SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Linksys, Netgear, sonicwall, ect. Webbase configurations for firewalls. Web filting traffic shaping.
Post Reply

SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Post by Guest » Wed Nov 10, 2010 9:16 pm

heres our current setup


50Mbps Docsis 3.0 cable -->ASA5505 -->SMC 802.11n bridge --->Cisco AP1252 -->2960G 8 port -  with a 24 port unmanaged daisychained to it ...right now clients only connect on the 5ghz only using  MSRADIUS PEAP for client connects to MS WIN2008 PDC & Wireless bridge is WPA2-PSK on 2.4GHZ


obviously not the best setup...  some things are monitored with CNA others ASDM


the first question is 891w -vs- SA520W  main differances in IPS functionality performance/throughput etc..  the ASA5505 appears to have lower specs in VPN/Firewall throughput 150mbps & 50mbps for VPN -vs- the SA520W at 200 & 65....   The IPS module for the asa5505 what additional things does it cover  ... the SA520W appears to have all 100/1000 ports -vs- the more expensive 891w  which only has 10/100 ports...  while its true the WAN is only 50mbps Docsis 3.0 does support up to 300 it appears that the new 890 routers are almost outdated and should have included 100/1000 ports.


can the 520W wireless bridge using WPA2-PSK to either an AP1252 or an AP541N


we are thinking of the following setup


Cable modem --->SA520W --->AP541N -->ESW540-24P-K9  (or use the AP1252 Dual Radios... would it support Standard POE with this ESW switch ? or require MCS be turned down in power to support both radios.?. or just be able to use a single Radio?  as we were told a 3750G switch would be needed for full 18.5W POE


instead of using 2.4ghz for the bridge & 5ghz for the clients.. (since the AP541N only support 2.4 or 5GHZ switchable not both) can both the clients & bridge all use MS Radius PEAP to Win2008 PDC or would we be forced to use WPA2-PSK


can this all be managed using a single tool...?  and if so  what are the differances between CCA & CNA as they  basically appear to do the same thing?


our other thoughts were   an intergrated router with Cable modem 802.11N & Gigabit in a single box.

we looked at the 1941W problem is it doesn support a Docsis 3.0 HWIC and its much more expensive.


thanks again for your assistance as Cisco appears to have many overlapping products.




Re:SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Post by Guest » Wed Nov 10, 2010 9:47 pm



Im also interested in a good answer from someone about this issue. I don really have any answers.


We have about 150 ASA5505 deployed and have had rock solid performance. I haven had a single DOA and can only remember 2 or 3 devices with reboots that firmware didn fix.  I am looking at some SA500 series boxes, but the issues Im seeing in the community forums is not too encouraging.  I rather stick with Cisco Enterprise products cut down for SMB as opposed to Consumer(Linksys) products developed for SMB.


The only issue I can see with the ASA5505 moving foward is bandwidth. Luckily our cable speeds around here top out at 25Mbit at the moment.


Best Regards,

Chris Carson



Here are some quotes Ive seen that aren very enlightening.


These units are just Linux machines Cisco is polishing it upfor a specific segment, and a specific set of network functions to cater to small businesses.To expect it to do everything a normal IOS router (or vpn device, or firewall) is reallyunrealistic. These are meant for branch offices mostly, of under 100 users.”



“The web interface has some noticable bugs. Looks like they hacked it together prettyquickly. I attached a screen shot of the web ike and vpn policy”


My advice... throw the SA520 in the garbage and either go buy a cheaper linksys, or buildyour own custom router using Openswan (thats what Im doing). I had tickets open withCisco support and the guy from support told me he Cisco professional client doesn evenwork with the SA520. Only their QuickVPN client works (only on Windows). He said SSLVPN works but you have to pay $30/license!”


“Yea, these units are definitely different than any other Cisco device. I think they e meantto be in a class all of their own. From the looks of it, the remote access vpn option is solelythe ssl vpn.”






























Re:SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Post by Guest » Wed Nov 10, 2010 9:49 pm

just an update & some feedback on Cisco Support..


we did purchase the SA520W and got the following working

CABLE -->SA520W --(WPA2-PSK --Bridge--->SMCWEB-N Bridge --->2960G 8 port -->WIN2008 PDC replaced the standard Cisco Antennas with 7db Dlink ANT24-0700   - We never got a reply from Cisco support on any 802.11n bridging questions either in this newsgroups or via phone..


We uploaded the latest firmware,  but could never get the IPS license files cisco emailed us to load... (others have been having issues with SSL license loading) so I think a bug exists here see    We contacted Cisco SMB support on 01/20/2010 opened a case.. the tech was polite said he needed to escalate and we Never got a callback... opened a second case with another Tech... she was also polite, put me on hold for 3mins... asked me to send log files + screen shoots etc... also Never called me back...  I called back today and was told the case had been escalated given this techs name/number... call him, left Vmail and never got a callback


Re:SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Post by Guest » Wed Nov 10, 2010 10:37 pm

Hi Kevin,

Could you send me the case numbers?  I would like to get to the bottom of why this problem happened.  I have escalated this internally and would like to you get your problems fixed and the system fixed so other customers don have this issue.


Can you post your unanswered questions and I will get you the answers you are looking for.


Steven Smith


Re:SA520W -vs- 891W -vs- ASA5505 IPS & Wireless 802.11n bridging

Post by Guest » Wed Nov 10, 2010 11:09 pm

case# 613450009 & 613528479


issue #1

we can get the IPS license file to load ... here are the license files + screen shot + Log files attached

please explain why we can load the IPS files and what the firewall errors are -thanks


issue #2

see my first post... but to recap... really simple.. wireless bridging

Cable -->SA520W ---WPA2-PSK..*** or **** PEAP TO MSRADIUS/CERT (nice but not required). (what Cisco product to **insert*** here) -->ESW-540P-24-K9


Can the AP541N be a slave (workgroup bridge -no client connections or show up as a client) to the SA520W...if we insert an AP1252 can it be a slave to the SA520W (or can the SA520W be a wireless client bridge to the AP1252) I assume the ESW-540P can run the AP541N through POE no issues... Ive been told the AP1252 can run single radio to 802.1af POE , or dual radios to a standard POE switch if you turn down the radio power


any other Cisco products that can act as wireless bridge to the above... our Idea is removal antennas  or have you tested the Cisco WET610N


the technical problems with our current setup using SMC Wireless N bridge to SA520W is that in order to get it to work... we need to set the SMC to WPA/WPA2 mode with AES/TKIP  and must brodcast SSID) and no removable antennas ...if we attempt to lock down any tighter to WPA2/AES MAC filtering ... or Not Brodcast the SSID ... things break - I know this isn a Cisco issue... thats why we are looking for an 100% Cisco solution..( my understanding is that no IETF or RFC Internet standard for wireless bridging its vendor specific ) that way if issues exist we can open feature or bug requests



while Im at it... what do you have 2 products CNA (cisco Network assistant) and CCA (cisco config assistant) they appear to be the same darn product ..except half the products work with CNA the other CCA...   we can really seem to config the SA500 series through CCA... The graphical topology looks cool..


if you can get answers to the IPS issue, we will be happy for now.. I will also try calling the support SE again

Post Reply