
Firewall recommendation

I am helping a client spec out a couple of new firewalls and was looking for recommendations here.

The client presently operates at one site with a SonicWall TZ-210.  There is a 100/20M Comcast connection for primary use and a T-1 line used in case the Comcast connection goes down.  There are about 20 users at the primary location.  We are looking at replacing the SonicWall as it is reaching End of Life status.

The primary site has VOIP phones that use the LAN to connect to the phone system (on site) which gets phone service through a PRI adapter.  They are seriously considering moving to an all VOIP system.

The client is adding a second location which is planned to have a fast connection through Comcast and a point-to-point T-1 for VOIP phones and for backup.  We will set up a VPN between the locations for general network access and for VOIP phone use.  If they go to a full VOIP arrangement (dropping the phone box at the primary location), the phones would likely get service through the internet connection and not through the VPN.  The fast (100/25) connection speed was selected not because of internet speed but for the speed between the two locations.  The 25M upload speed was the fastest available at these locations.

I've worked with the Cisco ASA 5505 somewhat and am giving it serious consideration here.  I'm very interested in comments about whether or not this would be suitable.  In addition, any recommendations about an alternative would be welcomed.
2 Solutions
Consider the new SonicWall TZ series. If a TZ210 was sufficient, a TZ300 should do the job. It has almost 4 times the throughput of the TZ210 with a starting list price of around $965. If you got two of these you could create a STS VPN and not have to worry about the connection. Failover for the two ISPs is provided, as is support for VOIP, and much more. Look here for more info:

Michael Ortega, Sales & Systems Engineer, commented:
Stick with the Cisco ASA 5505. Better support and warranty options, plus your familiarity. You can do everything you do with the description you provided. Note that the 5505 only has a 100Mb interface on it, so going above the 100x25 speed is a no go unless you go to the 5512-x or better (big jump in price).

Also, on your VoIP setup, in relation to network configuration, you would definitely want your VoIP on a separate subnet/VLAN than the rest of your data network. It's good practice, but it's also necessary from a routing perspective if you hope to force voice traffic over the P2P link and data over the VPN connection. You'll also need to equip your ASA 5505s with a Security Plus license on both ends.

QoS/CoS/Traffic shaping/policing will not be necessary since you're pushing only voice traffic over the dedicated P2P link.

CompProbSolv (Author) commented:
Thanks for the input.