
Best approach for replacing existing Cisco ASAs with UTMs and the Reds

I have the following scenario.

1. Cisco ASA Site to Site VPN between the HQ and the branches

We want to replace the Cisco ASAs with the Sophos UTMs and the Reds and want to know the best approach to go about doing this.

There are a couple of approaches that I am thinking of, and I am trying to verify whether they will work:

  1. Install the Sophos UTMs in parallel with the Cisco ASAs. On the Cisco ASAs, reroute the traffic that needs to go to the Red to the Sophos UTMs. Slowly migrate the NAT rules from the Cisco ASAs to the UTMs.
  2. Install the Sophos UTMs behind the Cisco ASAs by creating another network between the Cisco ASAs and the Sophos UTMs. Basically doing double NATing or routing.
  3. Install the Sophos UTMs behind the Cisco ASAs using transparent/bridge/mixed mode. What features will not work in this mode?

What are some of the advantages and disadvantages of these approaches?

What do you guys recommend?

Really appreciate some comments on these.

Thank you!

  • Thank you all for the reply!!! That was really helpful!!!

    We decided to try option 2 since we don't have extra public IP addresses. We are going to turn off masquerade and just route instead so we don't have to double NAT. Will filtering and all other functions still work?

    We just discovered that the Sophos Red does not support PPPoE connections. Can someone confirm? PPPoE for WAN is what we are currently using for the ASA at the branches.
