Firewall Options
-
Got an old ASA 5510 that works fine, but needs a firmware update. The reason we need to be updated is for it to work for Azure, which will hold our data (1DC, 1 fileserver...easy beans). In order to get this update, you have to be on a Smartnet contract. I'm wondering if this isn't the best way to spend the $$$. We are talking a few servers and a VOIP phone system onsite.
Any ideas? Would you keep what is working and go with Smartnet, or ditch it and get a cheaper firewall?
-
In what way does the ASA not work? Why not bypass this with free software or an EdgeRouter?
-
Right now, everything works fine. Was told that in order to have a site to site connection, I need to be on 8.3 firmware. I think I'm on 8.1.
To be honest, I haven't looked at alternatives yet. The past 3 jobs have all had 5510s, so that's all I've known for like the past 10 years or whatever LOL.
Alternative ideas are welcome!!
-
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
-
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
-
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
-
@scottalanmiller said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?
-
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?
Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.
-
In any case - a Ubiquiti Edge Router is approximately $100 - what's the issue in buying one of these?
-
@Dashrender said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?
Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.
Interesting!
-
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?
Possible, but more likely Cisco lacks some flexibility and you need something more robust. They probably only added the needed power with that update. Just a guess.
-
@Dashrender said in Firewall Options:
In any case - a Ubiquiti Edge Router is approximately $100 - what's the issue in buying one of these?
Just a lack of knowledge on them, that's all.
-
@Dashrender said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
@Son-of-Jor-El said in Firewall Options:
@scottalanmiller said in Firewall Options:
5510s are fine, I'm not implying anything. Just that the cost to keep them working is probably really high when alternatives might be free or cheap.
I understand and didn't say you were implying anything.
That's what I'm thinking!! Free though? Hmmm...I didn't think there were any free alternatives.
VPN tech is "always" free. There are only two really major VPN types out there, IPSec and SSL. Cisco just uses standard IPSec, not aware of anything proprietary, that's why it can talk to "anything". Why Azure is a problem, no idea.
So, is it possible that the firmware update isn't needed and they are blowing smoke up my ass?
Unless there is a known bug in the ASA firmware that causes issues with Azure, sure sounds like it.
I would guess more of a limitation on settings. Like not having a way to configure an uncommon option that is necessary.
-
I am asking the person who said I needed the update what SPECIFIC issue causes us to do the update. Let's see what they say.
-
You should look at what's been patched in that newer version of the firmware - that to me is a bigger reason to either purchase SmartNet or move away from the ASA.
-
End of support is coming up fast on the 5510 - http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html.
-
So, I got the following response on why I need 8.3: Based on the debugging information, lack of proper ikev2 support appears to be involved in the connectivity failures. Unless the device is upgraded to firmware version 8.3 or later, you cannot use it to establish a site-to-site tunnel to Azure.
-
@Son-of-Jor-El said in Firewall Options:
So, I got the following response on why I need 8.3: Based on the debugging information, lack of proper ikev2 support appears to be involved in the connectivity failures. Unless the device is upgraded to firmware version 8.3 or later, you cannot use it to establish a site-to-site tunnel to Azure.
So the answer is... the 5510 doesn't have proper IKEv2 support. What year is this?
-
Cisco, only 12 years behind. Just great.