Recommendations for replacing ASA routers in a WAN

Afternoon all - I am currently at the point of replacing my older Cisco ASAs for my company and wonder what kind of thing(s) others would consider/suggest. I currently have my network split up into two separate hubs connected with a VPN (as well as VPNs connecting remote spokes to the HUB):

One of the main problems with this setup I would like to eliminate is when either HUB (Office 1 or 2) goes down, the attached remote facilities to that HUB also cannot function properly without difficult manual workarounds. I believe I’d really like to have a cloud-based HUB that all the facilities can connect to, so if any facility goes down, it is only affecting itself and not the remotes connected to it. (Unless, of course, the cloud hub itself goes down - then we’d all be toast - but I’ve been pretty happy with the uptime for hosted things these days and believe we would have very little of that [fingers crossed]).

I have one vendor (the one that set up the ASAs) pushing a Meraki solution (which I have tried in the past and could not get to work well with the existing ASAs, so I had to terminate the testing, but they did work) - and I would expect that using all Meraki devices should have no interoperability issues like we experienced in the past, but I’m not really wild about their licensing.

I have a second vendor proposing a Sophos solution - never used them, but this vendor is also providing our VoIP phone solution, and I am leaning toward having them also manage our routers (so any issues with the VoIP phones can also be troubleshot by the same router folks - one throat to choke, so to speak).

I am not a router guy, nor a network engineer. I know just about enough to get into trouble. I use primarily Unifi gear in house and have considered moving to Unifi/Ubiquiti routers as a replacement, but again I am not a router guy and would need to have someone I can use to admin them, plus I do not think Unifi/Ubiquiti has a cloud router. It would need to be able to also connect to our hosted AWS instances with a tunnel simply. So I thought I would ask this community what they might consider doing to replace the aging ASAs - keeping in mind that I can be a physical on-site guy to reboot and run a few commands on my end - but I would need a legit organization administering the routers for me in the end. I am sure I could YouTube/Internet my way into getting things initially set up and going, but in a production environment I would not be the guy to troubleshoot issues and keep it going 24/7. So whatever the solution, in the end it would involve including that as well.

What you are looking for is called SD-WAN.

I do it on FortiGates as it’s included with the firewall, not just an extra add-on that most other vendors like to charge for.

Thanks for the input and suggestion - I actually did have a conversation with a Fortinet sales guy and he had a network engineer on the line with us that kept wanting to put a primary router in Office1/Office2 - which I thought would defeat the point of having a “cloud” router - he was sure I did not understand how SD-WAN works. Nevertheless - they were supposed to put something together for me and I never heard back from them again. Just got on their mailing distribution list! Thanks again for the input!

Silver Peak is a nice SD-WAN if you want to stay with a router in front of the firewall.

Looks as though they were bought by HP & Aruba - I’ll check them out as well! Thanks.

This may seem like a silly question (and may also indicate why the Fortinet network guy felt I did not understand SD-WAN) - but I just watched a few SD-WAN setups with FortiGate and all of them are setting up redundant Internet connections. All my locations have one internet connection each (no redundancy here) - I was wanting the SD-WAN set up so if one of the hub locations falls, it didn’t take the adjoining locations with it. I’d think redundant internet connections would potentially take care of that issue without the need of a “cloud router” or SD-WAN, and maybe that’s a better approach (wouldn’t put us in a single point of failure for everyone). If I were going to run redundant Internet connections at the Office locations, I don’t see what I would need the SD-WAN for? I understand there are other benefits of SD-WAN, but those are not the primary reason for looking at this change.

SD-WAN can be several things. Inside the SD-WAN, after you set up your WAN connections you will need to do site-to-site VPNs and policy-based routes.

Why not just connect all your remote sites to AWS and use that as the hub in your hub and spoke?

The routers that are used with our hosted applications on AWS only allow one VPN to be connected to them. So the Meraki and the Sophos solutions are both talking about hosting a virtual Meraki or Sophos router on AWS that will be our HUB.

Just got off the phone with a guy who about has me convinced that I’m overkilling with the whole SD-WAN approach, and suggesting using Unifi gear with failover if needed.

SD-WAN is a fancy term for policy-based routing – which a lot of modern firewalls can do. From a security functionality standpoint – what are your requirements? From a support standpoint, what are your requirements?
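To make the two points above concrete (SD-WAN as site-to-site VPNs plus policy-based routes, and SD-WAN as policy-based routing that many firewalls already do), here is an added example that is not from anyone in this thread and not any vendor's code. It models the path-selection half of SD-WAN as a small Python class: each source VLAN has an ordered preference over ISP uplinks, a VoIP policy carries a latency limit, and a probe-based health check marks an uplink down so traffic fails over to the backup and comes back when the primary recovers. The link names (`isp_fibre`, `isp_cable`), VLAN names, latencies and probe loss numbers are all constructed sample data.

```python
"""Added example (not from the thread or any vendor): a small model of
SD-WAN-style policy-based routing over two ISP uplinks, with probe-based
health checks and failover. All names and numbers are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WanLink:
    """One ISP uplink as seen by the edge router."""
    name: str
    latency_ms: float = 20.0
    healthy: bool = True

    def update_from_probe(self, lost: int, sent: int, loss_threshold: float = 0.2) -> bool:
        """Mark the link down when probe packet loss exceeds the threshold
        (the continuous SLA check that SD-WAN products run per uplink)."""
        self.healthy = sent > 0 and (lost / sent) <= loss_threshold
        return self.healthy


@dataclass
class Policy:
    """Which uplinks a class of traffic may use, most preferred first."""
    source_vlan: str
    preferred: List[str]
    max_latency_ms: Optional[float] = None


class PathSelector:
    """Policy-based routing: choose the egress uplink for a flow by its source
    VLAN, honouring link health and any latency limit, failing over down the list."""

    def __init__(self, links: List[WanLink], policies: List[Policy], default_order: List[str]):
        self.links: Dict[str, WanLink] = {l.name: l for l in links}
        self.policies: Dict[str, Policy] = {p.source_vlan: p for p in policies}
        self.default_order = default_order

    def _usable(self, name: str, max_latency: Optional[float]) -> bool:
        link = self.links.get(name)
        if link is None or not link.healthy:
            return False
        return max_latency is None or link.latency_ms <= max_latency

    def select(self, source_vlan: str) -> Optional[str]:
        policy = self.policies.get(source_vlan)
        order = policy.preferred if policy else self.default_order
        max_latency = policy.max_latency_ms if policy else None
        for name in order:
            if self._usable(name, max_latency):
                return name
        # No uplink meets the policy's latency limit: a healthy link is still
        # better than blackholing the traffic, so retry without the limit.
        for name in self.default_order:
            if self._usable(name, None):
                return name
        return None  # every uplink is down


def build_demo() -> PathSelector:
    """Constructed two-ISP edge: fibre primary, cable backup; VoIP is latency-sensitive."""
    links = [WanLink("isp_fibre", latency_ms=15.0), WanLink("isp_cable", latency_ms=45.0)]
    policies = [
        Policy("voip", ["isp_fibre", "isp_cable"], max_latency_ms=40.0),
        Policy("guest", ["isp_cable", "isp_fibre"]),
    ]
    return PathSelector(links, policies, default_order=["isp_fibre", "isp_cable"])


def failover_sequence() -> List[Optional[str]]:
    """Walk VoIP traffic through: healthy primary, lossy primary, primary restored."""
    sel = build_demo()
    out = [sel.select("voip")]                                  # isp_fibre
    sel.links["isp_fibre"].update_from_probe(lost=5, sent=10)   # 50% loss -> down
    out.append(sel.select("voip"))                              # isp_cable (limit relaxed)
    sel.links["isp_fibre"].update_from_probe(lost=0, sent=10)   # recovered
    out.append(sel.select("voip"))                              # isp_fibre again
    return out


if __name__ == "__main__":
    print(failover_sequence())
```

The second loop in `select` is the design choice worth noticing: when the only healthy uplink violates the VoIP latency limit, the selector still forwards over it rather than dropping calls, which is the usual trade-off real SD-WAN SLA rules make. What this model leaves out is the other half of the thread's point: with a single ISP per site and a hub that terminates the spoke tunnels, failover between uplinks does nothing for the spokes when the hub itself is offline, so the health check would need to be applied to the hub tunnels as well.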

This is not a complicated install & not very big - the only thing our PTP VPNs do is provide printing and scale interfaces for our AWS hosted applications. We are 95% cloud based (VoIP phones are hosted, Google Apps, etc.) - that’s it. We want it to be secure, and up - I do have VLANs (all Unifi) implemented with a LAN, a guest network, and a VoIP phones LAN. We also run cameras (a mix of old Revo, Reolink and Unifi Protect). You have actually worked on our stuff before (2018 I think) and I was seriously considering hitting you up - but wasn’t sure if it was your kinda wheelhouse to take over managing something like this. I wanted to look at SD-WAN to get our HUB out in the cloud so one facility would not take down the connected locations. The more I think about it and the cost - wondering if having a secondary ISP at the HUBs and failover might not do the same thing for considerably less, or given the number of real outages we’ve been experiencing, not sure it’s worth the cost. For my support needs, I need someone managing the routers - a guy to call if stuff is not working and the ISP says their end is up.


This is right in our wheelhouse.

We ran into an issue with my East Coast hub router - it’s throwing an error that eventually caused it to reboot itself. So my original plan of replacing these at EOL 2026 (with EoS 2025) has moved up - the router support folks say I need to renew my licence for the Cisco so they can update it and fix the bug. Thinking I’d rather put those funds toward starting a replacement path than updating these routers. You’ve been in my system before; I’d have no problem letting you take a look again so you could propose a solution we could implement, or at least get a conversation going about it.

So – we’ve often been able to replace all Cisco devices in an organization with someone else for the cost of the Cisco licensing. Email me and we can talk for sure.

Wasn’t sure how to send ya an email so I just filled out the form on williehowe.com and sent it in. Let me know if you did not get it or something.