Cisco ASA site to site setup

Posted on 2011-10-17
Last Modified: 2012-05-12
Here is my current scenario. I have a Dallas sales office which has a domain controller and 10 computers. The Dallas site is connected to our main office (CFA) by a T1. Also, the Dallas site has a DSL modem just in case the T1 fails. The Dallas users simply VPN over the DSL connection to our Sonicwall VPN device if the T1 fails.

What I plan to do is to eliminate the T1 connection by buying an ASA 5510 and an ASA 5505. The 5510 will be located at CFA while the 5505 will be installed at the Dallas site. Also, our parent company is located in Japan. We use an AT&T Netgate router for secure connections from CFA to Japan. To eliminate the Netgate we thought about purchasing an ASA router for Japan as well.

My question is this: "Is my proposed setup correct?" The reasoning for the 5510 is that it allows for more VPN site to site connections than the 5505. However, I will only have at most three site to site connections (one to Dallas, one to Japan, and another connection to a sister company). Also, if we get rid of the T1 connection, would there be a redundant Internet connection if the site to site connection failed? I would still have the DSL modem in place, so I would guess that this would be my failover plan if one of the ASA routers failed.

At this time, I have not purchased the ASA routers. If you believe there is a superior product to the ASAs then please share your thoughts and give some real world examples of how it helped you or another IT professional accomplish their goals. Thanks for your time.
Question by: thef284

    Accepted Solution

    Cisco ASAs are good, but the SDM GUI is lacking some good commands that are only available from the CLI. So brush up on your CLI if you plan on going with Cisco.

    Sonicwalls are good enough to run S2S VPNs. TZ models have built-in S2S VPN modules. I ran all my remote sites with Sonicwall TZ 210s. I had good results with Sonicwall Bandwidth Management for QoS issues with VoIP. Cisco QoS was harder to set up.

    Now if the T1 circuit is to be eliminated, and there is no other ISP circuit available, you will have an outage for that office when the ISP circuit fails. Sonicwall TZ 200 series have 3G modem failover ISP backups, which is a good solution for inexpensive ISP failover backup service. Check with your local wireless vendors for 3G / 4G wireless ISP cost and coverage area.

    Assisted Solution

    Dependent on the quantity of hosts at each network and your available bandwidth, the 5505 might be sufficient for each site. To get WAN failover you would need to get the Sec Plus version.

    Cisco ASAs are not the cheapest or the most feature-rich VPN / firewalls, but for basic VPN configurations such as you have described they are fairly simple to configure and manage.

    Author Comment

    Shadowmantx: The TZ models look like a good candidate, but the NSA 240 from Sonicwall seemed to be a good appliance as well. Since we use a Sonicwall 2000 appliance currently, I am familiar and comfortable with the GUI and the layout is a lot more user friendly than the Cisco. Also, the 3G modem failover is a good idea as well.

    ArneLovius: Thanks for the input. The prices for the ASAs seem a little steep, so that's why I was asking about some other possible candidates. Also, it seems that the ASAs come in many flavors, which adds more cost to them in terms of wanting a box with malware/intrusion detection, firewall, VPN, and other functions.

    Expert Comment

    Although the marketplace is changing, and the "all in one" boxes are getting better, I haven't found one that I like. My main dislike is that all of the "all in one" boxes are weak in at least one area.

    Author Closing Comment

    Thanks for the advice. I definitely understand the differences between the ASAs and the Sonicwall appliances now.
