Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Setting up new Branch Office - NonProfit

Hello - I support a Non-Profit that is setting up a new remote office for a new program in another county.  For this new program, we need to have traffic traverse data drops between the new remote office and another partner's site.  Traffic between these sites will be VOIP phones (remote office), WWW, SharePoint 2013(with lots of Word Doc and Excel file moves between sites).  We'll have about 40 users in the main office and 10 users in the new remote office.  

Currently both the Partner site and our Main site have Cisco ASA 5510 devices.  I'm thinking that picking up a Cisco 2901 for the remote office and setting up a IPSEC VPN tunnels between the three sites would meet the requirements. 

My question is configuration based:  I am hoping that the ASA in our main office will be able to support this added workload.  An option would be to move our ASA 5510 out to the new remote office and then put the new 2901 at our main office.  My main concern would be work involved with the initial setup. Would it be worth the extra work to swap these devices at the start?

Our current ASA seems to meet our current needs and only struggles when we have a waves of Scanning Attacks pass. It's odd that several times a week I see a major spike in Scanning Attack counts from a wide-variety of IP address.  I have the Threat-Detection set to a strict level and shun this activity.  The ASA CPU never goes above 15% and Memory is fine.  Bandwidth seems to be most impacted during these Scanning Attack storms.  We are using Comcast and have a business plan that is 27/7 ( MBs down/up); I'm working on upgrading that link speed to 75/15.

Should I leave the Main Office ASA in place and put the 2901 out at the remote office?  Upgrading the Main Office ASA down the road.  Or, should I invest the time now and move the ASA out to the Remote office and Replace it with the 2901?

Also, would moving the ASA configuration over to the new 2901 be super intensive work wise?  If I go down this route, I'm hoping I can work with the Cisco support team to assist during the migration.

Thanks!

Everyone's tags (7)
4 REPLIES

Setting up new Branch Office - NonProfit

Hello, Peter.

If you have frequent network attacks from outside, I guess it would be a wise choice to stay with ASA.

I'm not sure, if ASA5510 could handle encryption at 75M... so my primary concern would be a capacity.

If you are satisfied with your current IPSec design, then I would try to be consistent and buy one more ASA.

If you plan to migrate to routers (you might need some features that you miss with ASA), then the best would be to start applying new "purchase policy - ISR2".

PS: if you are concerned about network attacks then try to change public IP-address, and reveiw ASA configuration (it might be attracting attackers by some openned port).

PS2: for IPSec at 75M I would suggest to buy at least 2921.

New Member

Re: Setting up new Branch Office - NonProfit

Hi MikhailovskyW,

Thanks for chiming in on this one.  Current requirements for our ASA5510 are Firewall functions, Basic Threat Detection (I would like to strengthen more), VLAN Services (DHCP + DNS), and AnyConnect VPN connections.  We'll also be adding two IPSec tunnels to two branch offices.

I'm thinking I could get an equivalent security posture out of a 2951 as the ASA5510 using the limited feature set we have implemented.  Am I way off target with this thinking? Also, I'm thinking the 2951 will handle the IPSEC VPN encryption much better than the ASA. 

What are your thoughts about going this route:

a) Move the current ASA5510 out to our new branch office.

b) Pick up a ASA5512-X with the security framework to put in the main office.  I'm thinking that ASA comes with a AIP SSM card installed.

Lastly, it looks like the AIP SSM cards would be a good add for the existing ASA5510.  

Thanks again.  PR

Re: Setting up new Branch Office - NonProfit

Hello, Peter.

I guess ASA would be more compliant with your overall design and requirements than ISR2 (2951).

Also I guess that ASA will be better for IPSec support (unless you need to run routing protocols over VTI tunnels) and threat mitigation (that you are concerned of).

ASA5510 has reached end-of-sale date (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/eol_C51-727283.html)

Not sure about 5512-X (has no contexts, less performance), but 5515-X could be a best option (refer to the link).

New Member

Re: Setting up new Branch Office - NonProfit

I placed a bid on a used ASA 5525X and the seller agreed to a fair price.  To be sure, my research is telling me that this device will aptly handle the requirements for

1) IPSEC VPN Encryption to two branch offices.

2) VOIP phone QOS configuration to ensure phones in the branch office (via ASA 5525 <--> ASA5510) will perform reliably. The branch office will have < 10 end users.

Thanks for your time and feedback, PR

339
Views
0
Helpful
4
Replies
CreatePlease login to create content