar with Cisco routers explain the specifics about them. Somehow I never seem to find any specific information about them compared to Cisco ASA for example.

With an ASA you won't need any licensing when building IPsec L2L VPN and Client VPN. You can build as many IPsec VPNs as the platform supports.

With regards to the VPN Client, I will have to say that the IPsec Client is pretty much replaced by the SSL VPN Client called AnyConnect, which DOES require separate licensing to use. From what I have seen, the old Cisco IPsec VPN Client software works even with the newer operating systems, but it's not something that is recommendable to use anymore. There are also non-Cisco options for an IPsec VPN Client.

My personal opinion would be to use a Cisco ASA firewall for your purpose. Firewalling and VPN are easier to manage than with the routers, though Cisco routers would provide you with more options and flexibility with regards to VPNs. I just personally consider the ASA firewalls more user friendly for your purpose, though my opinion is naturally a bit biased as I have used Cisco firewalls mostly and not really the routers.

So to answer your questions shortly:

1.) As it's related to Cisco routers, I would prefer that someone with more experience with them answer this. To my understanding you will need to have some Security license to use VPNs on the routers, but the models I have handled have always supported VPNs.

2.) With Cisco ASA the device supports as many IPsec VPN Client or L2L VPN connections as the chosen platform supports. No licensing required.

3.) As the previous answer already mentioned, there is no licensing related to the IPsec VPN amount, only the hardware limit, so you won't have to pay even once for any license for IPsec VPN to work.

Here is a datasheet of the original ASA 5500 Series (which is being replaced by the new ASA 5500-X Series):

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80285492.pdf

Here is a datasheet of the new ASA 5500-X Series:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/at_a_glance_c45-701635.pdf

Both documents list the IPsec VPN limit of the device models.

Have a look at the above options. To be honest, with your user amount you could probably manage with a lower-end ASA model. In the original ASA5500 series the lowest model is the ASA5505 (with the ASA5505 model you would need the Unlimited User license or Security Plus license to support your user amount; the Base License only supports 10 users). In the new ASA5500-X Series the ASA5512-X is the lowest-end model (no replacement model for the ASA5505 yet).

Hope this helps

- Jouni

As Jouni already mentioned, there is no annual licensing for VPN, not for the ASA and also not for the IOS router. If your focus is more on firewalling and remote-access VPNs, then I would go for the ASA. If you only need client-based VPN, the ASA is also cheaper than the router because of the different AnyConnect licensing.

Choosing the right model: Keep in mind that the 5505 only supports 25 concurrent users in the SecPlus version. As you are talking about "many" VPN users, that amount is probably too small. The 5512-X with up to 250 VPN users will probably fit your needs in a better way.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you for the replies.

So by choosing the ASA there is no periodic license to pay, and I can have the following design:

                       |------------IPSEC tunnel---------------|Cisco Router|{headquarter}
{headquarter} ASA------|------------IPSEC tunnel---------------|Cisco client|{user}
                       |------------IPSEC tunnel---------------|Cisco client|{user}
                       etc...

Hi,

Yes, there will be NO licenses to pay for when using the IPsec VPN, whether it is an L2L VPN or Client VPN.

The above setup is possible and is a very typical setup for anyone using VPNs with ASAs.

I would also say that you will have a lot easier time finding help with configurations and troubleshooting here at Cisco Support Community when you are using an ASA, though that naturally shouldn't be a deciding factor alone.

Hope this helps

Feel free to ask more if needed

- Jouni

The only additional licenses you need for the ASA are AnyConnect Essentials and AnyConnect Mobile if you also want to use touch devices like iPads or so. But these are not periodic licenses. They are bought once for the ASA.


Thank you very much, I think the ASA is the best choice and you gave me arguments.

Thank you, JouniForss and karsten.iwen.