Suggestions needed for a budget Firewall and VPN infrastructure with Cisco and Sonicwall equipment

Posted on 2008-06-15
Medium Priority
Last Modified: 2010-05-18
Hello Everyone,

The company where I work is very budget conscious, except with regard to the IT department, where funds are almost impossible to obtain. Please keep in mind that when answering this question, all the hardware will be bought off eBay. Also, I am very familiar with SonicOS and fairly familiar with IOS (studying for my CCNP).

We now have a requirement to establish a VPN with a dozen or so warehouses in the US.  Traffic over this Site-to-Site VPN will be Active Directory, DNS, Exchange, file sharing and possibly VoIP.

The current infrastructure is as follows: the head office has two internet connections, 5 Mbit ADSL and 100 Mbit fiber, which are connected to the WAN and OPT interfaces on a SonicWall TZ170 with Enhanced firmware. Each of the warehouses has a T1, cable or DSL connection and a TZ170 Standard. Most of the warehouses are currently participating in a VPN for VoIP.

I'm concerned that the TZ170 at the head office will not be able to handle all of the traffic from the VPN. Also, the TZ170 supports 10 site-to-site VPN connections in SonicOS (not sure if more can be purchased or not).

I'm thinking of a PIX firewall of some kind and a 3640 (is a PIX required if the IOS has firewall capabilities?), but I'm not sure what exactly to get to ensure the best security, as well as top reliability and performance.

What would you do on a shoestring budget, sticking to used SonicWall and Cisco equipment?

Question by:encoad
LVL 57

Expert Comment

ID: 21790623
If I were on a shoestring budget, I would use Linux and iptables and a spare PC.

Instead of a PIX, I would see if you could get an ASA box on eBay. If you really want a PIX, what class are you looking at? If you think a TZ170 can't handle it, then you would need a PIX 525 or 535.

If you have a router with FW options, then you would not really need another firewall, unless you wanted to offload the overhead of doing firewall functions.

LVL 13

Expert Comment

ID: 21790723
Take a look at smoothwall, an open-source hardened Linux solution. There are also commercial versions that are more powerful and fairly inexpensive.

If you want to go with Cisco, I would choose the ASA 5500 series. You can pick up a basic 5505 bundle solution for about $400 on ebay.

Expert Comment

ID: 21791327
I'd choose a Cisco 1800 series router. They are better suited to site-to-site VPNs.

The firewall feature set will cover most events, and unless you went with an ASA 5510 or similar, the elements that would be missed are failover / traffic management. If you're on a shoestring budget, then I'm unsure if these are important criteria.

An ASA 5505 does not have a DMZ capability, and the VPN capabilities are better with the 5510.


Assisted Solution

raptorjb007 earned 150 total points
ID: 21793831
The ASA5505 does have a DMZ capability; however, with the base license it is restricted to 3 VLANs, one of which is restricted to communicating with only one other VLAN. You can purchase the Security+ license for the ASA5505, which will unlock the ability for active/passive failover and additional VLANs; however, this will double the cost of the firewall.

Regarding which ASA is the best model for this purpose, the ASA5510 would be the better choice. The ASA5505 may run into a CPU bottleneck with the kind of traffic you will be pushing on the VPNs, not to mention a base license limit of 10, above which you would require the Security+ license.

As far as budget is concerned, you may be able to purchase a used PIX model on eBay; just get a model 525 or higher.

I have not used a Smoothwall, so I am unable to speak for its performance and/or capabilities.

Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison

Author Comment

ID: 21793904
Thanks to all who have responded thus far.

I've considered the Linux option, but I don't think it's feasible. I've found Cisco products to be essentially flawless (almost flawless for the SonicWall), but once I start running a server to handle the internet traffic I've got to worry about dead CPU fans, corrupted hard drives, flaky memory and toasted power supplies. Also, the Cisco support base is a lot larger than Smoothwall or the other Linux options. (Don't get me wrong, I'm a Linux fan, using Ubuntu right now.)

The ASA5510 looks great, but it's also pretty expensive, especially once you license it up.

Any reason why I couldn't use a 3640?  Any features it would be lacking?


Author Comment

ID: 21794972
Or perhaps a 3745?

Expert Comment

ID: 21824953
I'm not familiar enough with using the routers' hardware to answer that question for you.
LVL 57

Accepted Solution

giltjr earned 225 total points
ID: 21825272
Well, I would choose the 3745 over the 3640, just for the reason that the 3640 is no longer supported, so if you wanted to get support you're out of luck.

As for the ASA vs. the 3745: what is the pricing for a 3745 with the IOS Firewall feature set?

Cisco has a FAQ on the IOS Firewall:



Author Comment

ID: 21825341

Yeah, clearly the 3745 is a better choice.

I found a 3745 with the Advanced Enterprise IOS for 900 on eBay. I'm assuming that's the right IOS to get.
LVL 57

Expert Comment

ID: 21825912
Should be a good starting point. Then you have to buy the IOS Firewall.

Author Closing Comment

ID: 31467454
Thanks for the information; you guys have clarified things for me. I think that the 3745 with the IOS firewall will be best. The links were very helpful.
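To make the accepted route concrete, here is an added example (not posted by anyone in this thread, and not from Cisco's documentation) of what the head-office 3745 would carry for the setup discussed above: a site-to-site IPsec tunnel per warehouse, with the classic IOS Firewall (CBAC, `ip inspect`) stateful inspection and an inbound WAN ACL that only admits the tunnel's ISAKMP/ESP traffic and the decrypted warehouse subnets. Every address, subnet, name and key below is a constructed placeholder (RFC 5737 documentation ranges, two example warehouses); the syntax is classic 12.x IOS as shipped on that router generation and should be checked against the exact feature set on the unit bought.

```cisco
! Added example, hub-side (head office) configuration. Not from the thread.
! Placeholders: hub WAN 203.0.113.1/24, hub LAN 10.0.0.0/24,
! warehouse A WAN 198.51.100.1 / LAN 10.1.0.0/24,
! warehouse B WAN 198.51.100.2 / LAN 10.2.0.0/24.
!
! Phase 1 (ISAKMP): one policy shared by all spokes, one pre-shared key per spoke
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-UNIQUE-PSK-A address 198.51.100.1
crypto isakmp key REPLACE-WITH-UNIQUE-PSK-B address 198.51.100.2
!
! Phase 2 (IPsec): AES-256 with SHA-1 HMAC for integrity
crypto ipsec transform-set WAREHOUSE-TS esp-aes 256 esp-sha-hmac
!
! "Interesting traffic" per spoke: only LAN-to-LAN traffic enters the tunnel
access-list 111 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 112 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! One crypto-map sequence per warehouse; add a sequence for each new site
crypto map WAREHOUSE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set WAREHOUSE-TS
 match address 111
crypto map WAREHOUSE-MAP 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set WAREHOUSE-TS
 match address 112
!
! IOS Firewall (CBAC): track outbound sessions so only replies are let back in
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
! Inbound WAN ACL: ISAKMP and ESP from known peers, decrypted spoke LAN traffic,
! everything else denied and logged. CBAC adds dynamic entries for return traffic.
ip access-list extended WAN-IN
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.1
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet0/0
 description WAN (placeholder addressing)
 ip address 203.0.113.1 255.255.255.0
 ip access-group WAN-IN in
 ip inspect CBAC-OUT out
 crypto map WAREHOUSE-MAP
!
interface FastEthernet0/1
 description LAN (placeholder addressing)
 ip address 10.0.0.1 255.255.255.0
```

Two design points worth keeping in mind when adapting this: use a distinct pre-shared key per warehouse so a compromised spoke cannot impersonate another, and verify the tunnel and inspection state with `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip inspect sessions` before trusting it with Active Directory and Exchange traffic. Whether decrypted traffic is re-evaluated against the inbound interface ACL depends on the IOS release, which is why the spoke LAN `permit ip` lines are included explicitly.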
