level9tech

asked on

Cisco VPN

Currently I have a client using some Linksys routers that support VPN tunnels.  They have been using the VPN tunnels to connect remote sites to a central office.  They have been rather unstable and I am looking for a cost effective solution that will provide better reliability.

I know that Cisco is likely the route to take, but I would like some recommendations on implementing a cost effective Cisco VPN solution for a central office with 4 remote offices.  Each remote office has about 12 users.

Thank you.
Nothing_Changed

An ASA 5510 for the central office, with ASA 5505s for the satellites. Depending on features needed for the satellites and user counts, they are as cheap as $350 per office. The 5510 for the central office should run about $1500-1800. The tunnels will be as bulletproof as your underlying transport, and you have a ton of optional features to use if you desire as well.

level9tech

ASKER

Is there any way to connect a Cisco VPN device to a Linksys VPN?  I know the reliability would be compromised, but for testing purposes, is there any way to accomplish that?
Also, how difficult are those devices to configure?
Is there any way to connect Cisco and Linksys devices with a VPN tunnel?
Cisco and Linksys are both made by Cisco now, so their interoperability is improved from when they were separate companies. But it is kind of an involved config, and the success rate I've had is under 50% either way.

And while the ASA is a very powerful firewall/VPN device, and you can get as down-in-the-weeds detailed as you wish in the CLI, there is also a GUI that's not too tough to use, and a LOT of tutorial and training stuff on Cisco's site, as well as in the box when you buy one. The GUI is called ASDM, and comes installed in the device from the factory.
Hi Level9tech,

Sorry to jump in here, but what Nothing Changed has mentioned is bang on. You should also consider what type of VPN topology you are going to implement, i.e. mesh or hub and spoke, as it will determine what type of equipment you purchase. Depending on your budget, if you plan on implementing a mesh topology you could get away with 5505s at each location. However, if it's a hub and spoke then you will need a 5510 to act as your hub, because 5505s will not forward VPN traffic to your other subnets.
5505 or 5510 can do the exact same things, aside from scale, as long as the 5505 is licensed appropriately. The Sec Plus license on the 5505 makes it functionally equivalent to a 5510 in all but failover capability and scale (amount of tunnels it can terminate), but that model is nearly $1000. The recommendation for the inexpensive 5505 (the base and 50 user license versions, roughly $350/450 ish) is based on my assumption of smaller satellite offices and larger central office. The big limitation on the base license is the number of VLANs it can support internally and the 10 node (or 50 node) limit, but even with the minimum license the 5505 base can mesh with 4 or more other sites no problem. Up to 25, as long as there are no other remote access VPN users, actually. The node limit refers only to the number of internal IP hosts that will be traversing the firewall.
The topology is going to be the hub route.  I assume that I should go with a properly licensed 5505, correct?  I just want to make sure because I am going to be buying some equipment and I want to make sure I get it right.  Thank you everyone for your help.
Yes, in a hub & spoke configuration, and assuming your remote sites are smaller (like 50 or less users), a 5505 at the edges will work fine. The part numbers I generally deploy in situations like this are:

Corporate HQ (unlimited users, up to 250 VPN peers, 5 Fast Ethernet interfaces): ASA5510-BUN-K9
Corporate HQ (unlimited users, up to 250 VPN peers, 2 Gigabit Ethernet + 3 Fast Ethernet): ASA5510-SEC-BUN-K9

Remote offices (up to 10 nodes): ASA5505-BUN-K9
Remote offices (up to 50 nodes): ASA5505-50-BUN-K9
Remote offices (unlimited nodes, up to 20 VLANs): ASA5505-SEC-BUN-K9
(Note: the VLAN restriction is for "active on the firewall" only. You can have whatever internal & external routes you need for each branch regardless of the license level. They are all the same hardware.)

These part numbers and encryption levels are assuming USA sales. A good yardstick on pricing can be found by searching the part numbers on shopper.cnet.com. If you have never deployed one of these, I would HIGHLY recommend engaging someone experienced to help you with initial setup; it is non-trivial and time consuming for multiple sites, especially for your first time into the gear. There are really good Cisco config classes out there as well.
Hi Level9tech,

Nothing Changed is absolutely correct; my mistake regarding the 5505. My apologies, Nothing Changed, I don't know what I was thinking!
Alright let me give a bit more detail as this is a big decision for a small business.

The central office really isn't very large.  Maybe 20 users.

We will assume the satellite offices have 15 users.

I really don't want to fork out for the ASA5510 if I don't have to.  My only concern is whether the ASA5505 can handle the job at the central office while still allowing future growth.  I am not expecting any large growth anytime soon, but I don't want to have to go buy a new piece of hardware if one more office opens.

I have noticed on Newegg that these devices have limits on the VPN connections.  Is it considered one connection to have a tunnel open from a satellite office to the main office?  Is it still one connection if four users are connected to a server across the tunnel?  Or is it 4 or 5 connections at that point?

Does anyone have any experience with Cable internet and these devices?  I understand cable internet is probably not as stable as a T1.  How comparable is it as far as reliability?

Thank you.  I appreciate everyone's help.
ASKER CERTIFIED SOLUTION
Noyan Gonulsen
Active Directory although there is only a single server at the HQ.
Exchange (Only the HQ uses this).
DNS.
Terminal Services.
File Sharing.

Thank you again.
You might want to consider adding another Active Directory server to avoid any single points of failure. If you are running Windows 2008 you can add read-only domain controllers, which will lower your costs. You could also add AD in each site so users will log on locally to avoid traffic down the pipe, but that will increase the costs. Are you running DNS in all locations? If so, consider adding AD on the servers (if they can handle it); you can always control when AD synchronizes. Exchange is only in HQ, so how are the remote sites retrieving mail? Are they even retrieving mail? A terminal service is not really a big deal as it's only mouse clicks and key strokes; albeit, how many apps are configured? File sharing will create traffic (obviously).
Having said that, in my opinion I would consider a 5510 at head office; better to over deliver as opposed to under delivering!
I have customers I support with up to 47 sites running on a 5505/5510 setup, with no problems. The 5510 has a ton of CPU for what it does, and a separate DSP for VPN encrypt/decrypt, leading to the Cisco specification that it can support up to 250 concurrent remote and site-to-site VPNs. They generally under-spec, and with 47 active sites all with 6 Mb internet pipes coming into a head end with a 100 Mb internet, CPU utilization hovers around 55%. You'd be hard pressed to push this solution unless you REALLY start to scale up.
Wow, I answered first, gave you the solution right off, clearly knew the products better, and you reward a points-sniper. Cold.
Hey Guys,

Nothing Changed, if you want the points, by all means take them (not sure how to do that, I'm new to the site; I've posted questions before but never got involved helping out).  Considering I've been helped out through this site, I wanted to give back; I'm not here for the points. As for "a points-sniper", it wasn't my intent to steal your points; you should actually think before you post a comment. As for knowing the products better, I was thinking of a different firewall as I was helping someone else with their configs. I quickly stated that you were correct in your statement regarding the 5505. I'm not here to state I'm better or you're better.