Suggestions needed for a budget Firewall and VPN infrastructure with Cisco and Sonicwall equipment

Hello Everyone,

The company where I work is very budget conscious, except with regards to the IT department, where funds are almost impossible to obtain. Please keep in mind that when answering this question, all the hardware will be bought off eBay. Also, I am very familiar with SonicOS and fairly familiar with IOS (studying for my CCNP).

We now have a requirement to establish a VPN with a dozen or so warehouses in the US.  Traffic over this Site-to-Site VPN will be Active Directory, DNS, Exchange, file sharing and possibly VoIP.

The current infrastructure is as follows: the head office has two internet connections, 5 Mbit ADSL and 100 Mbit fiber, which are connected to the WAN and OPT interfaces on a SonicWall TZ170 with Enhanced firmware. Each of the warehouses has a T1, cable or DSL and a TZ170 Standard. Most of the warehouses are currently participating in a VPN for VoIP.

I'm concerned that the TZ170 at the head office will not be able to handle all of the traffic from the VPN.  Also, the TZ170 has the ability for 10 VPN Site-to-Site connections in the SonicOS (not sure if more can be purchased or not).  

I'm thinking of a PIX firewall of some kind and a 3640 (is a PIX required if the IOS has firewall capabilities?), but I'm not sure what exactly to get to ensure the best security, as well as top reliability and performance.

What would you do on a shoestring budget, sticking to used SonicWall and Cisco equipment?

giltjr commented:
Well, I would choose the 3745 over the 3640, just for the reason that the 3640 is no longer supported, so if you wanted to get support you're out of luck.

As for the ASA vs. 3745.  What is the pricing for a 3745 with the IOS Firewall Module?

Cisco has a FAQ on the IOS Firewall:

If I was on a shoestring budget, I would use Linux and iptables and a spare PC.

Instead of a PIX I would see if you could get an ASA box on eBay. If you really want a PIX, what class are you looking at? If you think a TZ170 can't handle it, then you would need a PIX 525 or 535.

If you have a router with FW options, then you would not really need another firewall, unless you wanted to offload the overhead of doing firewall functions.

Take a look at smoothwall, an open-source hardened Linux solution. There are also commercial versions that are more powerful and fairly inexpensive.

If you want to go with Cisco, I would choose the ASA 5500 series. You can pick up a basic 5505 bundle solution for about $400 on eBay.

I'd choose a Cisco 1800 series router. They are better suited to site-to-site VPNs.

The firewall feature set will cover most events, and unless you went with an ASA 5510 or similar, the elements that would be missed are failover / traffic management. If you're on a shoestring budget, then I'm unsure if these are important criteria.

An ASA 5505 does not have a DMZ capability, and the VPN capabilities are better with the 5510.

raptorjb007 commented:
The ASA 5505 does have a DMZ capability; however, with the base license it is restricted to 3 VLANs, one of which is restricted to communicating with only one other VLAN. You can purchase the Security Plus license for the ASA 5505, which will unlock the ability for active/passive failover and additional VLANs; however, this will double the cost of the firewall.

Regarding which ASA is the best model for this purpose, the ASA 5510 would be the better choice. The ASA 5505 may run into a CPU bottleneck with the kind of traffic you will be pushing over the VPNs, not to mention a base license limit of 10 peers, above which you would require the Security Plus license.

As far as budget is concerned, you may be able to purchase a used PIX model on eBay; just get a model 525 or higher.

I have not used a smoothwall so I am unable to speak for its performance and/or capabilities.

Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison
encoad (author) commented:
Thanks to all who have responded thus far.  

I've considered the Linux option, but I don't think it's feasible. I've found Cisco products to be essentially flawless (almost flawless for the SonicWall), but once I start running a server to handle the internet traffic I've got to worry about dead CPU fans, corrupted hard drives, flaky memory and toasted power supplies. Also, the Cisco support base is a lot larger than Smoothwall or the other Linux options. (Don't get me wrong, I'm a Linux fan, using Ubuntu right now.)

The ASA 5510 looks great, but it's also pretty expensive, especially once you license it up.

Any reason why I couldn't use a 3640?  Any features it would be lacking?

encoad (author) commented:
Or perhaps a 3745?
I'm not familiar enough with using the routers hardware to answer that question for you.
encoad (author) commented:
Yeah, clearly the 3745 is a better choice.

I found a 3745 with the Advanced Enterprise IOS for 900 on eBay. I'm assuming that's the right IOS to get.
Should be a good starting point.  Then you have to buy the IOS Firewall.
encoad (author) commented:
Thanks for the information, you guys have clarified things for me.  I think that the 3745 with IOS fw will be best.  The links were very helpful.
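As an added illustration of the setup the thread settles on (a 3745 running the IOS Firewall feature set, terminating site-to-site IPsec tunnels to the warehouses), here is a head-office configuration fragment for one warehouse peer. This is example configuration written for this page, not something any of the posters supplied, and every address in it is constructed: 10.1.0.0/16 for the head-office LAN, 10.101.0.0/24 for warehouse 1, the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 for the public sides, and the names (WH-MAP, WH-TS, VPN-WH1, WAN-IN, OUTBOUND, NAT-ACL) are placeholders. It uses classic crypto maps and CBAC (ip inspect), which is what the 12.3/12.4 Advanced Enterprise images of that era provide; each additional warehouse is another crypto map sequence number, its own pre-shared key and its own crypto ACL.

```cisco
! Head-office 3745 - constructed example, addresses are documentation ranges
hostname HQ-3745
!
! Phase 1 (IKE): one policy shared by all warehouse peers, one PSK per peer
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp key <strong-unique-psk-wh1> address 203.0.113.10
!
! Phase 2 (IPsec): AES-256 with SHA-1 integrity, tunnel mode
crypto ipsec transform-set WH-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! One crypto map, one sequence number per warehouse
crypto map WH-MAP 10 ipsec-isakmp
 description Warehouse 1 (hypothetical peer)
 set peer 203.0.113.10
 set transform-set WH-TS
 set pfs group2
 match address VPN-WH1
!
! Crypto ACL: which traffic is encrypted toward warehouse 1
ip access-list extended VPN-WH1
 permit ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.0.255
!
! NAT exemption: VPN-bound traffic must never be translated,
! or it will not match the crypto ACL and leaves in the clear
ip access-list extended NAT-ACL
 deny   ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
!
! IOS Firewall (CBAC): stateful inspection of outbound sessions
! opens the return path; everything else inbound hits WAN-IN
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
! Inbound WAN ACL: only IKE (500), NAT-T (4500) and ESP from the peer.
! Caveat: IOS releases that re-check decrypted packets against the
! inbound ACL also need the warehouse subnet permitted, as below;
! verify the behaviour of your image before relying on it.
ip access-list extended WAN-IN
 remark IKE, NAT-T and ESP from warehouse 1
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 remark decrypted traffic from warehouse 1
 permit ip 10.101.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 deny   ip any any log
!
interface FastEthernet0/0
 description WAN - 100 Mbit fiber (constructed address)
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
 crypto map WH-MAP
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.0.1 255.255.0.0
 ip nat inside
```

The warehouse side mirrors this with the subnets swapped in the crypto ACL and NAT exemption. The two points a practitioner most often gets wrong are the NAT exemption (without the deny line, translated packets never match VPN-WH1 and the tunnel silently carries nothing) and the inbound ACL, which must admit UDP 500/4500 and ESP from each peer while the CBAC inspect rule, not a blanket permit, handles return traffic for ordinary Internet sessions. `show crypto isakmp sa` and `show crypto ipsec sa` confirm the tunnel is up and that encrypt/decrypt counters are climbing in both directions.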