[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Suggestions needed for a budget Firewall and VPN infrastructure with Cisco and Sonicwall equipment

Posted on 2008-06-15
Medium Priority
Last Modified: 2010-05-18
Hello Everyone,

The company where I work is very budget conscientious, except with regards to the IT department,  where funds are almost impossible to obtain.  Please keep in mind that when answering this question, all the hardware will be bought off Ebay.  Also, I am  very familiar with SonicOS and fairly familiar with IOS (studying for my CCNP)

We now have a requirement to establish a VPN with a dozen or so warehouses in the US.  Traffic over this Site-to-Site VPN will be Active Directory, DNS, Exchange, file sharing and possibly VoIP.

The current infrastructure is as follows:  The head office has two internet connections, 5mbit ADSL and 100mbit Fiber which are connected to the WAN and OPT interfaces on a Sonicwall TZ170 with Enhanced firmware.  Each of the warehouses have a T1, Cable or DSL and a TZ170 Standard.  Most of the warehouses are currently participating in a VPN for VoIP.

I'm concerned that the TZ170 at the head office will not be able to handle all of the traffic from the VPN.  Also, the TZ170 has the ability for 10 VPN Site-to-Site connections in the SonicOS (not sure if more can be purchased or not).  

I'm thinking that a PIX Firewall of some kind and a 3640 (is a PIX required if the IOS has FW capabilities?), but I'm not sure what exactly to get to ensure the best security, as well as top reliability and performance.

What would you do on a shoe string budget sticking to used Sonicwall and Cisco equipment?

Question by:encoad
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +2
LVL 57

Expert Comment

ID: 21790623
If I was on a shoe string budget, I would use Linux and iptables and a spare PC.

Instead of a PIX I would see if you could get a ASA box on e-bay.  If you really want a PIX, what class are you looking at?  If you think a TZ170 can't handle it, then you would need a PIX 525 or 535.

If you have a router with FW options, then you would not really need another firewall, unless you wanted to offload the overhead of doing firewall functions.

LVL 13

Expert Comment

ID: 21790723
Take a look at smoothwall, an open-source hardened Linux solution. There are also commercial versions that are more powerful and fairly inexpensive.

If you want to go with Cisco, I would choose the ASA 5500 series. You can pick up a basic 5505 bundle solution for about $400 on ebay.

Expert Comment

ID: 21791327
I'd choose a CISCO 1800 series router.  they are better suited to site-to-site vpn's.

the firewall feature set will cover most events, and unless you went with an ASA 5510 or similar, the elements that would be missed are failover / traffic management.  If you're on a shoestring budget, then i'm unsure if these are important criteria.

an ASA 5505 does not have a DMZ capability, and the vpn capabilities are better with the 5510.

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


Assisted Solution

raptorjb007 earned 150 total points
ID: 21793831
The ASA5505 does have a DMZ capability, however with he base license it is restricted to 3 VLANS, one of which is restricted to communicating with only one other VLAN. You can purchase the Security+ License for the ASA5505 which will unlock the ability for active/passive fail over and additional VLANS, however this will double the cost of the firewall.

Regarding which ASA is the best model for this purpose, the ASA5510 would be the better choice, the ASA5505 may run into a CPU bottleneck with the kind of traffic you will be pushing on the VPN's, not to mention a base license limit of 10 above which you would require the Security+ License.

As for a budget is concerned, you may be able to purchase a used Pix model on EBay, just get a model 525 or higher.

I have not used a smoothwall so I am unable to speak for its performance and/or capabilities.

Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison

Author Comment

ID: 21793904
Thanks to all who have responded thus far.  

I've considered the Linux option, but I don't think it's feasible.  I've found Cisco products to be essentially flawless (almost flawless for the sonicwall), but once I start running a server to handle the internet traffic I've got to worry about dead CPU fans, corrupted hard drives, flaky memory and toasted power supplies.  Also, the Cisco support base is alot larger then Smoothwall or the other linux options.  (don't get me wrong, I'm a Linux fan, using Ubuntu right now).

The ASA5510 looks great, but its also pretty expensive, especially once you license it up.

Any reason why I couldn't use a 3640?  Any features it would be lacking?


Author Comment

ID: 21794972
Or perhaps a 3745?

Expert Comment

ID: 21824953
I'm not familiar enough with using the routers hardware to answer that question for you.
LVL 57

Accepted Solution

giltjr earned 225 total points
ID: 21825272
Well I would choose the 3745 over the 3640.  Just for the reason that the 3640 is no longer supported, so if you wanted to get support your out of luck.

As for the ASA vs. 3745.  What is the pricing for a 3745 with the IOS Firewall Module?

Cisco has a FAQ on the IOS Firewall:



Author Comment

ID: 21825341

Yeah clearly the 3745 is a better choice.

I found a 3745 with the advanced Enterprise IOS for 900 on ebay.  I'm assuming that's the right IOS to get.
LVL 57

Expert Comment

ID: 21825912
Should be a good starting point.  Then you have to buy the IOS Firewall.

Author Closing Comment

ID: 31467454
Thanks for the information, you guys have clarified things for me.  I think that the 3745 with IOS fw will be best.  The links were very helpful.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question