
Best approach for replacing existing Cisco ASAs with UTMs and the Reds

I have the following scenario.

1. Cisco ASA Site to Site VPN between the HQ and the branches

We want to replace the Cisco ASAs with the Sophos UTMs and the Reds and want to know what the best approach is to go about doing this.

There are a couple of approaches that I am thinking of doing, and I am trying to verify whether they will work:
 
  1. Install the Sophos UTMs in parallel with the Cisco ASAs.  On Cisco ASAs, reroute the traffic that needs to go to the Red to the Sophos UTMs.  Slowly migrate the NAT rules from the Cisco ASAs to the UTMs.
  2. Install the Sophos UTMs behind the Cisco ASAs by creating another network between the Cisco ASAs and the Sophos UTMs.  Basically doing double NAT or routing.
  3. Install the Sophos UTMs behind the Cisco ASAs using transparent/bridge/mixed mode.  What features will not work in this mode?

What are some of the advantages and disadvantages of these approaches?

What do you guys recommend?

Really appreciate some comments on these.

Thank you!



  • Hi, Jimmy, and welcome to the UTM Community!

    You didn't say how many branch offices you have nor which SG appliance you're considering.  RED tunnels are resource-intensive.  Your reseller should be able to size correctly for you, so be sure they have skin in the game.

    I will usually recommend an SG 115 with Network Protection instead of a RED 50.  Faster, cheaper and more flexible.  For small offices with fewer than 10 PCs, a RED 15 is a cost-effective solution if you don't need faster throughput.

    I agree with the suggestion to use your 1st approach.  When bridging, you cannot do QoS.  I also dislike double-NAT, so if you want to try your 2nd approach, I would recommend using public IPs with no NAT.

    Cheers - Bob
