Arsen
just joined
Topic Author
Posts: 5
Joined: Wed Jul 23, 2014 6:23 pm

Replacing Cisco ASA5520 with CCR1016-12G

Wed Jul 23, 2014 6:30 pm

I am about to replace a Cisco 5520 firewall with a CCR1016-12G. The Cisco has 5 VLANs configured: 10.254.4.x, 10.254.5.x, 10.254.6.x, etc.
I want to make just 5 real subnets, 1 for each port on the CCR1016-12G, instead of virtual LANs.
Does it make sense?
Also, what do you think about replacing the Cisco ASA5520 with the CCR1016-12G?
Will I get any benefits?

Thank you.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Thu Jul 24, 2014 1:52 pm

Well, IMHO you cannot replace an ASA with a CCR.

One is a firewall, the other is a router, and it will heavily depend on what you are doing on the ASA currently.
 
Arsen
just joined
Topic Author
Posts: 5
Joined: Wed Jul 23, 2014 6:23 pm

Re: Replacing Cisco ASA5520 with CCR1016-12G

Thu Jul 24, 2014 3:03 pm

The 10.x.x.x subnet is divided into 5 virtual ones, then the admin created a lot of rules to go from one VLAN to another. I don't see how it helps against hackers, but it makes working a nightmare.
My guess is that CCR NAT is good enough to protect the internal network from the internet.
I don't really care to check outgoing traffic.
Am I mistaken?
I just don't want to break the whole LAN at once.
So if I make 5 real subnets on the CCR instead of Cisco VLANs, will I be able to set the same rules between subnets as there are on the Cisco now, or will traffic from one subnet to another be completely blocked?
Sorry, I don't know RouterOS well.
Thank you
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Thu Jul 24, 2014 4:09 pm

NAT does not equal a firewall and should never be treated as any kind of "protection" :!:
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Thu Jul 24, 2014 6:06 pm

The only difference between using VLANs and physical interfaces is that one burns more interfaces. You still have all the same control over traffic. You will need to set up 5 access ports on your switch to keep all the traffic on their respective VLANs. One difference between the ASA and Mikrotik is that the ASA has the concept of security levels and a default deny firewall policy. Mikrotik, being a router platform first, has a default allow policy. To accomplish the same thing on a Mikrotik you will just need to insert deny rules after your allow rules in the firewall forward chain.

As for ASA firewalling capabilities vs Mikrotik capabilities: both are capable of L3/L4 stateful firewalling on IPv4 and IPv6. Performance-wise you should be fine replacing a 5520 with a CCR1016.

As was mentioned by Etz, NAT should only be seen as a routing decision, not a firewall protection. What most people think of as protection given by NAT is really only a default inbound deny firewall rule. If your networks were all on public IP addresses a default deny on the forward chain
 
Arsen
just joined
Topic Author
Posts: 5
Joined: Wed Jul 23, 2014 6:23 pm

Re: Replacing Cisco ASA5520 with CCR1016-12G

Fri Jul 25, 2014 6:38 am

Thank you, man! It was a very clear explanation.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Fri Jul 25, 2014 8:04 am

I should note one other difference between VLANs and separate interfaces. VLANs will all share the bandwidth of the interface they are attached to. That said, the 1016 is unlikely to push more packets than one 1GigE port with firewalling enabled.
 
Arsen
just joined
Topic Author
Posts: 5
Joined: Wed Jul 23, 2014 6:23 pm

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sat Jul 26, 2014 7:32 pm

That is what I wanted to hear. VLANs on one interface will share the bandwidth.
Thank you.

BTW: Maybe I did not express my thoughts about NAT clearly.
What I mean: if I set "masquerade" on the "Out. interface" and then scan the CCR1016 ports from the internet, all of them are closed except those I set with "dstnat".
So I don't see how the ASA can protect my LAN better than the CCR1016 with "masquerade" set.
Unless it is easier for hackers to break ....
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sat Jul 26, 2014 8:14 pm

True, if you NAT ~1024 IP addresses into 1 IP address, the profile to a hacker is one IP to scan instead of two. Functionally the same thing can be accomplished with just a default deny firewall rule.

Functionally, a default deny firewall policy and many-to-one SNAT end up accomplishing similar things in some circumstances, but they should not be seen as equal tools. NAT is a routing policy that in some cases gives you the same outcome as a default deny firewall rule. If a default deny inbound rule is used, the same thing will be accomplished and your life will be easier for not having to deal with NAT translations everywhere when tracking down issues. Do clients on the local LAN not need to get to any of these servers behind the ASA?

In my designs I push NAT as far to the edge as possible, if NAT is even needed. This way I only have to deal with NAT translations for Internet traffic, if at all. Servers typically have their public IP right on the machine. It makes troubleshooting much easier. No NAT translation table logs to go look at. If someone gives me an IP to look into, I know exactly what it is. Remember internally RFC1918 IP space and public IP space can be mixed. You just can't route RFC1918 space out to your Internet provider.

Functionally, from a firewall/NAT perspective there isn't anything the Mikrotik does that the ASA can't do and vice versa. The one thing the ASA has over the CCR1016 is that firewalling and NAT are done in hardware; this means it will likely give a more consistent speed and latency experience under load approaching its maximum limits. The CCR1016 will use more CPU the more NAT or firewall rules it needs to check. The ASA 5520 is rated at up to 450Mbps. So it seems you're swapping equivalent hardware. If the intent is to use the added routing functionality that a Mikrotik gives you, then I can see a benefit. Otherwise it may be desirous to bump the Mikrotik up one model to give yourself a bit more speed. If the intent is to start over with a blank slate, you may as well look at your traffic flows and plan out new firewall rules for the ASA and save some money for future upgrades.
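Putting jkarras's two points together (the forward chain is default allow, so explicit deny rules go after the allow rules, and the "protection" people attribute to masquerade is really a default inbound deny), here is an added RouterOS v6 configuration fragment. It is not from any poster in this thread; it assumes ether1 is the WAN port, ether2 to ether4 carry the first three of the five physical subnets, and the web server 10.254.4.10, the file share and the permitted flows are invented for illustration.

```routeros
# Added example, not from the thread. Assumptions: ether1 = WAN, ether2..ether4 = physical
# subnets replacing the ASA VLANs, 10.254.4.10 = hypothetical web server in subnet A.
/ip address
add address=10.254.4.1/24 interface=ether2 comment="subnet A (was a VLAN on the ASA)"
add address=10.254.5.1/24 interface=ether3 comment="subnet B"
add address=10.254.6.1/24 interface=ether4 comment="subnet C"

/ip firewall nat
# Masquerade is only a translation decision; by itself it protects nothing.
add chain=srcnat out-interface=ether1 action=masquerade
# Hypothetical published service: inbound TCP/443 forwarded to the web server in subnet A.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.254.4.10

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=!ether1 action=accept comment="management from the LAN side only"
add chain=input in-interface=ether1 action=drop comment="default deny from WAN to the router"

# --- forward chain: traffic between subnets and to/from the internet ---
add chain=forward connection-state=established,related action=accept comment="replies to allowed flows"
add chain=forward connection-state=invalid action=drop
# Allow rules first. There are no ASA security levels here, so each inter-subnet flow is explicit.
add chain=forward src-address=10.254.5.0/24 dst-address=10.254.4.10 protocol=tcp dst-port=443 action=accept comment="B -> web server in A"
add chain=forward src-address=10.254.6.0/24 dst-address=10.254.5.0/24 protocol=tcp dst-port=445 action=accept comment="C -> file share in B (hypothetical)"
add chain=forward in-interface=!ether1 out-interface=ether1 action=accept comment="all subnets -> internet"
# The forward chain sees the post-dst-nat address, so only the published service is reachable from WAN.
# This accept plus the final drop is what closes the ports a scan would see, not the masquerade rule.
add chain=forward in-interface=ether1 dst-address=10.254.4.10 protocol=tcp dst-port=443 action=accept comment="internet -> web server only"
# Deny rules last, as described above: log for visibility, then drop everything not allowed.
add chain=forward action=log log-prefix="FWD-DROP" comment="blocked inter-subnet and inbound traffic"
add chain=forward action=drop comment="default deny (ASA-style) for the forward chain"
```

Rule order matters: RouterOS evaluates the chain top down and stops at the first match, so the established/related accept must precede the final drop or return traffic for allowed flows is dropped too.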
 
Arsen
just joined
Topic Author
Posts: 5
Joined: Wed Jul 23, 2014 6:23 pm

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sat Jul 26, 2014 11:11 pm

Thank you!
All clear.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sun Jul 27, 2014 11:08 am

Actually, there are some things that a CCR can do and an ASA can't.

As the ASA is not a router but a pure firewall, it doesn't do BGP and its OSPF is quite buggy.
(Have had issues and even a service outage caused by an ASA just disobeying route-maps or prefix-lists and leaking all the routes).

So if you plan to do dynamic routing with route-maps, policy-based routing, multi-area OSPF, etc., a CCR would be a far better choice.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sun Jul 27, 2014 4:23 pm

Never said they were exactly the same, just in the security & firewalling realm.

That said, they do support BGP these days. Can't speak for its stability as I haven't ever run an ASA with a dynamic routing protocol turned on.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sun Jul 27, 2014 11:22 pm

That said, they do support BGP these days.
Now it is completely off-topic, but BGP support is in the 9.x software, which is quite "bleeding edge"... :wink:

I would still prefer a router for routing duties... ;)
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sun Jul 27, 2014 11:30 pm

Fully agree on not running dynamic routing on the firewall.

9.x has had 4 major releases though. Three with BGP support: 9.1, 9.2, and 9.3. Now, 9.2 and 9.3 won't run on a non-X ASA though.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Mon Jul 28, 2014 7:58 am

9.x has had 4 major releases though. Three with BGP support: 9.1, 9.2, and 9.3. Now, 9.2 and 9.3 won't run on a non-X ASA though.
I know ;)
 
coylh
Member Candidate
Posts: 159
Joined: Tue Jul 12, 2011 12:11 am

Re: Replacing Cisco ASA5520 with CCR1016-12G

Fri Aug 01, 2014 2:05 am

I replaced an ASA 5505 (100 Mb/s) with a CCR when I upgraded to a gigabit connection. It works fine, but we weren't using any fancy features of the ASA.
 
sashavl
Frequent Visitor
Posts: 56
Joined: Mon Nov 01, 2010 8:19 pm

Re: Replacing Cisco ASA5520 with CCR1016-12G

Fri Aug 01, 2014 11:49 pm

Sorry, but what "fancy" features does the ASA have that the Tik can't do?
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sat Aug 02, 2014 9:50 am

Sorry, but what "fancy" features does the ASA have that the Tik can't do?
TCP Sequence randomization, deep packet inspection, Active/Active clustering, etc...
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: Replacing Cisco ASA5520 with CCR1016-12G

Sat Aug 02, 2014 3:35 pm

Config sync