Add ASA 5510 to my network

Frank McCourry
Ok Cisco experts, I need an opinion, and if I know anything about this group, you have opinions.

We are a web hosting and application development company. Our current Internet connection is protected by a Cisco 2620XM router using access lists to limit access to our network.

So far we have been well serviced by this unit and its configuration, however we are noticing that CPU utilization is high and that a targeted UDP flood can bring it to its knees. So we are considering adding an ASA 5510 to handle the access control, thus relieving the CPU.

My questions are, what other benefits are there to doing this? Should I continue to use the 2620 as a router and use the ASA only as a firewall or should I just move all functions to the ASA? What IOS version and features should I get to ensure we have Intrusion detection and can still provide all services such as Web, FTP, SMTP, POP3, DNS and VPN connections without paying for features I do not need such as anti-virus and anti-malware?

So many options... so little time to research them all. Your good advice is welcomed!

Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
I forgot to mention, we have 3 separate networks, two behind the first, so the Cisco 260 feeds a Cisco 3600 and a Cisco 1700. My plan is to put all of their WAN interfaces on facing our ISP. This will also relieve some CPU utilization. If we add the ASA, my hope is that it would perform the firewall functions for all 3 units.
Commented:
A firewall will provide you with deeper inspection of network traffic, which in turn can provide more options for security, than a plain router can. If your network security needs are being met with the existing router's ACLs, then you may not see any value in a firewall's options for setting up DMZs, IPS, IDS, NATing, VPN, etc.

It's your choice whether the 2620 is in front, or behind, the firewall.  If the router is in front of the firewall, then it can be configured to block unwanted traffic, such as port scans, from ever reaching the firewall, which can act as the root of the 3 internal networks.  If the router is behind the firewall, then all network security needs can be performed by the firewall and the router can serve as the root of the internal networks.
Frank McCourry, V.P. Holland Computers, Inc. (Author) commented:
Thanks for your insight. I'm really surprised I didn't get more input on this....
