Hello - I support a Non-Profit that is setting up a new remote office for a new program in another county. For this new program, we need to have traffic traverse data drops between the new remote office and another partner's site. Traffic between these sites will be VOIP phones (remote office), WWW, SharePoint 2013 (with lots of Word Doc and Excel file moves between sites). We'll have about 40 users in the main office and 10 users in the new remote office.
Currently both the Partner site and our Main site have Cisco ASA 5510 devices. I'm thinking that picking up a Cisco 2901 for the remote office and setting up IPSEC VPN tunnels between the three sites would meet the requirements.
My question is configuration based: I am hoping that the ASA in our main office will be able to support this added workload. An option would be to move our ASA 5510 out to the new remote office and then put the new 2901 at our main office. My main concern would be work involved with the initial setup. Would it be worth the extra work to swap these devices at the start?
Our current ASA seems to meet our current needs and only struggles when we have waves of Scanning Attacks pass. It's odd that several times a week I see a major spike in Scanning Attack counts from a wide variety of IP addresses. I have the Threat-Detection set to a strict level and shun this activity. The ASA CPU never goes above 15% and Memory is fine. Bandwidth seems to be most impacted during these Scanning Attack storms. We are using Comcast and have a business plan that is 27/7 (MBs down/up); I'm working on upgrading that link speed to 75/15.
Should I leave the Main Office ASA in place and put the 2901 out at the remote office, upgrading the Main Office ASA down the road? Or, should I invest the time now and move the ASA out to the Remote office and replace it with the 2901?
Also, would moving the ASA configuration over to the new 2901 be super intensive work-wise? If I go down this route, I'm hoping I can work with the Cisco support team to assist during the migration.
Thanks for chiming in on this one. Current requirements for our ASA5510 are Firewall functions, Basic Threat Detection (I would like to strengthen more), VLAN Services (DHCP + DNS), and AnyConnect VPN connections. We'll also be adding two IPSec tunnels to two branch offices.
I'm thinking I could get an equivalent security posture out of a 2951 as the ASA5510 using the limited feature set we have implemented. Am I way off target with this thinking? Also, I'm thinking the 2951 will handle the IPSEC VPN encryption much better than the ASA.
What are your thoughts about going this route:
a) Move the current ASA5510 out to our new branch office.
b) Pick up an ASA5512-X with the security framework to put in the main office. I'm thinking that ASA comes with an AIP SSM card installed.
Lastly, it looks like the AIP SSM cards would be a good add for the existing ASA5510.