Suggestions needed for a budget Firewall and VPN infrastructure with Cisco and Sonicwall equipment

Posted on 2008-06-15
Last Modified: 2010-05-18
Hello Everyone,

The company where I work is very budget conscious, except with regards to the IT department, where funds are almost impossible to obtain. Please keep in mind that when answering this question, all the hardware will be bought off eBay. Also, I am very familiar with SonicOS and fairly familiar with IOS (studying for my CCNP).

We now have a requirement to establish a VPN with a dozen or so warehouses in the US.  Traffic over this Site-to-Site VPN will be Active Directory, DNS, Exchange, file sharing and possibly VoIP.

The current infrastructure is as follows: The head office has two internet connections, 5mbit ADSL and 100mbit Fiber, which are connected to the WAN and OPT interfaces on a Sonicwall TZ170 with Enhanced firmware. Each of the warehouses has a T1, Cable or DSL and a TZ170 Standard. Most of the warehouses are currently participating in a VPN for VoIP.

I'm concerned that the TZ170 at the head office will not be able to handle all of the traffic from the VPN. Also, the TZ170 has the ability for 10 VPN Site-to-Site connections in the SonicOS (not sure if more can be purchased or not).

I'm thinking of a PIX Firewall of some kind and a 3640 (is a PIX required if the IOS has FW capabilities?), but I'm not sure what exactly to get to ensure the best security, as well as top reliability and performance.

What would you do on a shoestring budget sticking to used Sonicwall and Cisco equipment?

Question by: encoad
LVL 57

Expert Comment

ID: 21790623
If I was on a shoestring budget, I would use Linux and iptables and a spare PC.

Instead of a PIX I would see if you could get an ASA box on eBay. If you really want a PIX, what class are you looking at? If you think a TZ170 can't handle it, then you would need a PIX 525 or 535.

If you have a router with FW options, then you would not really need another firewall, unless you wanted to offload the overhead of doing firewall functions.

LVL 13

Expert Comment

ID: 21790723
Take a look at smoothwall, an open-source hardened Linux solution. There are also commercial versions that are more powerful and fairly inexpensive.

If you want to go with Cisco, I would choose the ASA 5500 series. You can pick up a basic 5505 bundle solution for about $400 on ebay.

Expert Comment

ID: 21791327
I'd choose a Cisco 1800 series router. They are better suited to site-to-site VPNs.

The firewall feature set will cover most events, and unless you went with an ASA 5510 or similar, the elements that would be missed are failover / traffic management. If you're on a shoestring budget, then I'm unsure if these are important criteria.

An ASA 5505 does not have a DMZ capability, and the VPN capabilities are better with the 5510.


Assisted Solution

raptorjb007 earned 50 total points
ID: 21793831
The ASA5505 does have a DMZ capability; however, with the base license it is restricted to 3 VLANs, one of which is restricted to communicating with only one other VLAN. You can purchase the Security+ License for the ASA5505, which will unlock the ability for active/passive failover and additional VLANs; however, this will double the cost of the firewall.

Regarding which ASA is the best model for this purpose, the ASA5510 would be the better choice. The ASA5505 may run into a CPU bottleneck with the kind of traffic you will be pushing on the VPNs, not to mention a base license limit of 10, above which you would require the Security+ License.

As far as budget is concerned, you may be able to purchase a used PIX model on eBay; just get a model 525 or higher.

I have not used a smoothwall so I am unable to speak for its performance and/or capabilities.

Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison

Author Comment

ID: 21793904
Thanks to all who have responded thus far.

I've considered the Linux option, but I don't think it's feasible. I've found Cisco products to be essentially flawless (almost flawless for the Sonicwall), but once I start running a server to handle the internet traffic I've got to worry about dead CPU fans, corrupted hard drives, flaky memory and toasted power supplies. Also, the Cisco support base is a lot larger than Smoothwall or the other Linux options. (Don't get me wrong, I'm a Linux fan, using Ubuntu right now.)

The ASA5510 looks great, but it's also pretty expensive, especially once you license it up.

Any reason why I couldn't use a 3640?  Any features it would be lacking?

Author Comment

ID: 21794972
Or perhaps a 3745?

Expert Comment

ID: 21824953
I'm not familiar enough with using the routers' hardware to answer that question for you.
LVL 57

Accepted Solution

giltjr earned 75 total points
ID: 21825272
Well, I would choose the 3745 over the 3640, just for the reason that the 3640 is no longer supported, so if you wanted to get support you're out of luck.

As for the ASA vs. 3745: what is the pricing for a 3745 with the IOS Firewall Module?

Cisco has a FAQ on the IOS Firewall:


Author Comment

ID: 21825341
Yeah, clearly the 3745 is a better choice.

I found a 3745 with the Advanced Enterprise IOS for 900 on eBay. I'm assuming that's the right IOS to get.
LVL 57

Expert Comment

ID: 21825912
Should be a good starting point. Then you have to buy the IOS Firewall.

Author Closing Comment

ID: 31467454
Thanks for the information, you guys have clarified things for me. I think that the 3745 with IOS FW will be best. The links were very helpful.
