[c-nsp] ASA or Router?

Ben Steele ben at internode.com.au
Fri Mar 21 21:34:01 EDT 2008


I concur with the 2801/2811 being the better choice than an ASA in  
this scenario, just make sure you have the AIM-VPN module with it.

The only benefit I can see the ASA giving you is more advanced deep
packet inspection (compared to CBAC), even then you really need the SSM
module in the ASA to really take full advantage of that and when you
are talking about (what appears to be) a private VPN between HQ and
remote sites I don't see that being more important than all the extra
QoS and IP features the router is going to give you.

The only time I would really consider an ASA over a router is when
firewalling is the primary function of the device, their routing
features, while getting better, are still lacking (someone pleeease add
policy routing as a feature on them) which can make it a tough choice
to choose the ASA in some scenarios.

Ben

On 22/03/2008, at 6:37 AM, Kaj Niemi wrote:

> Hi,
>
>
> The ASA doesn't support DMVPN so if that's a hard requirement at the  
> HQ you need to get an IOS box. Should you choose the ASA and if the  
> G.SHDSL circuit requires termination (no managed CPE from the  
> provider) you would additionally need the 1803 you mentioned or  
> another with a WIC. The 1800 series routers will be able to encrypt  
> all traffic on the line (and then some). Note that the fixed 1800  
> series routers have a maximum of 50 supported IPSec tunnels while  
> the non-fixed ones (1841, 1861) have higher.
>
> The IOS box will do most of the things the ASA would - and you  
> haven't indicated any ASA specifics - so from a technology  
> management standpoint it might be wise to invest into one platform  
> instead of two.
>
>
> On Mar 21, 2008, at 21:31, Rupert Finnigan wrote:
>
>> I've been pondering something over in my head for a while, and can't reach a
>> decision and so am interested in what others' experiences might be.
>>
>> I'm currently working on a topology to link a number of retail units
>> together back to head-office that'll support VoIP, email (pop3) and EPOS
>> related traffic - basically the traffic requirements per store will be very
>> low. However, I expect there to eventually be 60-80 stores.
>>
>> I'm going to put 1801w routers in each store, as they're perfectly tailored
>> to the needs of a small-ish Retail location, and run DMVPN to handle the
>> spoke to spoke VoIP traffic. What I'm still trying to decide on is what to
>> put at the head-office hub end. I need something to concentrate the VPN
>> tunnels, and to terminate a SDSL line and so am thinking either an ASA 5510
>> with a 1803 router, or just a 2800 series router. At present we've got
>> something to terminate "road-warrior" clients and so that isn't a
>> consideration.
>>
>> Just interested in various options/comments or any pointers anyone can
>> offer.
>
> HTH
>
> Kaj
> -- 
> Kaj J. Niemi
> <kajtzu at basen.net>
> +358 45 63 12000
>