Cisco ASA 5505 - need more site-to-site VPNs

Solution 1:

If you can imagine a situation where you might need over 25 tunnels, go for the 5510; no sense in throwing the extra money at a 5505 security plus license if it won't sustain your needs in the long run.

That said, if 15-20 is all you'll ever need, then it's a lot more cost effective to get the license upgrade.

Cisco's limits on the devices are pretty arbitrary; they have very little to do with performance constraints on the ASA, and everything to do with having a lot of false barriers in place to force you to go with a more expensive device. I wouldn't expect any performance issues with the 5505 until you're saturating those 100mb interfaces.

Solution 2:

Upgrading to the 5510 just for the VPN tunnels is overkill, yes.

There are, however, a few options that you might like to have in the future, which only the ASA5510 and above can support:

  • Stateful failover (active/active or active/passive, the latter becoming extremely popular)
  • 125.000 connections on the 5510 compared to 25.000 connections on the 5505
  • 3 times the network throughput. Perhaps you want to add another network/vlan on the ASA one day, and intra-VLAN speeds need to be a bit quicker than 100mbit/s? I've been in that situation several times.
  • Content Security, Anti-malware, Anti-virus etc (the SSM modules)
  • Etherchannel support - VERY useful if you're using stacked switches (like 3750) as a backbone
  • Much, much better cooling with dual fans. This could be quite important for you depending on the environment where these are running.

I hope this helps you, although I know there is quite the difference in pricing.

Solution 3:

If you don't mind the hassle of swapping out equipment, then I would say the 5510. But if you get flak for taking anything down, then doing the license upgrade would do you fine too. Not to throw a monkey wrench into the idea though, but if you are looking for another possibility for failover, you could go with some Cisco 2800 routers and do DMVPN. Dynamic routing, for each site to site (if needed), but just dropping in my 2 pennies.