Solved

Switch from Watchguard to Cisco VPN firewalls

Posted on 2008-06-24
6
1,208 Views
Last Modified: 2013-11-16
I currently use a combination of Watchguard's x700, SOHO 5 & 6, edge x15, edge 10 & 20 e series products. We're looking into moving to Cisco's ASA 5500 series products, specifically the 5510 and 5505, to hopefully provide better site-to-site VPN connections and potentially security.
 
Has anyone interconnected these devices via a VPN connection?  

Any advice on Cisco's ASA series devices, manageability, ease of use, options, reliability?  I've used several other VPN products but not Cisco so I have no idea what to expect.  

We use WG's x700 at our main site so we would replace it with Cisco's 5510.  Any advice?  They both look like the base models have almost the same feature set.

Thanks for any help!
0
Comment
Question by:Quagmire2
6 Comments
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 35 total points
ID: 21864284
I haven't used Watchguards before, but I've set up several site-to-site VPNs with the ASA 5510s. It's really pretty easy. Although I've only done it the CLI way, the ASDM (GUI) has been much improved in the new code so it's fairly easy to do it there.

The cli way, you just need to add an acl for the traffic for site1 to site2, add the same entries to your nat0 acl (this is the acl you use to apply to the nat (inside) 0 command so that the NAT process is skipped).  Then add the crypto/isakmp commands and finally the tunnel-group.

If all sites have static IPs it's a snap; if some have dynamic IPs it's only slightly harder.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21864286
I do not understand what you want to know:
 Do you wish to know if you can replace X700 with ASA, OR
 You wish to know if you can create tunnels between ASA and other WG products (interoperability)

Well the answer is YES for both the above questions.

ASA is a product from the market leader and would give you all the features you wish. If you are looking at manageability using a simplified GUI, I always prefer WG (I would say more of a personal choice!)

Please let me know if you need more inputs about a specific thing.

Thank you.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 35 total points
ID: 21864651
I sell/install/use ASA almost exclusively. The VPN Wizard makes it super simple to set up site-to-site VPNs. Unlike most Cisco products, it actually has a very useful GUI interface. Top 10 pie-charts and everything. The reliability and security of the product is untouchable. I wholeheartedly endorse the complete ASA product line.
0

Author Comment

by:Quagmire2
ID: 21865656
dpk_wal,
Since this is unknown territory, I would like to know that the ASA 5510 is going to have all the features that the x700 has and more.  I know that with the 5510 I will not be able to have both intrusion prevention and web content filtering since these are SSM modules and it can only handle one, unlike the WG x700 where you install a feature key.  Without the intrusion prevention and web blocker (web content filter), will the ASA match up and exceed the x700 w/ fireware pro?

The other question was about creating VPN tunnels between the 2 different vendors' devices.  I've created tunnels between WG and other vendor products and it took a while to figure out what settings would work between the 2.  I know that IPSec is supposed to be a standard, but it seemed that it would only work a few ways and not every option such as 3DES, DES, MD5 or SHA1 and Diffie-Hellman Group created a tunnel.  Are there going to be any gotchas that I will find between the ASA series and WG products since we would gradually migrate from WG to Cisco?
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 55 total points
ID: 21865938
Frankly the IPS protection provided by WG is rather feeble I would say; frankly all you can do in WG is put IP in blocked list; or auto block source of packets not handled. Not true IPS at all.

As far as content filtering goes, I would say it does some modest amount of web filtering using surfcontrol (though many customers don't like the categorization) and with HTTP proxy you can control the file types that get downloaded and can do proxy on the packets and do deep-inspection.

I am not sure if this is available in ASA out of box; think it should be; in PIX they had something called fixup which was equivalent to HTTP-Proxy called in WG terms; maybe lrmoore would be able to throw some light on this (already told am not too literate on ASA).

As far as VPN tunnels go,  the VPN tunnel comes up; the settings might be a hit and trial sometimes; but frankly if both the ends are configured alike then getting VPN tunnel up is no biggy.

The only thing I see is if you are using DVCP [WG proprietary VPN protocol] then there might be some glitches when migrating; otherwise none.

Thank you.
0
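An added example, not written by any poster in this thread: the answers above list the ASA CLI steps (crypto ACL, nat 0 ACL, crypto/isakmp commands, tunnel-group) and say the tunnel comes up when both ends are configured alike, so this script parses a constructed ASA excerpt and compares its Phase 1/Phase 2 settings with values noted from the other vendor's device. The ASA excerpt uses pre-8.3 syntax; the ACL and map names, addresses and peer values are all made up for illustration.

```python
import re

# Constructed ASA excerpt (pre-8.3 syntax); names and addresses are made up.
ASA_CONFIG = """\
access-list S2S extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 match address S2S
crypto map VPN 10 set peer 203.0.113.2
crypto map VPN 10 set transform-set TS
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 203.0.113.2 type ipsec-l2l
"""

# Settings read by hand from the other vendor's VPN page (hypothetical values).
PEER = {"p1_encryption": "3des", "p1_hash": "md5", "p1_group": "2",
        "p2_encryption": "3des", "p2_hash": "sha"}

def parse_asa(config):
    """Extract Phase 1 (isakmp policy) and Phase 2 (transform-set) settings."""
    out, in_policy = {}, False
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in ("encryption", "hash", "group"):
                out["p1_" + key] = value
        else:
            in_policy = False
            m = re.match(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", line)
            if m:
                out["p2_encryption"], out["p2_hash"] = m.groups()
    return out

def mismatches(asa, peer):
    """Return {setting: (asa_value, peer_value)} for every value that differs."""
    return {k: (asa.get(k), peer.get(k))
            for k in sorted(set(asa) | set(peer)) if asa.get(k) != peer.get(k)}

if __name__ == "__main__":
    print(mismatches(parse_asa(ASA_CONFIG), PEER))
```

With the sample values the only difference reported is the Phase 1 hash, which is the kind of single-setting mismatch that keeps a cross-vendor tunnel from negotiating.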
 

Author Comment

by:Quagmire2
ID: 21866071
We used to use the DVCP option several years ago, 2002,  but WG actually told us to migrate to manual BOVPNs.  

I set it up again about 6 months ago but with the release of several software versions in a short period of time, I was irritated that I had to resetup each device after the updates.
0
