ASA or 2911 ISR?

benbuiltpc Member Posts: 80
We're going to be adding a second ISP at work. I've been pretty sure that I wanted to go with the ASA 5510, but then I find out that policy based routing is not available. So, with the ASA, my understanding is I can have as many subinterfaces/VLANs/networks as I want but can only define a default and backup route. I need to define rules such that:

Network A with protocol X goes over WAN1, existing firewall
Network A with protocol Y goes over WAN1, new firewall
Network B default route is WAN2, new firewall
Network C default route is WAN2, new firewall
etc.

(The "new" and "existing" firewalls will both be trunked to a Cat 3560-X, hopefully giving me parallel access to both WANs)

So, I'm considering the 2911 ISR with security. Is there anything the ASA will give me that the 2911 won't? I'm not looking for load balancing or failover.

Comments

  • networker050184 Mod Posts: 11,962
    Take a look at the Palo Altos. I've been working with them a bit lately and I like them much more than the ASA. They do support PBR also.
    An expert is a man who has made all the mistakes which can be made.
  • Lizano Member Posts: 230
    A Fortigate or a Sonicwall will also do that if budget is a constraint. There are several options out there; I've never tried what you are requesting with a 2911 ISR. Just curious, why are you not looking for failover if you have 2 WAN links?
  • it_consultant Member Posts: 1,903
    benbuiltpc wrote:
    We're going to be adding a second ISP at work. I've been pretty sure that I wanted to go with the ASA 5510, but then I find out that policy based routing is not available. So, with the ASA, my understanding is I can have as many subinterfaces/VLANs/networks as I want but can only define a default and backup route. I need to define rules such that:

    Network A with protocol X goes over WAN1, existing firewall
    Network A with protocol Y goes over WAN1, new firewall
    Network B default route is WAN2, new firewall
    Network C default route is WAN2, new firewall
    etc.

    (The "new" and "existing" firewalls will both be trunked to a Cat 3560-X, hopefully giving me parallel access to both WANs)

    So, I'm considering the 2911 ISR with security. Is there anything the ASA will give me that the 2911 won't? I'm not looking for load balancing or failover.

    This only works properly 2 ways: hot standby routing protocol or load balanced / bonded WAN links. Either way you are going to have to rethink your strategy. As others have mentioned, there are plenty of brands (I would use Juniper or Meraki) which can handle the link balancing for you in one device. In an HSRP environment you will want two similar devices.