From: Muhammad Nasim (muhammad.nasim@gmail.com)
Date: Sat Feb 07 2009 - 11:12:30 ARST
Dear Radioactive,
That means a firewall should not even give support for any routing because it
is a hard core router's function.
The features and functions are being introduced in almost every firewall in
almost every release because the networks need those features and
functions.
It will be very easy for Cisco's, Juniper's software development teams to
say that this feature is not supported because it is NOT a firewall thing.
Instead they are introducing it.
PBR is a very very valid feature that should be available on the firewalls.
Actually PBR on the firewall makes things simple.
2009/2/7 Radioactive Frog <pbhatkoti@gmail.com>
> Guys, don't forget that it will be a good idea of ASA or any firewall to
> do PBR. That should be a router's function.
>
> People do overcomplicate! Here is the example.
>
>
>
> On Sat, Feb 7, 2009 at 10:50 PM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>
>> Agreed, it is a feature Cisco should have introduced long ago :)
>>
>> But will I pay 8 times the cost for a feature that I don't need? Not many
>> people use ASA5505s to multi-home.
>>
>> Regards
>>
>> Farrukh
>>
>> On Sat, Feb 7, 2009 at 2:32 PM, Muhammad Nasim <muhammad.nasim@gmail.com> wrote:
>>
>> > Dear Farrukh,
>> > Cisco ASA does not support PBR or Source Based routing. I am seeing a lot
>> > of people want to do this at the firewall.
>> >
>> > Also when there will be a lot of site to site VPNs and remote access VPNs
>> > running on the ASA it simply turns down some of the tunnels.
>> >
>> > Chris,
>> >
>> > I would strongly recommend to look deeply into what features and
>> > functionalities you are using at your Check Point and then confirm
>> > that the ASA does have these features as well.
>> >
>> > HTH
>> >
>> >
>> >
>> >
>> >
>> > 2009/2/7 Farrukh Haroon <farrukhharoon@gmail.com>
>> >
>> >> who = you :)
>> >>
>> >> On Sat, Feb 7, 2009 at 10:12 AM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
>> >>
>> >> > You can find a side-by-side comparison here:
>> >> >
>> >> > http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
>> >> >
>> >> > All vendors have their particular pros and cons, everybody can't afford a
>> >> > BMW (or a Daewoo for that matter).
>> >> > E.g. with Juniper who have to buy a separate box for SSL VPN etc.
>> >> >
>> >> > Regards
>> >> >
>> >> > Farrukh
>> >> >
>> >> > On Sat, Feb 7, 2009 at 2:42 AM, Christopher Copley <copley.chris@gmail.com> wrote:
>> >> >
>> >> >> Well, my vote was for the Juniper Netscreens, but I got overruled. The
>> >> >> reason we are going from Checkpoint to ASA is really for 2 reasons...
>> >> >> 1. Political
>> >> >> 2. Costs
>> >> >>
>> >> >> My management is die hard Cisco everything! Plus the way we buy
>> >> >> Checkpoint and do support puts a serious hurt on us. The cost of the
>> >> >> Checkpoint is 7 or 8 times higher than a comp Cisco model. And our
>> >> >> support cost and times are very poor. Without getting into a very long
>> >> >> story, it is a much better deal to go Cisco than Checkpoint. Plus it
>> >> >> means more training for me! And that is never a bad thing!
>> >> >>
>> >> >>
>> >> >> Chris
>> >> >>
>> >> >>
>> >> >> On Fri, Feb 6, 2009 at 6:23 PM, Felix Nkansah <felixnkansah@gmail.com> wrote:
>> >> >>
>> >> >> > Hi Chris,
>> >> >> > The 5505 uses switched ports instead of the routed ports you would see in
>> >> >> > the higher models.
>> >> >> >
>> >> >> > One has to use SVIs for L3 stuff on the 5505 therefore (like we do on the
>> >> >> > FWSM).
>> >> >> >
>> >> >> > The 5505 does not support security contexts and stateful failover (even
>> >> >> > though it supports bare active/standby failover).
>> >> >> >
>> >> >> > Get a box with a security plus license anyway if you want to enjoy enough
>> >> >> > functionalities.
>> >> >> >
>> >> >> > By the way, why are you replacing Checkpoint with Cisco? It's like
>> >> >> > replacing BMWs with Daewoo.
>> >> >> >
>> >> >> > If you have to introduce new firewall/IDS/IPS/UTM stuff in your network, I
>> >> >> > would advise you to go for Juniper products instead.
>> >> >> >
>> >> >> > 2 cents!
>> >> >> >
>> >> >> > Felix
>> >> >> > ccie r&s, security
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > On Fri, Feb 6, 2009 at 10:34 PM, Christopher Copley <copley.chris@gmail.com> wrote:
>> >> >> >
>> >> >> >> Group,
>> >> >> >>
>> >> >> >> My company is moving away from Checkpoints to ASA's. I have got my
>> >> >> >> management to buy me 2 ASA 5505's for my lab to learn. My question is, how
>> >> >> >> do the 5505's compare to the 5510 and above? Is there much that I will
>> >> >> >> not be able to test or practice with the 5505's, or major differences?
>> >> >> >>
>> >> >> >>
>> >> >> >> Chris
>> >> >> >>
>> >> >> >>
>> >> >> >> Blogs and organic groups at http://www.ccie.net
>> >> >> >>
>> >> >> >>
>> >> >> >> _______________________________________________________________________
>> >> >> >> Subscription information may be found at:
>> >> >> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>> >
>> > --
>> > Muhammad Nasim
>> > Network Engineer
>> > Saudi Arabia
>>
>
--
Muhammad Nasim
Network Engineer
Saudi Arabia
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST