Cisco ASA 5512-X - Throughput Question



I work in a school and we need to reconfigure an old Cisco ASA 5512-X for routing and firewall purposes. Despite the ASA having 1GbE ports, its throughput is limited depending on what it is doing. According to Cisco's specifications, its throughput for different services is:

 

ASA IPS throughput: 250 Mbps (extra hardware not required)

Next-generation firewall throughput (multiprotocol): 200 Mbps

Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) VPN throughput: 200 Mbps

 

We have a 200Mb up/200Mb down Internet connection and do perform web-filtering (performed on a separate device) that decrypts, inspects and re-encrypts the data on the fly.

 

I want the ASA configured purely as a router and firewall so that only certain required ports are open and others can be configured if/when required.

 

My question: is this ASA actually going to throttle the connection to 200 Mbps, rather than the combined 400 Mbps we receive?


looking at the spec sheet

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

 

You can see that its "stateful" throughput is listed as 500 Mbps for stuff like TCP.. Read the notes for 2; the max is note 1, which says UDP traffic only.

[attached image: 5512specs.png, the throughput table from the spec sheet]

 

 

So if you're not going to use any of its other higher end features - and just as a stateful firewall.. Then it should be able to handle your 200/200 connection.  Which doesn't equal 400 btw ;)  It's 200 down and 200 up.. ;)


25 minutes ago, BudMan said:

looking at the spec sheet

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

You can see that its "stateful" throughput is listed as 500 Mbps for stuff like TCP.. Read the notes for 2; the max is note 1, which says UDP traffic only.

[attached image: 5512specs.png, the throughput table from the spec sheet]

So if you're not going to use any of its other higher end features - and just as a stateful firewall.. Then it should be able to handle your 200/200 connection.  Which doesn't equal 400 btw ;)  It's 200 down and 200 up.. ;)

Cheers for the info! Are any of these other higher end features going to be required for my setup or are they just niceties?

 

I wasn't sure about how 200/200 was calculated in this respect. So I can both download and upload at 200 Mbps at the same time, right? Or is it 'up to 200Mb' in each direction? So if I'm downloading at 150Mb, my upload will be limited to 50Mb and vice versa? (Internet technologies are usually out of my wheelhouse, but we have no money to get anyone in so it falls to me I guess! I just need to make sure I get everything right!)


Keep in mind that when you download, you're going to eat up part of your upload with ACKs.. And same when you're uploading, part of your download pipe is going to be eaten up with ACKs coming from the other end.. This is basic to how TCP works.

 

You would have to do the math on how much upload would be "required" in acks to hit 200Mbps down, etc.

 

So depending on how hard they limit you or how close you actually get to 200 on what your total upload/download at the same time could be, etc.

 

That 5512 has lots of bells and whistles - and many of them require special licensing, etc.  But there shouldn't be any "requirement" to use them, etc.

 

Pretty sure those devices are all end of sale, etc.  Where did you get this box - how do you have it licensed, etc. "Firepower" services require licensing..

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html

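The "do the math on ACKs" point above can be worked through concretely. The following is an added example, not code from BudMan or anyone in the thread. It assumes IPv4 + TCP with no options (40 bytes of headers), a 1460-byte MSS, standard Ethernet framing (header, FCS, preamble and inter-frame gap), delayed ACKs at one ACK per two full-size segments, and that every downloaded segment carries a full MSS; none of those figures come from the thread, and the link rates are treated as wire bit rates.

```python
# Added example (not from the thread): how much upload bandwidth do TCP ACKs
# consume while downloading at a given rate, and what is the largest rate a
# symmetric link can carry in both directions once those ACKs are counted?
# Assumptions: IPv4 + TCP without options, MSS 1460, Ethernet framing,
# delayed ACKs (one ACK per two segments), every segment full-size.

# Ethernet per-frame cost on the wire: 14-byte header + 4-byte FCS inside the
# frame, plus 8-byte preamble/SFD and 12-byte inter-frame gap outside it.
ETH_HEADER_FCS = 14 + 4
ETH_PREAMBLE_IFG = 8 + 12
ETH_MIN_FRAME = 64          # shorter frames are padded up to this size
IP_TCP_HEADERS = 20 + 20    # IPv4 + TCP headers, no options (assumption)
MSS = 1460                  # assumed maximum segment size


def wire_bytes(payload: int) -> int:
    """Bytes a TCP segment carrying `payload` data bytes occupies on Ethernet."""
    frame = max(ETH_HEADER_FCS + IP_TCP_HEADERS + payload, ETH_MIN_FRAME)
    return frame + ETH_PREAMBLE_IFG


def ack_fraction(mss: int = MSS, segments_per_ack: int = 2) -> float:
    """Ratio of reverse-direction ACK bits to forward-direction data bits."""
    return wire_bytes(0) / (segments_per_ack * wire_bytes(mss))


def ack_upload_mbps(download_mbps: float, mss: int = MSS,
                    segments_per_ack: int = 2) -> float:
    """Upload bandwidth (Mbps) eaten by ACKs while downloading at download_mbps."""
    return download_mbps * ack_fraction(mss, segments_per_ack)


def max_symmetric_mbps(link_mbps: float, mss: int = MSS,
                       segments_per_ack: int = 2) -> float:
    """Largest rate R such that R of data plus the ACKs for the other
    direction's R of data fit into link_mbps in each direction."""
    return link_mbps / (1 + ack_fraction(mss, segments_per_ack))


if __name__ == "__main__":
    for down in (50, 100, 200):
        print(f"{down:>4} Mbps down needs about "
              f"{ack_upload_mbps(down):.2f} Mbps of upload for ACKs")
    print(f"ACK on every segment instead of delayed ACKs at 200 Mbps down: "
          f"{ack_upload_mbps(200, segments_per_ack=1):.2f} Mbps of upload")
    print(f"Full-duplex ceiling on a 200/200 link: about "
          f"{max_symmetric_mbps(200):.1f} Mbps each way")
```

Under those assumptions a 200 Mbps download costs roughly 5.5 Mbps of upload in ACKs (about 2.7%), or roughly 11 Mbps if the receiver ACKs every segment, so the reply direction loses a few percent rather than being halved: the full-duplex ceiling on a 200/200 line works out to about 195 Mbps each way. Adding the TCP timestamps option (12 more bytes per packet) nudges these figures up slightly but does not change the conclusion.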


7 minutes ago, BudMan said:

Keep in mind that when you download, you're going to eat up part of your upload with ACKs.. And same when you're uploading, part of your download pipe is going to be eaten up with ACKs coming from the other end.. This is basic to how TCP works.

You would have to do the math on how much upload would be "required" in acks to hit 200Mbps down, etc.

So depending on how hard they limit you or how close you actually get to 200 on what your total upload/download at the same time could be, etc.

That 5512 has lots of bells and whistles - and many of them require special licensing, etc.  But there shouldn't be any "requirement" to use them, etc.

Pretty sure those devices are all end of sale, etc.  Where did you get this box - how do you have it licensed, etc. "Firepower" services require licensing..

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Licensing_the_Firepower_System.html

Ah, OK.

 

The 5512 is EOL; it was purchased back in 2015 by a third party who ripped out our old wired network and fitted a new one. At the time, the ASA was needed. A couple of years later, we changed ISP and they provided their own Juniper router instead. Now we've moved ISP again and they don't provide a router as part of their contract. Luckily we kept the ASA in storage. It's unlikely we got any of the extra features licensed at the time; even if we did, I would imagine that the licenses would have expired by now (I know for certain that they haven't been renewed in the past couple of years).


So you know something as small as a sg1100 would prob work for you ;)

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure ;)

 

And for sure could easily handle 200/200 without any concerns at all.


6 minutes ago, BudMan said:

So you know something as small as a sg1100 would prob work for you ;)

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure ;)

 

And for sure could easily handle 200/200 without any concerns at all.

 

I second this. He told me all about it... :) (will get this next month)


5 minutes ago, BudMan said:

So you know something as small as a sg1100 would prob work for you ;)

https://www.netgate.com/solutions/pfsense/sg-1100.html

 

I can say for a FACT!!!! that would be a 1000x easier to configure ;)

Interesting. I have a feeling that the third party we had in were having us on at the time.

 

So would a device like that handle the 200/200 line or the up to 500 concurrent devices we may have accessing at any one time?


Sure it would.. Contact their sales if you have specific concerns.. They do sell bigger boxes, say the 3100 for a couple 100 more..

 

You could also just put pfsense on your own hardware ;)


The 5512-x without IPS will handle 500Mb/s no problem.  With IPS it chokes.  

 

The ASA isn't quite dead yet, but it doesn't have much longer to live (support wise).  I have two 5512-x's in place today and am looking at replacing them with firepower 2110 devices.  

 

If you know ASA, the 5512-x isn't too hard to configure.  If you don't know ASA, it is a steep learning curve.


On 4/1/2019 at 8:58 PM, sc302 said:

The 5512-x without IPS will handle 500Mb/s no problem.  With IPS it chokes.  

 

The ASA isn't quite dead yet, but it doesn't have much longer to live (support wise).  I have two 5512-x's in place today and am looking at replacing them with firepower 2110 devices.  

 

If you know ASA, the 5512-x isn't too hard to configure.  If you don't know ASA, it is a steep learning curve.

Cheers. I don't know ASA, so it was interesting. I managed to configure my default routes, NAT rules and access rules. When we switched our services over to the new provider using the ASA, Internet access was working fine (including filtering); however, access to internal resources such as email (AD FS), RDS and a web server wasn't. I did all I could to get it working to no avail. Since this is a live system, we had to get it sorted as soon as possible. I had to involve a third party IT solutions/support company who had expertise in this sort of thing. They managed to get it sorted and it turns out that the routing that is in place on my core switch was causing problems for the ASA. They made some amendments and now it's all working. I'm glad we got them in, even if it's meant we have to pay out a few hundred, because it's not something I would have been able to sort by myself.
