Axis
Post Whore
Posts:
1045
Joined:
Thu Nov 04, 2010 9:55 am
Certs:
CCNA

Replacing ASA5510

Mon Aug 08, 2011 2:12 pm

I guess my main question is how steep is the learning curve with Junos vs IOS?

We're doing a complete network overhaul and currently running an asa5510 which has been great, but we've outgrown it and it is now a bottleneck on the network. I'm trying to convince my CIO to go with a SRX240 vs a 5540/5550 (would prefer at least 1Gbps firewall throughput) as spending $3k on the 240 would allow us to save quite a bit of money that I could then throw back into the overhaul in other places.
The best part about telling UDP jokes is I don't really care if you get them or not.

willroute4food
Member
Posts:
200
Joined:
Fri Nov 13, 2009 4:42 pm
Certs:
CCIE R&S

Re: Replacing ASA5510

Mon Aug 08, 2011 2:31 pm

I put in a couple of clustered SRX240's a while back. While they are good boxes, you will miss some of the "knobs" that Cisco has like ip-tracking (Juniper has this but it's some clusterf*!@ of a script you have to use). Then there were a couple of other things that would drag this out way too much. To answer your original question about the learning curve...not too bad. If you can do IOS, and have the time to spend behind the Junos console, you will be ok.

Axis
Post Whore
Posts:
1045
Joined:
Thu Nov 04, 2010 9:55 am
Certs:
CCNA

Re: Replacing ASA5510

Mon Aug 08, 2011 3:08 pm

Thanks, they are kind of putting everything into a "rush mode" which is kind of nice because we've needed upgrades for the longest time....however it's not so nice in the fact that I really don't know how much time I'd get to configure it before they wanted it in place. I suppose we can stick with the 5510 until I feel sufficiently comfortable to put the 240 into production. The main thing that had me worried was VPN configuration for remote users. I just recently finished the config on the ASA so that all VPN users authenticate via domain credentials through LDAP and run all ACLs through the ASA.

I find things that say the SRX's worst feature is its VPN interface, or things like http://www.evanhoffman.com/evan/2011/05 ... lient-vpn/, that worry me a bit.

Any thoughts on that? Also, how well do they play in a multi-vendor environment (i.e. Cisco and HP)?

willroute4food
Member
Posts:
200
Joined:
Fri Nov 13, 2009 4:42 pm
Certs:
CCIE R&S

Re: Replacing ASA5510

Mon Aug 08, 2011 3:18 pm

Ha, funny you mentioned it. When I said 'Then there were a couple of other things that would drag this out way too much.', I was referring to VPN woes. Their IPsec VPN functionality on the SRX sucks ass, and was quite possibly the biggest pia, and greatest waste of my time that I have experienced in quite a while. After buying the licenses, configuring it to work with our ACS server, etc., we ended up not even using it. Which is ok, because the VPN was pretty slow IMO, when it did establish. If I ever deployed an SRX again, I would just buy Juniper's SSL VPN appliance as well.

Axis
Post Whore
Posts:
1045
Joined:
Thu Nov 04, 2010 9:55 am
Certs:
CCNA

Re: Replacing ASA5510

Mon Aug 08, 2011 4:10 pm

Ahh, ya, that's a real shame. It's going to be a hard sell as the VPN is a pretty big deal...it almost sounds like it would be best to leave the 5510 in place as just a VPN server. That, or when you add the SRX240 and the VPN appliance costs together then you're getting back to the cost of the ASA5540. Granted, the 5540 only has half the firewall throughput of the 240.

Vology has the ASA5550-BUN-K9 listed for $7500, which isn't too bad considering it comes with a lifetime warranty.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: Replacing ASA5510

Thu Aug 11, 2011 8:23 am

Axis wrote: Granted the 5540 only has half the firewall throughput of the 240.

Keep in mind that those throughput figures are not running any services such as QoS, NAT, etc.

Axis
Post Whore
Posts:
1045
Joined:
Thu Nov 04, 2010 9:55 am
Certs:
CCNA

Re: Replacing ASA5510

Mon Aug 15, 2011 5:07 pm

texanmutt wrote:
Axis wrote: Granted the 5540 only has half the firewall throughput of the 240.

Keep in mind that those throughput figures are not running any services such as QoS, NAT, etc.

True, but I would assume the 240 would retain the higher throughput unless it doesn't have the processing power the 5540 does.

texanmutt
Post Whore
Posts:
1971
Joined:
Sat Oct 20, 2007 11:05 am
Certs:
CCNA

Re: Replacing ASA5510

Thu Aug 18, 2011 8:07 am

According to the data sheets the ASA 5540 is rated at 500K PPS, 25K connections per second, 400K total sessions. An SRX240H (high memory) is rated, without services or UTM enabled, at 200K PPS, 9K connections per second and 128K total sessions. This performance is closer to an ASA5510, not counting NAT, VPN, QoS, etc.

If you want to go Juniper, an SRX650 would be more suited to the performance level you are looking for.

Packet-Jockey
New Member
Posts:
1
Joined:
Sun Nov 27, 2011 5:41 am
Certs:
CCNA

Re: Replacing ASA5510

Sun Nov 27, 2011 5:51 am

We use SSG550s for IPsec site-to-site VPNs, and ASA5510s for client VPN access. Works well for us over 3 sites. Axis, how'd it go for you? Did you implement your proposed cfg in the end?
