Replace PIX506e with SA540 a good idea?

Linksys, Netgear, SonicWall, etc. Web-based configurations for routers.

Postby Guest » Sun Oct 31, 2010 1:03 pm

We are currently using 2 PIX 506e to link 2 locations on the same domain using a VPN tunnel, and approx. 20 VPN clients, max 5 concurrently. I was looking to use 2 SA540 instead to get away from the CLI on the PIX and having to get CISCO support for configuration changes. Is there anywhere to try out the GUI on the 540? Is the SSL VPN a good substitute for the VPN Client? Does the support included with the 540 include configuration support? Will a remote VPN client be able to browse across the domain to both locations? They can now.

Guest
 

Re:Replace PIX506e with SA540 a good idea?

Postby Guest » Sun Oct 31, 2010 1:18 pm

First, I doubt you need an SA540 based on your configuration. An SA520 is more than enough for your needs. That being said, SSL VPN is not a clean substitute if you're already using the Cisco VPN Client. The Cisco VPN client is much more capable, much more reliable (doesn't rely on a browser for stability), and doesn't cost you anything (doesn't cost either if you buy a 540, it's included). IMHO, Cisco has decided to nickel and dime small businesses like they have with large companies and are charging extra for SSL connections past 2 (I think $150 is the quoted price for 25 users on the 520). QuickVPN is a possibility, however, many have found it to be less than reliable (based on the last version, we've not had a lot of time to test the new version released in Feb 2010) and often problematic as it requires that the user be an administrator (something not required of any other VPN client I know of). Cisco's answer to that has been to buy 3rd party VPN software, but my question to Cisco is if a 3rd party can write a real VPN client why can't Cisco???

 

As for your ASA VPN, you should be able to connect to one ASA and see the other side if your ACLs are set up properly. Talk to TAC about it.

 

As for paying Cisco for support, you still only get a 90-day warranty with the SA series, so you still have to pay Cisco for support if you want a warranty.

 

Also, if you have SmartNet there is the PIX Device Manager (PDM) that you can install to give you a Web-GUI to configure the PIX from if you want to get away from the CLI, but I can tell you from many years of experience that no GUI can do what the CLI can do, often in 1/4 the time!

 

Me personally, I'd either continue to use the 506es until you outgrow them, which with what you describe will be some time from now, go to ASA-5505s (similar in cost to the 540s) which offer SSL VPN if you're willing to pay for it as well as the latest "PIX" OS that you can get on the 506e (if memory serves, the 506e doesn't have the NVRAM to load v7 or v8 so you're stuck on 6.35, right?), or consider Cisco RV082s which are less expensive than either of the 2 alternatives, offer dual WAN like the SA500 series, can easily handle the VPN load, and come with a 3 year warranty out of the box (http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9923/ps9926/data_sheet_c78-501227.html), though you still won't be able to route to the other side of the VPN when connected to one side.

Guest
 

Re:Replace PIX506e with SA540 a good idea?

Postby Guest » Sun Oct 31, 2010 1:33 pm

Actually, I was reading your post again and really hadn't thought my reply through, which I'm not sure why because we don't use Cisco's SSL or QVPN tools on their small biz lines, we use Windows Servers to do VPN at many locations. May I recommend, if you have a unified domain, why not consider using one of your domain controllers to do RRAS and have your remote clients VPN to the Windows servers, and then you'll be able to see everything you want as they'll have an IP on the LAN? You'd also get away from the CLI on the 506es, relieve the 506es of the VPN stress and transfer that to the servers, which even if they're very old can handle dozens of 128-bit PPTP clients at a time. At that point your 506es become simple routers and that's about it, and the PDM would allow you to do all the config you wanted, and when they died you can replace them with any other Cisco device you wanted without having to consider migrating the configuration.

Guest
 

Re:Replace PIX506e with SA540 a good idea?

Postby Guest » Sun Oct 31, 2010 3:09 pm

Thank you for your well-considered replies to my post. I have decided, as you recommended, to stay with the PIX506es until we outgrow them. The CISCO VPN client is stable, more so, it appears, than the SSL client or Easy VPN. The PIX506e is also very stable for the VPN tunnel. For support I have Smart Net to help me through the CLI. So we will stay with the 506e until moving up to the ASA 5505 or equivalent at that time.

Guest
 


