
Best method for replacing existing ASA 5505 firewalls?

I have two offices, both with Cisco ASA 5505 firewalls with a VPN linking the two offices. Our main office is 45 staff while our smaller office has limited personnel use (sporadically occupied during the week) and serves as our backup DR site. Firewall policies on the ASAs are pretty straightforward.

I have purchased an XG 210 for the main office and an XG 115 for the small office. Both have Enterprise Protect. Initially, I just want to replicate what the ASAs are doing and then I'll expand into the additional features of the XG firewalls as I learn more about their capabilities.

My question is on initial deployment. I can have some flexibility with our small office because I can just let staff know to work in the main office during the migration. I have a bigger concern about backup replication to the remote office, so I want to minimize the downtime of the site-to-site VPN.

I'm looking for suggestions on deployment. I figure I'll start with the small office during the work week, get the XG 115 set up there, recreate the site-to-site VPN between the two locations so backups can then occur again, and then over the weekend, I'll use the experience I gained from the XG 115 install to do the XG 210 in our main office.

1) Does this sound like a reasonable migration plan?

2) Are there any issues (or guides) with setting up a site-to-site IPsec VPN between Sophos XG and Cisco ASA 5505?
  • Hi Greg,

    Welcome to Sophos!

    In regard to your migration, I would actually suggest a different approach to this. If you can schedule enough downtime on the weekend, I would instead recommend doing a complete XG to XG migration. You would be able to leave the existing Cisco ASA tunnel in place while you worked on the configuration and migration of the XGs and getting them set up to test. It may not be worth the time of troubleshooting if the tunnel migration between the ASA and the XG does not go smoothly, since you are going to completely migrate both sites anyway.

    With an XG to XG VPN tunnel, you have similar default IPsec policies to utilize, and also have 2 other tunnel options (RED and SSL) instead of IPsec since they are both XGs. You would then be able to test all 3 of the tunnel types to find out which option suits your administrative needs.

    Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key

    Sophos XG Firewall: How to configure Site-to-Site RED Tunnels

    Sophos Firewall: How to set up a Site-to-Site SSL VPN

    Regards,

    FloSupport | Community Support Engineer

  • Thanks for the response.

    I'm all for leaving the Cisco tunnel untouched during the migration, but I'm not sure how I'm able to leave the existing tunnel in place while I'm building the Sophos tunnel. I might be able to do it at our main site because we have multiple external IPs that I can utilize. The smaller site has a single external IP.

    How can I have both products in place simultaneously?

  • Sophos v17 IPSEC VPN is unstable and needs more caution during migration.

    If possible make sure both the XG firewalls have SFOS 16.05.8 MR8 firmware before creating tunnels.

  • Hey

    In that case, you might not have the luxury of having both in place at the same time (test LANs on both sites, multiple external IPs). However, I'd still advise performing the migration completely. Please reach out to me via thread or PM if you still have any further questions.

    Also I forgot to link our KB article regarding our recommended settings for IPsec profiles, if you decide to go with that method of a VPN tunnel.

    Best,

    FloSupport | Community Support Engineer

  • Thanks for the suggestion. Doing a cutover migration is probably the way to go, with the conversion of the smaller site tomorrow and then the main site either tomorrow night or Saturday morning. Our main backup system is in the main site and will just queue up replication to the remote DR site until after the new VPN is established. I'll just want to be as quick as possible in bringing the main site online to get the new VPN established. The good thing about this is that the ASA configurations will be unaltered and can be brought back online if necessary, if I run into too many issues with the Sophos XG deployment.