
I'm using a Cisco ASA 5505 50-user firewall in a co-location facility. The systems at this location are performing monitoring of additional remote sites (also running PIX or ASA devices). I've established site-to-site tunnels, but have hit the hard limit of the device under its current licensing scheme. The ASA 5505 model is limited to 10 simultaneous IPsec tunnels.

I am curious about my options here. Ideally, I'd like to be able to handle 15-20 connections. From research, it appears that I can add an additional Security Plus license to expand to 25 VPN tunnels. The other option seems to be moving to a Cisco ASA 5510.

Given that I have a small number of systems at the colo, is moving to an ASA 5510 just to gain extra VPN functionality overkill? Are there any downsides (hardware/performance/etc) to upgrading the ASA 5505 to the 25-VPN option? Are there any other options I've missed?

ewwhite
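A small capacity check for the situation in the question, added here as an example; it is not code from the question or from any of the answers. It parses the license block of `show version` and the peer statements of `show running-config crypto map`, then reports how many licensed site-to-site tunnels remain once the planned new sites are added. All command output in the block is constructed sample text. The field names `Other VPN Peers` / `Total VPN Peers` are assumed to follow the ASA 8.3+ license format, and counting only the first address on each `set peer` line (the primary peer) is an assumption for planning purposes, not a statement of how the ASA itself meters the license.

```python
"""Headroom check: configured IPsec peers versus the ASA's licensed limit.

Added example, not from the original post. All device output below is
CONSTRUCTED; field names follow the ASA 8.3+ `show version` license block
as assumed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: license section of `show version` on a 5505 Base
# license (10 site-to-site peers, 25 total). Values are illustrative only.
SHOW_VERSION_LICENSE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
AnyConnect Premium Peers       : 2              perpetual
Other VPN Peers                : 10             perpetual
Total VPN Peers                : 25             perpetual
"""

# Constructed sample: `show running-config crypto map` with six distinct
# primary peers (RFC 5737 documentation addresses), one backup peer on
# entry 2 and one peer (198.51.100.5) that appears in two entries.
SHOW_CRYPTO_MAP = """\
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 203.0.113.20 203.0.113.21
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 198.51.100.5
crypto map outside_map 4 match address outside_cryptomap_4
crypto map outside_map 4 set peer 198.51.100.6
crypto map outside_map 5 match address outside_cryptomap_5
crypto map outside_map 5 set peer 198.51.100.7
crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set peer 198.51.100.8
crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set peer 198.51.100.5
crypto map outside_map interface outside
"""

# "Feature name   : value   perpetual" -> name and value; the header line
# "Licensed features for this platform:" has no value and is skipped.
LICENSE_LINE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(?P<value>\S+)")
PEER_LINE = re.compile(r"^crypto map \S+ \d+ set peer (?P<peers>.+)$")


def parse_license(show_version: str) -> dict[str, int | str]:
    """Return the license table as {feature: value}; numeric values become int."""
    features: dict[str, int | str] = {}
    for line in show_version.splitlines():
        m = LICENSE_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        features[m.group("name").strip()] = int(value) if value.isdigit() else value
    return features


def parse_primary_peers(crypto_map: str) -> set[str]:
    """Distinct primary peer addresses from `set peer` lines.

    Assumption: the first address is the primary; trailing addresses are
    backups that only come up if the primary fails, so they are not counted.
    """
    peers: set[str] = set()
    for line in crypto_map.splitlines():
        m = PEER_LINE.match(line.strip())
        if m:
            peers.add(m.group("peers").split()[0])
    return peers


@dataclass(frozen=True)
class TunnelHeadroom:
    licensed: int    # peers allowed by the current license
    configured: int  # distinct primary peers already in the crypto map
    planned: int     # additional sites to be added

    @property
    def remaining(self) -> int:
        return self.licensed - self.configured - self.planned

    @property
    def fits(self) -> bool:
        return self.remaining >= 0


def tunnel_headroom(show_version: str, crypto_map: str, planned_new: int = 0) -> TunnelHeadroom:
    """Compare configured + planned tunnels against the licensed peer count."""
    lic = parse_license(show_version)
    # 8.3+ reports site-to-site capacity as "Other VPN Peers"; older images
    # print a single "VPN Peers" line (assumed fallback).
    licensed = lic.get("Other VPN Peers", lic.get("VPN Peers"))
    if not isinstance(licensed, int):
        raise ValueError("no VPN peer count found in license output")
    return TunnelHeadroom(licensed, len(parse_primary_peers(crypto_map)), planned_new)


if __name__ == "__main__":
    # The asker wants 15-20 sites; check what adding 10 more would mean here.
    h = tunnel_headroom(SHOW_VERSION_LICENSE, SHOW_CRYPTO_MAP, planned_new=10)
    print(f"licensed={h.licensed} configured={h.configured} planned={h.planned} "
          f"remaining={h.remaining} -> {'OK' if h.fits else 'license upgrade needed'}")
```

Feed it the real `show version` and `show running-config crypto map` output captured from the device and it tells you, before the next site is configured, whether the Base license, the Security Plus upgrade or a larger platform is the constraint.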

4 Answers


If you can imagine a situation where you might need over 25 tunnels, go for the 5510; no sense in throwing the extra money at a 5505 security plus license if it won't sustain your needs in the long run.

That said, if 15-20 is all you'll ever need, then it's a lot more cost effective to get the license upgrade.

Cisco's limits on the devices are pretty arbitrary; they have very little to do with performance constraints on the ASA, and everything to do with having a lot of false barriers in place to force you to go with a more expensive device. I wouldn't expect any performance issues with the 5505, until you're saturating those 100mb interfaces.

Shane Madden
  • You're correct about the performance in the sense that you will never ever reach the CPU cap with 100mbit/s interfaces. However, the "limits" are there for a reason. If the interfaces were unlimited then the CPU would struggle with performance, and Cisco would get a bad rep for delivering slow firewalls. I understand why they impose the limits :) – pauska Jul 05 '11 at 15:20
  • @pauska Sure, but look at, for instance, the connection tracking limits; it's purely a RAM thing, but the 5510 has a 5x higher limit than the 5505 despite shipping with identical RAM (pre-8.3, anyway), and both limits are massively increased (2.5x) by a simple license upgrade. The VLAN limits are another good example. I guess the "money grab" explanation seems more plausible to me than that they're imposing the limits as "training wheels" to prevent us from overloading our devices. – Shane Madden Jul 05 '11 at 16:09
  • Ah.. I was thinking purely about the performance limits, not in features (like VLAN). You're right about those, Cisco wants your dollars (and sometimes lots of them). – pauska Jul 05 '11 at 16:16

Upgrading to the 5510 just for the VPN tunnels is overkill, yes.

There are, however, a few options that you might like to have in the future, which only the ASA 5510 and above can support:

  • Stateful failover (active/active or active/passive, the latter becoming extremely popular)
  • 125,000 connections on the 5510 compared to 25,000 connections on the 5505
  • 3 times the network throughput. Perhaps you want to add another network/VLAN on the ASA one day, and intra-VLAN speeds need to be a bit quicker than 100mbit/s? I've been in that situation several times.
  • Content Security, Anti-malware, Anti-virus etc (the SSM modules)
  • Etherchannel support - VERY useful if you're using stacked switches (like 3750) as a backbone
  • Much, much better cooling with dual fans. This could be quite important for you depending on the environment where these are running.

I hope this helps you, although I know there is quite the difference in pricing.

pauska
  • +1 on the cooling, actually - for such a small device, 5505s cook. One correction, though; active/passive is available on the 5505 with the Security Plus license, it's just not stateful like the other models. – Shane Madden Jul 05 '11 at 15:22
  • I had no idea that 5505 could support stateless failover, I'll update my answer. Thanks! – pauska Jul 05 '11 at 15:25
  • Informative. I'm using 5510 and 5520 units at the main sites, so I'd really just be upgrading for the higher number of VPN tunnels. All in, the 5510 is a much nicer unit, but I'm now looking at the price difference between the license upgrade for the 5505 and a used 5510. – ewwhite Jul 05 '11 at 15:41

If you don't mind the haggle of swapping out equipment, then I would say the 5510. But if you get flak for taking anything down, then doing the license upgrade would do you fine too. Not to throw a monkey wrench into the idea, though, but if you are looking for another possibility for failover, you could go with some Cisco 2800 routers and do DMVPN: dynamic routing for each site-to-site (if needed). Just dropping in my 2 pennies.


I would be tempted to put the money into a 5510. Check out the model comparison here: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Note that there are actual hardware differences between the models. My 5505 has a Geode 500 MHz CPU, while my 5510 has a Pentium 4 Celeron 1600 MHz CPU.

20 active VPN tunnels will push a CPU pretty hard, and it will likely max out on the 5505 before the 100Mb interfaces themselves are full. Much depends on how much data you are sending through the tunnels, and whether they are 3DES or AES (AES is more CPU efficient).