Firewall recommendation

I am helping a client spec out a couple of new firewalls and was looking for recommendations here.

The client presently operates at one site with a SonicWall TZ-210.  There is a 100/20M Comcast connection for primary use and a T-1 line used in case the Comcast connection goes down.  There are about 20 users at the primary location.  We are looking at replacing the SonicWall as it is reaching End of Life status.

The primary site has VOIP phones that use the LAN to connect to the phone system (on site) which gets phone service through a PRI adapter.  They are seriously considering moving to an all VOIP system.

The client is adding a second location which is planned to have a fast connection through Comcast and a point-to-point T-1 for VOIP phones and for backup.  We will set up a VPN between the locations for general network access and for VOIP phone use.  If they go to a full VOIP arrangement (dropping the phone box at the primary location), the phones would likely get service through the internet connection and not through the VPN.  The fast (100/25) connection speed was selected not because of internet speed but for the speed between the two locations.  The 25M upload speed was the fastest available at these locations.

I've worked with the Cisco ASA 5505 somewhat and am giving it serious consideration here.  I'm very interested in comments about whether or not this would be suitable.  In addition, any recommendations about an alternative would be welcomed.

Consider the new Sonicwall TZ series. If a TZ210 was sufficient, a TZ300 should do the job. It has almost 4 times the throughput of the TZ210 with a starting list price of around $965. If you got two of these you could create a STS VPN and not have to worry about the connection. Failover for the two ISPs is provided, as is support for VOIP, and much more. Look here for more info:

Michael Ortega (Sales & Systems Engineer) Commented:
Stick with the Cisco ASA 5505. Better support and warranty options, plus your familiarity. You can do everything you do with the description you provided. Note that the 5505 only has a 100Mb interface on it, so going above the 100x25 speed is a no go unless you go to the 5512-x or better (big jump in price).

Also, on your VoIP setup, in relation to network configuration, you would definitely want your VoIP on a separate subnet/VLAN than the rest of your data network. It's good practice, but it's also necessary from a routing perspective if you hope to force voice traffic over the P2P link and data over the VPN connection. You'll also need to equip your ASA 5505s with a Security Plus license on both ends.

QoS/CoS/Traffic shaping/policing will not be necessary since you're pushing only voice traffic over the dedicated P2P link.


CompProbSolv (Author) Commented:
Thanks for the input.