Cisco ASA to pfSense Migration
- January 13th, 2012
- Posted in Computers
I’ve been a Cisco advocate for many years, all the way from PIX 501s up to ASA 5520s, and then running along in the router line of 2801s and a few other models in the mix. We have a corporate network that supports about 220 external staff across about 50 branches, all of which connect in via IPsec VPN over the public internet. I have heard all of the naysayers proclaim that what I am doing is impossible and unreliable, yet I have 99.9% uptime across some locations. It’s amazing how well the Cisco ASA can handle numerous IPsec connections and be an effective firewall as well.
So, with a well-running machine that I have set up, I might as well go ahead and take it apart, right? Along with being a heavy Cisco shop, I am heavily involved with anything Linux and open source, so it’s the logical decision to look at some kind of Linux-based solution to any problem. If Linux can’t solve it, it’s not worth solving, right?
Here is where pfSense enters into the solution. We currently have one Cisco ASA 5520 handling our VPN terminations, and it’s been doing a remarkable job at it. We’re planning a data center move, and along with the move will come some infrastructure changes. One of them was setting up a hot/cold ASA failover pair that will make us more resilient to hardware failures.
The problem is that the ASAs we have on hand are really starting to get old (at 5 years I start wondering about any piece of equipment), and I felt that we needed an upgrade.
I have always played around with pfSense in small deployments, running it at home or on a spare network here at work. With the recent upgrade to version 2.0, I felt it was worth a shot to try it out. So, here is the testing setup that I have so far:
What we have are two HP workstations running pfSense in a CARP failover pair, an HP 5406zl switch on the batting deck ready to be implemented (in a full Layer 3 setup), a 2620 switch running Layer 3, and a 2520 running as my dual internet connection to support CARP.
Believe it or not, this whole setup works great! The HP workstations have plenty of oomph to run pfSense, and they both have Intel quad-port PCI-E NICs which handle all of my traffic.
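A CARP pair is only as good as its agreement about who is MASTER. The most common failure in a two-node setup like the one above is split-brain, where both firewalls claim the VIP (typically because the switch between them drops the CARP multicast or the VHID passwords differ), and the next most common is a quiet inversion of the preferred master because the advskew values were set backwards. The following script is an added example, not code from the original post or from pfSense: it parses the `carp: STATE vhid N advbase X advskew Y` lines that FreeBSD's `ifconfig` prints under each interface carrying a VIP, compares the two nodes, and reports a per-VHID verdict. The two ifconfig outputs embedded below are constructed sample data with documentation addresses; on a real pair you would capture `ifconfig` from each node (for example over SSH) and feed that text in.

```python
import re
from typing import Dict, Tuple

# Matches the CARP status line FreeBSD/pfSense ifconfig prints under an
# interface that carries a CARP VIP, e.g. "carp: MASTER vhid 1 advbase 1 advskew 0".
CARP_LINE = re.compile(
    r"^\s*carp:\s+(?P<state>MASTER|BACKUP|INIT)\s+vhid\s+(?P<vhid>\d+)"
    r"\s+advbase\s+(?P<advbase>\d+)\s+advskew\s+(?P<advskew>\d+)",
    re.MULTILINE,
)

# Constructed sample output from the intended primary node (addresses from RFC 5737).
PRIMARY_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.10.0.11 netmask 0xffffff00 broadcast 10.10.0.255
\tinet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.11 netmask 0xffffff00 broadcast 198.51.100.255
\tinet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255 vhid 3
\tcarp: MASTER vhid 3 advbase 1 advskew 0
"""

# Constructed sample output from the secondary node. VHID 1 is healthy, VHID 2
# shows split-brain (both nodes MASTER), and VHID 3 was never configured here.
SECONDARY_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.12 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
\tcarp: BACKUP vhid 1 advbase 1 advskew 100
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.10.0.12 netmask 0xffffff00 broadcast 10.10.0.255
\tinet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 100
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.12 netmask 0xffffff00 broadcast 198.51.100.255
"""


def parse_carp(ifconfig_text: str) -> Dict[int, Tuple[str, int]]:
    """Return {vhid: (state, advskew)} for every CARP VIP in one node's ifconfig output."""
    vips = {}
    for m in CARP_LINE.finditer(ifconfig_text):
        vips[int(m.group("vhid"))] = (m.group("state"), int(m.group("advskew")))
    return vips


def check_pair(primary_text: str, secondary_text: str) -> Dict[int, str]:
    """Compare the CARP view of the two nodes and return a verdict per VHID.

    The primary is the node that should normally hold the VIPs, so it is
    expected to be MASTER with a lower advskew than the secondary.
    """
    primary = parse_carp(primary_text)
    secondary = parse_carp(secondary_text)
    findings = {}
    for vhid in sorted(set(primary) | set(secondary)):
        if vhid not in primary or vhid not in secondary:
            findings[vhid] = "missing on one node"
            continue
        p_state, p_skew = primary[vhid]
        s_state, s_skew = secondary[vhid]
        if p_state == "MASTER" and s_state == "MASTER":
            findings[vhid] = "split-brain: both MASTER"
        elif "MASTER" not in (p_state, s_state):
            findings[vhid] = "no MASTER"
        elif p_skew >= s_skew:
            # Preference is inverted: the secondary would win an election.
            findings[vhid] = "advskew not lower on primary"
        elif p_state == "BACKUP":
            findings[vhid] = "failed over to secondary"
        else:
            findings[vhid] = "ok"
    return findings


if __name__ == "__main__":
    for vhid, verdict in check_pair(PRIMARY_IFCONFIG, SECONDARY_IFCONFIG).items():
        print(f"vhid {vhid}: {verdict}")
```

Anything other than `ok` or `failed over to secondary` is worth an alert; the split-brain case in particular means both boxes are answering ARP for the same VIP and traffic will flap between them. The script deliberately keys on the VHID rather than the interface name, since the two nodes may not have identical NIC ordering.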
The next step is to replace the HP workstations with a pair of Dell R210 II servers running SSDs as local storage. Stay tuned!