From: Kulcsár
Date: Fri Nov 03 2006 - 14:10:43 ART
ASA pros:
ASA is more secure as it is a firewall. You can do application inspection on VPN traffic or optionally use AIP-SSM for IPS purposes, or use CSC-SSM for antivirus, anti-spyware and file blocking.
VPN3000 default settings are extremely insecure (for example, a bunch of management protocols are enabled).
ASA ACLs are stateful, VPN3000 ACLs are not. You always have to configure both directions, which is a great mess.
ASA is easier to manage using the plain old CLI. The web GUI of CVPN is ugly - sometimes you go crazy trying to find a feature in the menus.
The ASA also has a web GUI - ASDM.
You cannot account configuration changes with VPN3000 using TACACS+. It does not have a CLI.
There is real active/standby failover with ASA - you only have to configure the primary unit. With VPN3000 you have to configure both units separately.
ASA supports VPN stateful failover while VPN3000 doesn't.
It's easier to debug ASA with CLI than debug VPN3000 web GUI.
ASA configs are human-readable. VPN3000 configs look like a messed-up Windows ini file: impossible to edit.
You can cut and paste ASA configs.
VPN3000 pros:
PPTP is not supported on ASA.
Encryption throughput for VPN3080 is 100 Mbps, while ASA550 has 425 Mbps. However, the maximum number of tunnels is 10,000 for VPN3080 and only 5,000 for ASA550.
Regards,
Andras
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of WorkerBee
Sent: Friday, November 03, 2006 4:41 PM
To: cstubbs@tampabay.rr.com
Cc: ccielab@groupstudy.com
Subject: Re: Security appliance question ASA 5550 vs. VPN 3080
ASA has an ugly way of doing RRI ("Reverse Route Injection") of host routes, unlike VPN 3k; it can inject subnet.
ASA cannot perform QoS over tunnel interfaces.
VPN3k GUI is much nicer and richer in support.
On 11/3/06, cstubbs@tampabay.rr.com <cstubbs@tampabay.rr.com> wrote:
> Guys,
> For an enterprise network what are the pros and cons or desired hardware solution for a VPN termination appliance, ASA 5550 VS. VPN 3080 Concentrator? To me the performance level looks even, but the software features on the ASA seem limited vs. the VPN concentrator. Any thoughts?
>
>
>
> Chris