What's your VPN dream setup?


So we may have some money to spend at the end of the year on some new equipment.  Right now we just have a win2k3 server behind a Linksys router.  Our current setup is pretty simple.  Just have the VPN/DHCP role in win2k3 running, and users connect through the "network connection" wizard on their laptops (WinXP).  Does anyone have any tips about the VPN hardware available?  So far I've looked at Hotbrick, SonicWall, Netgear and Cisco ... But I'm not too sure what I should be looking for ... or if we really even need to change our current setup.

What are your thoughts or personal experiences with VPN setups?
 Cisco is definitely 1st choice, followed by SonicWall.  For a business firewall, stay away from the SOHO brands like Netgear, D-Link, etc.

Advantages of Cisco:
- Absolutely rock-solid VPN
- Licensing for VPN is much more open/flexible; out of the box Cisco PIX is fully functional for the max # of client or site VPNs that a model supports; low-end ASA's have a "Security Plus" model that adds to # of licensed VPNs, etc.
- Cisco VPN client software is a free download (when you've purchased "SmartNet" support on the appliance)
- Cisco VPN client is *easy* to install, configure & use; so is SonicWall, but the GUI on the Cisco is easier to understand for a novice user.
- Options for 24/7 SmartNet support with platform-specific experts waiting to help.  Cisco also offers a "4-hr response" flavor of 24/7 SmartNet support, something that SonicWall doesn't offer.

  Which model to get?  Depends on: current # of hosts (PCs + servers) behind your Linksys, max # of simultaneous VPN users, max # of site-to-site VPNs you might want, & expected growth for all the above in the next 2 yr.  For Cisco, 1st choice would be the new ASA security appliances (sort of the next-generation PIX), closely followed by PIX.   ASA adds lots of new features beyond what the PIX provides.
  I strongly suggest you get a better box than you think you need now, since networks never stay the same but only grow & require better performance, & the more features used on a single box will require a better model.  Some general guidelines:

   For networks with <40 local hosts + up to 10 VPNs (client & site-site):
PIX 501, ASA 5505, SonicWall TZ-170   <- roughly equivalent models
   For networks with 50-100 hosts + up to 25 VPNs:
PIX 506E, ASA 5505 Security Plus (possibly ASA 5510), SonicWall 2040

   Cisco ASA series:
   Cisco PIX firewalls:
   SonicWall 2040:

Rob Williams commented:
If you are using the "network connection", does that mean you have Small Business Server? If so you may also want to look at the built in features with Remote Web Workplace and Outlook Web Access.

Using the Windows VPN works great and no real need to switch. However moving to a hardware based VPN router should give you a little more security and slightly better performance. Security is enhanced as there is no need to open/forward ports and it will use the IPSec protocol rather than PPTP. Performance is improved by off-loading the encryption to a dedicated device.

There are dozens of VPN routers available, and most very good. However, Cisco make the best units, have the most versatility, and by far the best support. The model you require will depend on the number of on site Internet users, and the number of simultaneous VPN connections you will require. Cisco's PIX 501 is a great unit starting at about $375 US with 50 users and 10 simultaneous VPN tunnels, either site to site, or client to site.
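The post above contrasts the Windows PPTP VPN (which needs TCP/1723 and GRE forwarded through the router) with an IPsec appliance. An added example, not from the thread or any vendor: a small Python inventory that classifies constructed firewall log records by VPN protocol family, so an admin can confirm which protocol remote users actually rely on before and after a migration. The log format and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (not from the original thread): a
# simplified key=value format such as a generic router might emit.
SAMPLE_LOG = """\
2006-10-02 09:14:01 action=allow proto=tcp src=203.0.113.7 dst=198.51.100.2 dport=1723
2006-10-02 09:14:01 action=allow proto=gre src=203.0.113.7 dst=198.51.100.2
2006-10-02 09:15:33 action=allow proto=udp src=203.0.113.9 dst=198.51.100.2 dport=500
2006-10-02 09:15:34 action=allow proto=udp src=203.0.113.9 dst=198.51.100.2 dport=4500
2006-10-02 09:15:35 action=allow proto=esp src=203.0.113.9 dst=198.51.100.2
2006-10-02 09:16:10 action=allow proto=tcp src=203.0.113.11 dst=198.51.100.2 dport=80
2006-10-02 09:17:40 action=deny proto=tcp src=203.0.113.20 dst=198.51.100.2 dport=1723
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify_vpn(fields):
    """Map one log record to the VPN protocol family it belongs to, or None."""
    proto = fields.get("proto", "").lower()
    dport = fields.get("dport")
    if proto == "gre" or (proto == "tcp" and dport == "1723"):
        return "pptp"    # Windows PPTP: TCP/1723 control channel + GRE (IP proto 47) data
    if proto == "esp" or (proto == "udp" and dport in ("500", "4500")):
        return "ipsec"   # IKE on UDP/500, NAT-T on UDP/4500, ESP (IP proto 50)
    return None


def vpn_inventory(log_text):
    """Count allowed VPN records per protocol family and collect remote peers."""
    by_family = Counter()
    peers = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        fam = classify_vpn(f)
        if fam is None or f.get("action") != "allow":
            continue   # non-VPN traffic and denied attempts are not counted as usage
        by_family[fam] += 1
        peers.setdefault(fam, set()).add(f.get("src"))
    return by_family, peers


if __name__ == "__main__":
    counts, who = vpn_inventory(SAMPLE_LOG)
    for fam, n in counts.items():
        print(f"{fam}: {n} records from {sorted(who[fam])}")
```

Any peer still showing up under "pptp" after the hardware cutover is a client that has not been moved to the IPsec client yet.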
Have used the SonicWall TZ170 and 2040 for small networks and they work great for the site-to-site and Global VPN Client; however, the suggestion RobWill has I would go with.
We currently use the PIX 501 and it is a great firewall; have 2 site-to-sites up and running, very stable and secure...
Have you looked at products from Juniper? www.juniper.net

Invariably all the models support additional features like 'deep inspection', url filtering etc... and the performance is far better.

Cisco ASA 5505 - hands down. No contest.
PIX is being phased out but is a good 2nd choice.
Depending on what you want to spend and what you want it to do:


VPN: SME = Draytek 3000; Corp = Stonegate

Firewall: SME = Draytek, SonicWall, Netscreen 5GT; Corp = Netscreen, Cisco, Checkpoint

Need to look at SSL VPN behind your own firewall:

SSL VPN: SME = SonicWall 200 or 2000; Corp = Netscreen (Neoteris), F5
Juniper & Checkpoint are good, but Cisco is my choice all the time due to the ease of use, the ease of migration... everything is awesome with Cisco.. the rest all depends on what exactly your requirements are, depending on which you can decide on the best product for yourself.
And not to forget Nokia VPN boxes.... they are also state of the art... just a bit over complicated.
 Failover? Cisco's got it:
- Failover to a secondary box? Cisco PIX 7.x or Cisco ASA
- Dual-ISP failover links?  Cisco PIX 7.x or Cisco ASA

  SSL VPN? - Cisco ASA

Bottom line is, if you want the best, go with Cisco.  They've been around a long time, they invest a couple of billion $ each yr in R&D to improvements & new technology, you'll get great support, their hardware is bullet-proof, their firewalls have proven they're stable & secure, & the company will be around for years to come.

Most enterprise class have failover to another box; I meant failover to a separate VPN link, as in


Cisco SSL VPN  or Neoteris  http://www.juniper.net/company/presscenter/pr/2006/pr-060306.html

Cisco isn't the best at anything

Firewall Better Cisco = Netscreen (Firewall around longer than Pix)
Switch better than Cisco = Extreme,Foundry (Far better product)
Routers= Juniper
SSL VPN = Any other make apart from whale

jGams (Author) commented:
Wow, Thanks for the replies everyone!

Looks like Cisco seems to be the fav so far.  One question about the Cisco box ... Do you have to use the actual Cisco VPN client to connect to the VPN? Or can you just use a regular WinXP VPN connection?

The reason I ask is because I know of some people who have to connect to multiple clients .. each with their own weird VPN setup that uses different software.  I had a few buddies who had to use the Cisco client, and once installed, they were no longer able to connect with any of the other clients' software. It was like the Cisco client had blocked all other VPN usage ... Would this be an isolated problem, or could this potentially happen to us if we set up shop with a Cisco box?

Any thoughts?
Rob Williams commented:
Cisco can be configured to use IPSec and their client, or PPTP and the Windows client if you prefer. I haven't had problems with the Cisco client conflicting, but I agree many VPN clients do not play well together.
The Cisco ASA can be an endpoint for either Cisco's IPSEC VPN client, or Microsoft PPTP VPN client, or both simultaneously. Either can also be supported from an inside client going to an external vpn server.
The Cisco VPN client is preferred because YOU control all client behavior, whereas the USER controls all client behavior of the Microsoft client.

Many VPN clients do not play well together. Nortel and Cisco don't play nice on the same PC. Many IPSEC clients don't play nice with XP's built in IPSEC capabilities.
I've never had a problem using both Cisco VPN and Microsoft VPN on the same laptop.
Yep, Cisco VPN client won't conflict at all with Windows' built-in PPTP VPN.  Agree that most 3rd-party vendors' VPN clients don't coexist well or at all on the same PC, such as Cisco & SonicWall.  *Sometimes you can work around this by temporarily disabling 1 of the 3rd-party clients while you use the other, e.g. stopping the Cisco VPN service daemon or disabling the vendor-specific VPN virtual interface.

jGams (Author) commented:
Thanks for the help everyone.  This information has given me a good stepping stone in my search.

Rob Williams commented:
Thanks jGams, good luck with your decision.