Hello,
I am relatively comfortable with the PIX 6.3(4) software CLI and VPN configuration on the PIX. I am less comfortable with the PDM, simply because I don't use it very often, but I can stumble my way around and find what I need. I know NOTHING about ASA software command syntax, and have yet to actually touch the CLI or web interface of an ASA. I am looking for any advice/suggestions/warnings relative to replacing my two core PIXes with ASAs. I am making this change because my PIXes are EOL, and I cannot afford downtime if one of them fails. I have a contractor available to do the work, but would rather do it myself if I can. Security is of the utmost concern, as we are a healthcare organization.
We have two PIXes that we are planning to replace with ASAs. I would like any and all advice/suggestions/warnings about doing so. Here is what we are doing:
1. We have a 515R running 6.3(4) that we intend to replace with a 5510, undetermined version. This PIX is the core for a remote site that actually consists of 5 of our remote locations and is simply encrypting traffic back to our core ROUTER using 3DES encryption. It is also acting as a local DHCP server for the remote sites for 100+ devices. There are about 20-30 additional devices with static IP addresses at this location. Ultimately we may wish to consider adding a second 5510 for failover purposes. We are presently NOT running the 515R in failover.
2. We have a 515UR also running 6.3(4) that we intend to replace with a 5520, also undetermined version. This PIX is our core firewall and presently has 4 of its 6 physical interfaces in use. They are Outside (Internet), Inside (connected to our core router, which then gets to our Core LAN), and two other connections for our remote VPN sites. We presently have a number of software VPN clients using the Cisco Systems VPN Client software as well as 4 vendors using nailed-up VPN tunnels. 3 of the VPN tunnels are to PIXes; the 4th is to a Cisco 3005 VPN concentrator. We are presently connecting our remote site PIXes via PIX-to-ROUTER VPN, because of our need to send data unencrypted back out the same physical connection that the VPN terminates on, and this could not be done with version 6 of the VPN software. So our remote sites' VPN connections are presently passing through our core PIX and terminating on the "outside" interface of our Cisco 3745 router. We intend to move ALL of our VPN connectivity to the PIX so that our router can focus on routing and not encrypting. Ultimately we may wish to consider adding a second 5520 for failover purposes. We are presently NOT running the 515UR in failover.
I cannot think of anything else right now. I would be willing to post my configs if necessary, but I figure I'll wait and see what answers/suggestions/warnings I get before doing that.
Thanks in advance for your time.
Jonathan
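Editor's note: the fragment below is an added illustration, not part of the original post or of any reply in the thread. It sketches the piece of the migration the post singles out: on the ASA, traffic may enter and leave the same physical interface (the "send it back out unencrypted on the interface the VPN terminates on" case that PIX 6.3 could not do) once `same-security-traffic permit intra-interface` is set, so the site-to-site tunnels can terminate on the 5520 instead of the 3745. Everything else is assumed for illustration: ASA 8.x syntax with pre-8.3 NAT (in 7.x the `crypto isakmp` lines are written as `isakmp`), the interface names, all addresses, the peer, the access-list and crypto-map names, and the `!` comment lines, which are for the reader rather than the device. The `dhcpd` lines at the end belong on the remote-site 5510 that replaces the 515R, not on the core 5520.

```text
! ---- core 5520 (replaces the 515UR) ---- assumed 8.x, pre-8.3 NAT syntax
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0      ! placeholder address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0          ! placeholder address
!
! Allow a packet that arrived on "outside" (decrypted from a remote-site tunnel)
! to be routed back out "outside". PIX 6.3 had no equivalent.
same-security-traffic permit intra-interface
!
! Interesting traffic for one remote site and the matching NAT exemption
access-list REMOTE_SITE_VPN extended permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list NO_NAT extended permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NO_NAT
!
! IKE phase 1 (the existing peers use 3DES; change the policy to match them,
! or move both ends to AES when each end is replaced)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2 and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address REMOTE_SITE_VPN
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20       ! placeholder peer
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Per-peer settings live in a tunnel-group on the ASA (there is no PIX 6.3 equivalent)
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key <long-random-key-unique-to-this-peer>
!
! ---- remote-site 5510 (replaces the 515R) ---- DHCP for the remote LAN
dhcpd address 10.20.1.100-10.20.1.254 inside       ! placeholder pool
dhcpd dns 10.0.0.53                                ! placeholder DNS
dhcpd lease 86400
dhcpd enable inside
```

Checks worth doing before cutting over: `show crypto isakmp sa` and `show crypto ipsec sa` on the 5520 to confirm each tunnel builds, and a traffic test from a remote site to an Internet address to confirm the hairpin works without the 3745 in the VPN path. Statically addressed hosts at the remote site should sit outside the `dhcpd address` pool.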