Solved

Cisco VPN

Posted on 2009-06-29
848 Views
Last Modified: 2012-06-22
Currently I have a client using some Linksys routers that support VPN tunnels.  They have been using the VPN tunnels to connect remote sites to a central office.  They have been rather unstable and I am looking for a cost effective solution that will provide better reliability.

I know that Cisco is likely the route to take, but I would like some recommendations on implementing a cost effective Cisco VPN solution for a central office with 4 remote offices.  Each remote office has about 12 users.

Thank you.
Question by:level9tech
17 Comments
 
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24736167
An ASA 5510 for the central office, with ASA5505 for the satellites. Depending on features needed for the satellites and user counts, they are as cheap as $350 per office. The 5510 for the central office should run about $1500-1800. The tunnels will be as bulletproof as your underlying transport, and you have a ton of optional features to use if you desire as well.


Author Comment

by:level9tech
ID: 24736255
Is there any way to connect a Cisco VPN device to a Linksys VPN?  I know the reliability would be compromised, but for testing purposes, is there any way to accomplish that?

Author Comment

by:level9tech
ID: 24736283
Also, how difficult are those devices to configure?

Author Comment

by:level9tech
ID: 24740165
Is there any way to connect Cisco and Linksys devices with a VPN tunnel?
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24746393
Cisco and Linksys are both made by Cisco now, so their interoperability is improved from when they were separate companies. But it is kind of an involved config, and the success rate I've had is under 50% either way.

And while the ASA is a very powerful firewall/VPN device, and you can get as down-in-the-weeds detailed as you wish in the CLI, there is also a GUI that's not too tough to use, and a LOT of tutorial and training stuff on Cisco's site, as well as in the box when you buy one. The GUI is called ASDM, and comes installed in the device from the factory.
LVL 1

Expert Comment

by:Noyan Gonulsen
ID: 24748162
Hi Level9tech,

Sorry to jump in here, but what Nothing Changed has mentioned is bang on. You should also consider what type of VPN topology you are going to implement, i.e. mesh or hub and spoke, as it will determine what type of equipment you purchase. Depending on your budget, if you plan on implementing a mesh topology you could get away with 5505's at each location. However, if it's a hub and spoke then you will need a 5510 to act as your hub because 5505's will not forward VPN traffic to your other subnets.
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24753794
5505 or 5510 can do the exact same things, aside from scale, as long as the 5505 is licensed appropriately. The Sec Plus license on the 5505 makes it functionally equivalent to a 5510 in all but failover capability and scale (amount of tunnels it can terminate), but that model is nearly $1000. The recommendation for the inexpensive 5505 (the base and 50 user license versions, roughly $350/450 ish) is based on my assumption of smaller satellite offices and a larger central office. The big limitation on the base license is the number of VLANs it can support internally and the 10 node (or 50 node) limit, but even with the minimum license the 5505 base can mesh with 4 or more other sites no problem. Up to 25, actually, as long as there are no other remote access VPN users. The node limit refers only to the number of internal IP hosts that will be traversing the firewall.

Author Comment

by:level9tech
ID: 24762653
The topology is going to be the hub route.  I assume that I should go with a properly licensed 5505, correct?  I just want to make sure because I am going to be buying some equipment and I want to make sure I get it right.  Thank you everyone for your help.
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24764592
Yes, in a hub & spoke configuration, and assuming your remote sites are smaller (like 50 or less users), a 5505 at the edges will work fine. The part numbers I generally deploy in situations like this are:

Corporate HQ (unlimited users, up to 250 VPN peers, 5 Fast Ethernet interfaces): ASA5510-BUN-K9
Corporate HQ (unlimited users, up to 250 VPN peers, 2 Gigabit Ethernet + 3 Fast Ethernet): ASA5510-SEC-BUN-K9

Remote offices (up to 10 nodes): ASA5505-BUN-K9
Remote offices (up to 50 nodes): ASA5505-50-BUN-K9
Remote offices (unlimited nodes, up to 20 VLANs): ASA5505-SEC-BUN-K9
(Note, the VLAN restriction is for "active on the firewall" only. You can have whatever internal & external routes you need for each branch regardless of the license level. They are all the same hardware.)

These part numbers and encryption levels are assuming USA sales. A good yardstick on pricing can be found by searching the part numbers on shopper.cnet.com. If you have never deployed one of these, I would HIGHLY recommend engaging someone experienced to help you with initial setup; it is non-trivial and time consuming for multiple sites, especially for your first time into the gear. There are really good Cisco config classes out there as well.
LVL 1

Expert Comment

by:Noyan Gonulsen
ID: 24767031
Hi Level9tech,

Nothing Changed is absolutely correct, my mistake regarding the 5505. My apologies, Nothing Changed, I don't know what I was thinking!

Author Comment

by:level9tech
ID: 24767109
Alright let me give a bit more detail as this is a big decision for a small business.

The central office really isn't very large.  Maybe 20 users.

We will assume the satellite offices have 15 users.

I really don't want to fork out for the ASA5510 if I don't have to.  My only concern is whether the ASA5505 can handle the job at the central office while still allowing future growth.  I am not expecting any large growth anytime soon, but I don't want to have to go buy a new piece of hardware if one more office opens.

I have noticed on Newegg that these devices have limits on the VPN connections.  Is it considered one connection to have a tunnel open from a satellite office to the main office?  Is it still one connection if four users are connected to a server across the tunnel?  Or is it 4 or 5 connections at that point?

Does anyone have any experience with cable internet and these devices?  I understand cable internet is probably not as stable as a T1.  How comparable is it as far as reliability?

Thank you.  I appreciate everyone's help.
LVL 1

Accepted Solution

by:Noyan Gonulsen (earned 500 total points)
ID: 24767320
Hi,
Here is the link for the 5500 series model comparison;
http://www.cisco.com/en/US/customer/products/ps6120/prod_models_comparison.html

You had mentioned there are 4 remote sites and HQ (and potential growth). Keep in mind that all traffic coming into the hub has to be decrypted and then encrypted again if it's being forwarded. What are you running on your network? Active Directory? DNS?  File and print services? Are you running Exchange? Goldmine? Etc.
In my opinion, I would list out all the services and apps that are running on the network first, and then we can go from there.
We have T1s in our locations except for our New York location, which is DSL, but we have a Sonicwall TZ 180 there and the rest are ASAs.
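The hub-side forwarding the accepted solution describes (spoke traffic decrypted at HQ and re-encrypted toward another spoke), shown as an added example that is not from this thread or from Cisco's documentation: a constructed ASA 8.2-style hub configuration for HQ with two spokes. The subnets, peer addresses, object names and pre-shared-key placeholders are all assumed.

```cisco
! Constructed hub (HQ) ASA config; all addresses, names and keys are assumed.
! HQ LAN 10.0.0.0/24, Site1 LAN 10.0.1.0/24, Site2 LAN 10.0.2.0/24
! Spoke public addresses 203.0.113.11 (Site1) and 203.0.113.12 (Site2)
!
! IKEv1 phase 1 policy, shared by every spoke
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! IPsec phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic per spoke. For spoke-to-spoke traffic to ride through
! the hub, each spoke's ACL must also match the OTHER spoke's LAN.
access-list HUB-TO-SITE1 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list HUB-TO-SITE1 extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list HUB-TO-SITE2 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list HUB-TO-SITE2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
! Keep HQ-to-spoke traffic out of the internet NAT rule (ASA 8.2 syntax)
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Let a packet that arrived on outside (decrypted from Site1) leave on outside
! again (re-encrypted toward Site2); without this the hub drops the hairpin.
same-security-traffic permit intra-interface
!
! One crypto map entry per spoke, all bound to the outside interface
crypto map OUTSIDE_MAP 10 match address HUB-TO-SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.11
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address HUB-TO-SITE2
crypto map OUTSIDE_MAP 20 set peer 203.0.113.12
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! A distinct pre-shared key per spoke (placeholders, not real keys)
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 pre-shared-key SITE1-PSK-PLACEHOLDER
tunnel-group 203.0.113.12 type ipsec-l2l
tunnel-group 203.0.113.12 ipsec-attributes
 pre-shared-key SITE2-PSK-PLACEHOLDER
```

Each spoke mirrors its own ACL (its LAN to HQ's LAN and to the other spoke's LAN) and peers only with the hub, so a fifth office means one more ACL pair, crypto map entry and tunnel-group on the hub rather than a full mesh.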

Author Comment

by:level9tech
ID: 24784975
Active Directory although there is only a single server at the HQ.
Exchange (Only the HQ uses this).
DNS.
Terminal Services.
File Sharing.

Thank you again.
LVL 1

Expert Comment

by:Noyan Gonulsen
ID: 24785841
You might want to consider adding another Active Directory server to avoid any single points of failure. If you are running Windows 2008 you can add read-only domain controllers, which will lower your costs. You could also add AD in each site so users will log on locally to avoid traffic down the pipe, but that will increase the costs. Are you running DNS in all locations? If so, consider adding AD on those servers (if they can handle it); you can always control when AD synchronizes. Exchange is only in HQ, so how are the remote sites retrieving mail? Are they even retrieving mail? A terminal service is not really a big deal as it's only mouse clicks and key strokes, albeit, how many apps are configured? File sharing will create traffic (obviously).
Having said that, in my opinion I would consider a 5510 at head office; better to over deliver as opposed to under delivering!
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24785923
I have customers I support with up to 47 sites running on a 5505/5510 setup, with no problems. The 5510 has a ton of CPU for what it does, and a separate DSP for VPN encrypt/decrypt, leading to the Cisco specification that it can support up to 250 concurrent remote and site-to-site VPNs. They generally under-spec, and with 47 active sites all with 6 Mb internet pipes coming into a head end with a 100 Mb internet connection, CPU utilization hovers around 55%. You'd be hard pressed to push this solution unless you REALLY start to scale up.
LVL 8

Expert Comment

by:Nothing_Changed
ID: 24806791
Wow, I answered first, gave you the solution right off, clearly knew the products better, and you reward a points-sniper. Cold.
LVL 1

Expert Comment

by:Noyan Gonulsen
ID: 24807279
Hey Guys,

Nothing Changed, if you want the points by all means take them (not sure how to do that, I'm new to the site; I've posted questions before but never got involved helping out).  Considering I've been helped out through this site, I wanted to give back; I'm not here for the points. As for "a points-sniper", it wasn't my intent to steal your points; you should actually think before you post a comment. As for knowing the products better, I was thinking of a different firewall as I was helping someone else with their configs. I quickly stated that you were correct in your statement regarding the 5505. I'm not here to state I'm better or you're better.