Cisco ASA site to site setup

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-05-12
Here is my current scenario. I have a Dallas sales office which has a domain controller and 10 computers. The Dallas site is connected to our main office (CFA) by a T1. Also, the Dallas site has a DSL modem just in case the T1 fails. The Dallas users simply VPN over the DSL connection to our Sonicwall VPN device if the T1 fails.

What I plan to do is to eliminate the T1 connection by buying an ASA 5510 and an ASA 5505. The 5510 will be located at CFA while the 5505 will be installed at the Dallas site. Also, our parent company is located in Japan. We use an AT&T Netgate router for secure connections from CFA to Japan. To eliminate the Netgate we thought about purchasing an ASA router for Japan as well.

My question is this, "Is my proposed setup correct?" The reasoning for the 5510 is it allows for more VPN site to site connections than the 5505. However, I will only have at the most three site to site connections (one to Dallas, one to Japan, and another connection to a sister company). Also, if we get rid of the T1 connection, would there be a redundant Internet connection if the site to site connection failed? I would still have the DSL modem in place so I would guess that this would be my fail over plan if one of the ASA routers failed out.

At this time, I have not purchased the ASA routers. If you believe there is a more superior product than the ASAs then please share your thoughts and give some real world examples of how it helped you or another IT professional accomplish their goals. Thanks for your time.
Question by:thef284

Accepted Solution

shadowmantx earned 1200 total points
ID: 36980835
Cisco ASAs are good, but the SDM GUI is lacking some good commands that are only available from CLI. So brush up on your CLI if you plan on going with Cisco.

Sonicwalls are good enough to run S2S VPNs. TZ models have built-in S2S VPN modules. http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare I ran all my remote sites with Sonicwall TZ 210's. I had good results with Sonicwall Bandwidth management for QoS issues with VOIP. Cisco QoS was harder to set up.

Now if the T1 circuit is to be eliminated, and there is no other ISP circuit available, you will have an outage for that office with the failed ISP circuit. Sonicwall TZ 200 series have 3G modem failover ISP backups which is a good solution for inexpensive ISP failover backup service. Check with your local wireless vendors for 3G / 4G wireless ISP for cost and coverage area.

Assisted Solution

ArneLovius earned 800 total points
ID: 36980983
Depending on the quantity of hosts at each network and your available bandwidth, the 5505 might be sufficient for each site. To get WAN failover you would need to get the Sec Plus version.

Cisco ASAs are not the cheapest or the most feature rich VPN/Firewalls, but for basic VPN configurations such as you have described they are fairly simple to configure and manage.

Author Comment

ID: 36981443
Shadowmantx: The TZ models look like a good candidate, but the NSA 240 from Sonicwall seemed to be a good appliance as well. Since we use a Sonicwall 2000 appliance currently, I am familiar and comfortable with the GUI and the layout is a lot more user friendly than the Cisco. Also, the 3G modem failover is a good idea as well.

ArneLovius: Thanks for the input. The prices for the ASAs seem a little steep so that's why I was asking about some other possible candidates. Also, it seems that the ASAs come in many flavors which adds more cost to them in terms of wanting a box with malware/intrusion detection, firewall, VPN, and other functions.

Expert Comment

ID: 36981771
Although the marketplace is changing, and the "all in one" boxes are getting better, I haven't found one that I like. My main dislike is that all of the "all in one" boxes are weak in at least one area that is "weak".

Author Closing Comment

ID: 36982892
Thanks for the advice. I definitely understand the differences between the ASAs and the Sonicwall appliances now.

Question has a verified solution.