Cisco VPN

Currently I have a client using some Linksys routers that support VPN tunnels.  They have been using the VPN tunnels to connect remote sites to a central office.  They have been rather unstable and I am looking for a cost effective solution that will provide better reliability.

I know that Cisco is likely the route to take, but I would like some recommendations on implementing a cost effective Cisco VPN solution for a central office with 4 remote offices.  Each remote office has about 12 users.

Thank you.

Nothing_ChangedCommented:
An ASA 5510 for the central office, with ASA5505 for the satellites. Depending on features needed for the satellites and user counts, they are as cheap as $350 per office. The 5510 for the central office should run about $1500-1800. The tunnels will be as bulletproof as your underlying transport, and you have a ton of optional features to use if you desire as well.

level9techAuthor Commented:
Is there any way to connect a Cisco VPN device to a Linksys VPN?  I know the reliability would be compromised, but for testing purposes, is there any way to accomplish that?
level9techAuthor Commented:
Also, how difficult are those devices to configure?
level9techAuthor Commented:
Is there any way to connect Cisco and Linksys devices with a VPN tunnel?
Nothing_ChangedCommented:
Cisco and Linksys are both made by Cisco now, so their interoperability is improved from when they were separate companies. But it is kind of an involved config, and the success rate I've had is under 50% either way.

And while the ASA is a very powerful firewall/VPN device, and you can get as down-in-the-weeds detailed as you wish in the CLI, there is also a GUI that's not too tough to use, and a LOT of tutorial and training stuff on Cisco's site, as well as in the box when you buy one. The GUI is called ASDM, and comes installed in the device from the factory.
Noyan GonulsenCommented:
Hi Level9tech,

Sorry to jump in here, but what Nothing Changed has mentioned is bang on; you should also consider what type of VPN topology you are going to implement, i.e. mesh or hub and spoke, as it will determine what type of equipment you purchase. Depending on your budget, if you plan on implementing a mesh topology you could get away with 5505's at each location. However, if it's hub and spoke then you will need a 5510 to act as your hub, because 5505's will not forward VPN traffic to your other subnets.
Nothing_ChangedCommented:
5505 or 5510 can do the exact same things, aside from scale, as long as the 5505 is licensed appropriately. The Sec Plus license on the 5505 makes it functionally equivalent to a 5510 in all but failover capability and scale (amount of tunnels it can terminate), but that model is nearly $1000. The recommendation for the inexpensive 5505 (the base and 50 user license versions, roughly $350/450 ish) is based on my assumption of smaller satellite offices and larger central office. The big limitation on the base license is the number of VLANs it can support internally and the 10 node (or 50 node) limit, but even with the minimum license the 5505 base can mesh with 4 or more other sites no problem. Up to 25 as long as there are no other remote access VPN users, actually. The node limit refers only to the number of internal IP hosts that will be traversing the firewall.
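For readers weighing the hub-and-spoke question raised in the two comments above, here is what a hub-and-spoke site-to-site IPsec setup looks like on the ASA CLI. This is an added example written for this page, not configuration posted by either commenter or taken from Cisco documentation. It assumes ASA 8.0-8.2 era syntax (pre-8.3 NAT exemption), and all addresses, object names, and pre-shared keys are invented placeholders. The point it shows is the one a hub needs regardless of model: spoke-to-spoke traffic arrives on the hub's outside interface, is decrypted, and must be allowed to leave the same interface again (`same-security-traffic permit intra-interface`), and every crypto ACL on the hub must list the other spokes' subnets, mirrored by the spoke's own ACL.

```cisco
! ===== Hub ASA (assumed: outside 203.0.113.1, inside LAN 10.0.0.0/24) =====
! Spoke A (assumed): outside 198.51.100.10, LAN 10.1.0.0/24
! Spoke B (assumed): outside 198.51.100.20, LAN 10.2.0.0/24

! Phase 1 (IKE). Main mode is used for L2L peers identified by IP.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! Phase 2 (IPsec) proposal shared by all tunnels.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic for each spoke: hub LAN <-> spoke LAN, PLUS the other
! spoke's LAN, so spoke-to-spoke traffic can be hairpinned through the hub.
access-list HUB-TO-SPOKEA extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB-TO-SPOKEA extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list HUB-TO-SPOKEB extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list HUB-TO-SPOKEB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! NAT exemption (pre-8.3 syntax) so hub LAN traffic to the spokes is not NATed.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Required for hub-and-spoke: decrypted traffic that entered on "outside"
! may be routed back out of "outside" into the other spoke's tunnel.
same-security-traffic permit intra-interface

! One tunnel-group per peer, each with its own long random PSK (placeholders here).
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-UNIQUE-RANDOM-PSK-FOR-SPOKE-A
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-UNIQUE-RANDOM-PSK-FOR-SPOKE-B

! Crypto map: one sequence number per spoke, bound to the outside interface.
crypto map OUTSIDE-MAP 10 match address HUB-TO-SPOKEA
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 20 match address HUB-TO-SPOKEB
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! ===== Spoke A ASA (assumed: outside 198.51.100.10, inside LAN 10.1.0.0/24) =====
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Mirror image of the hub's HUB-TO-SPOKEA list: spoke A LAN to hub LAN AND
! to spoke B's LAN. Both go to the hub; the hub forwards the second one.
access-list SPOKEA-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list SPOKEA-TO-HUB extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list SPOKEA-TO-HUB

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-UNIQUE-RANDOM-PSK-FOR-SPOKE-A

crypto map OUTSIDE-MAP 10 match address SPOKEA-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

Spoke B is the same with its own addresses and PSK. After generating traffic, `show crypto isakmp sa` should show one Phase 1 SA per peer and `show crypto ipsec sa` one pair of encrypt/decrypt counters per ACL line; a spoke-to-spoke flow that never shows up on the hub's second ACL entry almost always means one side's crypto ACL is not the exact mirror of the other's. Use a different, randomly generated pre-shared key for every spoke so that a compromised branch device cannot impersonate another site to the hub.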
level9techAuthor Commented:
The topology is going to be the hub route.  Assuming that I should go with a properly licensed 5505 correct?  I just want to make sure because I am going to be buying some equipment and I want to make sure I get it right.  Thank you everyone for your help.
Nothing_ChangedCommented:
Yes in a hub & spoke configuration, and assuming your remote sites are smaller (like 50 or less users), a 5505 at the edges will work fine. The part numbers I generally deploy in situations like this are:

Corporate HQ (unlimited users, up to 250 VPN peers, 5 Fast Ethernet interfaces) ASA5510-BUN-K9
Corporate HQ (unlimited users, up to 250 VPN peers, 2 Gigabit Ethernet + 3 Fast Ethernet) ASA5510-SEC-BUN-K9


Remote offices (up to 10 nodes) ASA5505-BUN-K9
Remote offices (up to 50 nodes) ASA5505-50-BUN-K9
Remote offices (unlimited nodes, up to 20 VLANs) ASA5505-SEC-BUN-K9
(note, the VLAN restriction is for "active on the firewall" only. You can have whatever internal & external routes you need for each branch regardless of the license level. They are all the same hardware)

These part numbers and encryption levels are assuming USA sales. A good yardstick on pricing can be found by searching the part numbers on shopper.cnet.com. If you have never deployed one of these, I would HIGHLY recommend engaging someone experienced to help you with initial setup; it is non-trivial and time consuming for multiple sites, especially for your first time into the gear. There are really good Cisco config classes out there as well.
Noyan GonulsenCommented:
Hi Level9tech,

Nothing Changed is absolutely correct, my mistake regarding the 5505. My apologies, Nothing Changed, I don't know what I was thinking!
level9techAuthor Commented:
Alright let me give a bit more detail as this is a big decision for a small business.

The central office really isn't very large.  Maybe 20 users.

We will assume the satellite offices have 15 users.

I really don't want to fork out for the ASA5510 if I don't have to.  My only concern is if the ASA5505 can handle the job at the central office while still allowing future growth.  I am not expecting any large growth anytime soon, but I don't want to have to go buy a new piece of hardware if one more office opens.

I have noticed on Newegg that these devices have limits on the VPN connections.  Is it considered one connection to have a tunnel open from a satellite office to the main office?  Is it still one connection if four users are connected to a server across the tunnel?  Or is it 4 or 5 connections at that point?

Does anyone have any experience with Cable internet and these devices?  I understand cable internet is probably not as stable as a T1.  How comparable is it as far as reliability?

Thank you.  I appreciate everyone's help.
Noyan GonulsenCommented:
Hi,
Here is the link for the 5500 series model comparison;
http://www.cisco.com/en/US/customer/products/ps6120/prod_models_comparison.html

You had mentioned there are 4 remote sites and HQ (and potential growth); keep in mind that all traffic coming into the hub has to be decrypted and then encrypted again if it's being forwarded. What are you running on your network? Active Directory? DNS? File and print services? Are you running Exchange? Goldmine? Etc.
In my opinion, I would list out all the services and apps that are running on the network first, and then we can go from there.
We have T1's in our locations except for our New York location, which is DSL, but we have a SonicWall TZ 180 there and the rest are ASA's.
level9techAuthor Commented:
Active Directory although there is only a single server at the HQ.
Exchange (Only the HQ uses this).
DNS.
Terminal Services.
File Sharing.

Thank you again.
Noyan GonulsenCommented:
You might want to consider adding another Active Directory server to avoid any single points of failure. If you are running Windows 2008 you can add read-only domain controllers, which will lower your costs. You could also add AD in each site so users will log on locally to avoid traffic down the pipe, but that will increase the costs. Are you running DNS in all locations? If so, consider adding AD on those servers (if they can handle it); you can always control when AD synchronizes. Exchange is only in HQ; how are the remote sites retrieving mail? Are they even retrieving mail? Terminal Services is not really a big deal as it's only mouse clicks and keystrokes, albeit how many apps are configured? File sharing will create traffic (obviously).
Having said that, in my opinion I would consider a 5510 at head office; better to over-deliver as opposed to under-delivering!
Nothing_ChangedCommented:
I have customers I support with up to 47 sites running on a 5505/5510 setup, with no problems. The 5510 has a ton of CPU for what it does, and a separate DSP for VPN encrypt/decrypt, leading to the Cisco specification that it can support up to 250 concurrent remote and site-to-site VPNs. They generally under-spec, and with 47 active sites all with 6 Mb internet pipes coming into a head end with a 100 Mb internet, CPU utilization hovers around 55%. You'd be hard pressed to push this solution unless you REALLY start to scale up.
Nothing_ChangedCommented:
Wow, I answered first, gave you the solution right off, clearly knew the products better, and you reward a points-sniper. Cold.
Noyan GonulsenCommented:
Hey Guys,

Nothing Changed, if you want the points by all means take them (not sure how to do that, I'm new to the site; posted questions before but never got involved helping out).  Considering I've been helped out through this site, I wanted to give back; I'm not here for the points. As for "a points-sniper", it wasn't my intent to steal your points; you should actually think before you post a comment. As for knowing the products better, I was thinking of a different firewall as I was helping someone else with their configs. I quickly stated that you were correct in your statement regarding the 5505. I'm not here to state I'm better or you're better.