cisco pix 515E replacing 2611XM router... do I still need router?

cyr0nk0r

Senior member
Dec 12, 2001
383
0
0
Currently the Cisco 2611XM is serving as both router and firewall. We don't do any crazy ACLs or anything. All we are using the router for is to NAT traffic from (2) /28 blocks of public IPs to our servers on the LAN.

However, the router's CPU is starting to get maxed out because of all the NAT'ing going on. It has been suggested to us to get a Pix 515E instead because the pix will do the NAT on the hardware layer instead of doing it in software.

So, once we get the 515E and get it doing all of our NAT'ing, can't we just pull out the 2611XM and get rid of it? I don't see the need to keep it since we aren't doing any crazy routes or anything.

 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
How many translations do you have? I wouldn't expect 2 /28 blocks to create that much of a load. What IOS version are you running? How much memory?

Nonetheless, I would go ASA...the PIX is a dying breed. As for the router, it depends; if you have cable or DSL service, ditch the router and just run the ASA. If you have something like a T1, you would have to keep the 2611.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Definitely second the ASA 5510. Just beware of its limitations (can't do routemaps, for instance).

If you've got an external DSL/Cable modem or an external DSU, you can get rid of the router. Otherwise, you'll need to keep it.

Also, I'll take the router off of you if you're getting rid of it ;)
 

cyr0nk0r

Senior member
Dec 12, 2001
383
0
0
Sorry, this is not for SOHO.
The feed is a 100mbps ethernet handoff.

The 2611XM currently has about 50+ static NATs set up within it:
"ip nat inside source static tcp <inside ip> <port> <outside ip> <port> extendable"

We can't afford an ASA.
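For reference, here is what one of those IOS static port forwards looks like once moved onto the 515E. This is an added example in PIX 7.x syntax, not configuration from anyone in the thread; the addresses (public block 203.0.113.0/28, server 10.0.0.10), the ACL name and the interface names "inside"/"outside" are constructed placeholders.

```cisco
! Original IOS line on the 2611XM (inside-ip inside-port global-ip global-port):
!   ip nat inside source static tcp 10.0.0.10 80 203.0.113.5 80 extendable

! PIX equivalent: static PAT, outside 203.0.113.5:80 -> inside 10.0.0.10:80.
! One line per forwarded port, the same way the IOS config has one per port.
static (inside,outside) tcp 203.0.113.5 80 10.0.0.10 80 netmask 255.255.255.255

! The translation alone admits no traffic: the outside interface (lower
! security level) is denied toward inside by default, so every forward
! also needs an explicit permit applied inbound on outside.
access-list outside_in extended permit tcp any host 203.0.113.5 eq 80
access-group outside_in in interface outside

! Return/outbound traffic from the LAN: PAT everything else to the
! outside interface address (assumed; adjust if the servers need their
! own public addresses outbound).
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Once traffic flows, `show xlate` lists the active translations and `show conn` the connections using them, which is the quick check that a given forward was carried over correctly.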
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I don't recall the throughput of a 515 but 100 Mbps may be too much for it. I can also understand why your 2611 can't keep up.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
A PIX 515E isn't that much cheaper than an ASA 5510 if you're buying new. If you're buying used, I could see where you're coming from.

We use two PIX 515Es here in failover configuration and they work wonderfully. We bought them used, as well.

Also, DSL/Cable/T1 does not necessarily imply a SOHO environment. Either an ASA 5510 or a PIX 515E could handle your situation just fine. Though, I'm interested in how much traffic you have that a 2611XM can't do it.

Edit: per Cisco Docs, the Pix 515E can do 190 Mbps clear text, bottoming out at 130 Mbps for AES encrypted VPN traffic.
 

cyr0nk0r

Senior member
Dec 12, 2001
383
0
0
Our traffic arrives encrypted. Although the router is not doing any VPN or AES itself, the traffic itself is encrypted, causing slowness.
We maintain about 30 Mbps at all times 24x7 through the 2611XM. Normally that wouldn't be too much of a problem, but since every bit of it is NAT'ed and all going to different ports on different LAN IPs, the router's CPU is usually at about 70-80% utilization.

We are expanding the business and will be pushed up to about 50 Mbps within the next 6 months or so, and I know for sure the 2611XM is just not going to cut it.
Yes, we will be getting the 515E used. My IT budget does not allow for anything "new".