
Best approach for replacing existing Cisco ASAs with UTMs and the Reds

I have the following scenario.

1. Cisco ASA Site to Site VPN between the HQ and the branches

We want to replace the Cisco ASAs with Sophos UTMs and REDs and want to know the best approach to go about doing this.

There are a couple of approaches that I am thinking of, and I am trying to verify whether they will work:
 
  1. Install the Sophos UTMs in parallel with the Cisco ASAs.  On Cisco ASAs, reroute the traffic that needs to go to the Red to the Sophos UTMs.  Slowly migrate the NAT rules from the Cisco ASAs to the UTMs.
  2. Install the Sophos UTMs behind the Cisco ASAs by creating another network between the Cisco ASAs and the Sophos UTMs.  Basically doing double NATing or routing.
  3. Install the Sophos UTMs behind the Cisco ASAs using transparent/bridge/mixed mode.  What features will not work in this mode?

What are some of the advantages and disadvantages of these approaches?

What do you guys recommend?

Really appreciate some comments on these.

Thank you!



  • Hello Jimmy,

    I agree with Nick, we used approach #1 and every step went without a hitch.

    Something I did was to go through my ASA config line by line and create a spreadsheet with all my NAT statements, port-forwarding statements etc. and made sure when I built the UTM configuration I had the equivalent line from the ASA included in the UTM.

    As far as the remote offices are concerned, the RED devices are "plug-n-play" by nature, so once they are configured on the UTMs you should be able to plug them into the Internet connection at the remote office; the RED contacts the cloud, gets its config, reboots and connects back to the host UTM. Done.

    The key for me was mapping my ASA config to my UTM line by line with the spreadsheet as a guide.

    Take care

    todd

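A helper for the line-by-line ASA-to-UTM mapping todd describes, added here as an example and not code from this thread or from Sophos: it reads a constructed ASA config excerpt (object NAT, a pre-8.3 `static` line and a crypto-map VPN peer), produces one row per statement with a blank `utm_rule` column for the equivalent UTM rule, and renders the rows as CSV for the spreadsheet. The function names, regexes and sample addresses are my own assumptions.

```python
import csv
import io
import re

# Constructed sample in Cisco ASA syntax (not a real config; RFC 5737 documentation addresses).
SAMPLE_ASA_CONFIG = """\
object network WEB_SRV
 host 10.10.1.20
 nat (inside,outside) static 203.0.113.20 service tcp 443 443
object network LAN_USERS
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
static (inside,outside) 203.0.113.21 10.10.1.21 netmask 255.255.255.255
crypto map OUTSIDE_MAP 10 set peer 198.51.100.7
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
ADDR_RE = re.compile(r"^ (host|subnet) (\S+)(?: (\S+))?$")
OBJ_NAT_RE = re.compile(r"^ nat \((\S+),(\S+)\) (static|dynamic) (\S+)(?: service (tcp|udp) (\S+) (\S+))?$")
LEGACY_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask \S+)?$")  # pre-8.3: mapped IP before real IP
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
FIELDS = ["asa_line", "kind", "object", "interfaces", "real", "mapped", "service", "utm_rule"]

def _row(num, kind, **fields):  # utm_rule stays blank: the matching UTM rule is entered by hand
    return {**dict.fromkeys(FIELDS, ""), "asa_line": num, "kind": kind, **fields}

def parse_asa(config):
    """One row per NAT statement or site-to-site VPN peer in the ASA config text."""
    rows, obj = [], None
    for num, line in enumerate(config.splitlines(), 1):
        if m := OBJ_RE.match(line):
            obj = {"name": m.group(1), "real": ""}
        elif (m := ADDR_RE.match(line)) and obj:
            obj["real"] = m.group(2) if m.group(1) == "host" else f"{m.group(2)}/{m.group(3)}"
        elif (m := OBJ_NAT_RE.match(line)) and obj:
            svc = f"{m.group(5)} {m.group(6)}->{m.group(7)}" if m.group(5) else ""
            rows.append(_row(num, f"{m.group(3)}-nat", object=obj["name"], interfaces=f"{m.group(1)}->{m.group(2)}",
                             real=obj["real"], mapped=m.group(4), service=svc))
        elif m := LEGACY_RE.match(line):
            rows.append(_row(num, "static-nat", interfaces=f"{m.group(1)}->{m.group(2)}", real=m.group(4), mapped=m.group(3)))
        elif m := PEER_RE.match(line):
            rows.append(_row(num, "vpn-peer", object=f"{m.group(1)} {m.group(2)}", mapped=m.group(3)))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Run `print(to_csv(parse_asa(open("asa.cfg").read())))` against a saved `show running-config` and check every row off as its UTM counterpart is built; the `asa_line` column points back at the exact ASA statement.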