Router + firewall suggestions for new office

phoeneous

We are opening a new office in the next month and I need to get a router and firewall. Initially my plan was to just get either a 1700 series or 2600xm series and a pix 506 but Im open for suggestions. Internet will be a basic 1.5 t-1. No more than 20 users in the building. No VoIP. Budget for both devices is under $500. Switch will most likely be a 2950G-48-EI. Thoughts?

hypnotoad

phoeneous wrote: »

We are opening a new office in the next month and I need to get a router and firewall. Initially my plan was to just get either a 1700 series or 2600xm series and a pix 506 but Im open for suggestions. Internet will be a basic 1.5 t-1. No more than 20 users in the building. No VoIP. Budget for both devices is under $500. Switch will most likely be a 2950G-48-EI. Thoughts?

ASA 5505 runs the newest software and is a lot easier to use than the older PIX software. An ASA 5505 is < $500. Go with one of those and a 1700/800/2600xm.

phoeneous

This looks good:

Cisco ASA5505 Security Device Bundle, ASA5505-BUN-K9, NEW

hypnotoad

Yep. If the upstream device is ethernet (such as a cable modem or DSL), and you don't need to run a dynamic routing protocol, you could just use an ASA without a router, but since you mentioned a T1, you'll need something more than the ASA.

tiersten

phoeneous wrote: »

This looks good:

Cisco ASA5505 Security Device Bundle, ASA5505-BUN-K9, NEW

It only has 10 user licenses in that bundle and you said you've got up to 20.

chrisone

Since you have 1,000 to play with, you can make a solid network without redundancy though. At least you will have a 2960 48ports switch, an ASA 5505 50 user base license, and a 2600xm router. That should be more than enough for 20 users.

With a 48 port switch and now the ASA you can now guarantee the company future growth. You have the port desnsity and the security capabilities to add on new users. Just keep in mind the 1.5t1 is still a bottle neck for 10 people.

Here is another scenario/design you can do. Ditch the T1 and get a DSL 6mb or 3mb. You dont need Synchronis DSL since you dont need to run voice, just get ADSL 6mb and you can now ditch the router since you wont need it anymore.

1. ADSL 6mb
2. ASA 5505 50 user license
3. 2960 48 port switch
4. Save company money "most important"
5. Room for future growth!

tiersten

chrisone wrote: »

Since you have 1,000 to play with

Isn't it $500 for both instead of each?

rwwest7

2610xm
ASA 5505 with 50 user license
any 24 port switch off the shelf


With just 20 users wouldn't a 2960 or up be overkill.

JSK

With that budget I really don't see any other option except buying a used router and PIX.

earweed

Even if he had 1,000 the proposed setup he's given is more than that.

phoeneous

tiersten wrote: »

Isn't it $500 for both instead of each?

Yeah, $500 total.

I've never configured an asa before and I thought the licensing was strictly for vpn users. Should I assume it is for any internal ip based device that needs to pass through the firewall or concurrent tcp/ip sessions?

I havent been given details yet from the isp but since it is a t1 my guess is they will run ppp.

Because of budget constraints, what do you think about just using the 1700 or 2600 ios firewall instead?

As far as growth goes, the building can only hold 20 people so scalability isnt a huge factor. And this office will be completely stand alone and seperate from our hq, no point to point in the future.

Kaminsky

Think about lunchtime and it's raining outside in middle of winter and all 20 users stay in and browse the internet. Do you think the 1721 and the pix will cut it ?

phoeneous

Kaminsky wrote: »

Think about lunchtime and it's raining outside in middle of winter and all 20 users stay in and browse the internet. Do you think the 1721 and the pix will cut it ?

Good point. That's why I started this thread for suggestions. This'll be the first time I've put wan equipment into a production environment completely on my own.

We havent signed anything with the isp yet so I can still ask for 6mb adsl and ppoe that to the asa. Then from the asa to the 2950g.

kalebksp

If you're not going to go with a T1 I would look at an 800 series router, I find them to be more flexible than an ASA and they don't have a per device license. You might even have enough money left over to get a SMARTnet contract, I'm not a fan of using improperly licensed IOS/ASA software in a business.

Kaminsky

One thing to consider when buying kit for this project is what support do you have if you buy it cheaply and what happens when that second/third/fourth hand kit finally gives up the ghost just when the site manager needs to send off his weekly report to the area boss. Who will they point at when it all goes horribly wrong and you have to justify your installation? I've had brand new 3750Gs go fizzle in my face and I don't know if you've ever looked inside one of those but everything is soldered in and when it is dead... it is dead and it is not coming back no matter how small a screwdriver you have! Luckily I had a 4 hour turn around with Cisco. If you bought it cheaply to save on the installation costs and have the higher ups say "oh wow.. look how cheaply it can be done", what support would you have?

What I am getting at is in your enthusiasm to get this done cheaply, you could really be setting yourself up for a fall long term if it messes up. That office dies and further up the chain they will be asking which fekin idiot got us into this mess when they are down for two weeks (guarentee no loyalty from your line manager at this point) whilst you scan ebay for another like device?

Your only hope would be an email from your line manager instructing you to do it on the cheap. Drop the risks into a reply and when you get the reply go ahead .... laminate it!

If your are going to start getting into production design and implementation, which is basically what this is, make sure to cover your back and invisage the worst case scenario at all times. Don't let your enthusiasm cause you to be an easily expendable scapegoat.

phoeneous

I know what your're saying, the $500 budget isn't my idea. I want to put in a 2801 and a 2960. I'm hoping to persuade them to increase the budget.

chrisone

tiersten wrote: »

Isn't it $500 for both instead of each?

ahhh i read the original post wrong. Wow 500 is pretty low haha. I still feel if you get a ADSL instead of a t1 you can still buy a ASA5505 and a 2960. ASA should run you around 350 on ebay and a 2960 should be around 100 bucks. You wont need a router if you get ADSL.

like kaminsky said, make sure you highlight the fails of such a design due to the budget and frame it for them after they signed off on the notice.

peanutnoggin

kalebksp wrote: »

If you're not going to go with a T1 I would look at an 800 series router, I find them to be more flexible than an ASA and they don't have a per device license. You might even have enough money left over to get a SMARTnet contract, I'm not a fan of using improperly licensed IOS/ASA software in a business.

I agree with kalebksp. If you're not going to go with a T1, then get an 800 series router with a SMARTnet contract. It is designed to be the "all-in-one" device in which you are looking for. If you have to have a T1, I would then suggest you get a 2651XM with the appropriate cards, then you can run the IOS Zone Based Firewall (which is pretty nifty) for a small office. You'll have the ability to do VPN tunneling and probably everything else you need for a 20 user setup. With this, I would also suggests (as many others have stated) you emphasize to your management that $500 is not a lot for what they want you to do! Be sure that they completely understand that you will probably have to buy used equipment at that price with no service contract or warranty. HTH.

-Peanut

tech-airman

phoeneous wrote: »

We are opening a new office in the next month and I need to get a router and firewall. Initially my plan was to just get either a 1700 series or 2600xm series and a pix 506 but Im open for suggestions. Internet will be a basic 1.5 t-1. No more than 20 users in the building. No VoIP. Budget for both devices is under $500. Switch will most likely be a 2950G-48-EI. Thoughts?

phoeneous,

What network infrastructure does the upstream headquarters have? WAN link? VPN endpoint? Other?

phoeneous

tech-airman wrote: »

phoeneous,

What network infrastructure does the upstream headquarters have? WAN link? VPN endpoint? Other?

ASA 5510, 2811, 2960's. But I mentioned in a post above that this new office will be completely seperate and will never be connected to hq.

I'm speaking with head honcho tomorrow. I'm going to pitch an 871 and a 2960.

johnwest43

1721 and a pix 506e. Should be able to get both with WIC card for under 400.

networker050184

I'd go with a Linksys switch or something to go with the 800 series. It will keep your budget down and with only 20 users I doubt there is much need for more than basic VLANs.

ilcram19-2

phoeneous wrote: »

ASA 5510, 2811, 2960's. But I mentioned in a post above that this new office will be completely seperate and will never be connected to hq.

I'm speaking with head honcho tomorrow. I'm going to pitch an 871 and a 2960.

yeap 871 and 2960 would be better choice, not matter how much i keep trying to like the ASA to me they are still limited i took both of the cisco ASA tests and i couldnt fall for them
good features but still go with an ISR

phoeneous

According to isp, dsl is not available in that area. They can do broadband or a t1.

tiersten

phoeneous wrote: »

They can do broadband or a t1.

Broadband being what?

phoeneous

tiersten wrote: »

Broadband being what?

Cable modem.

Budget was increased to $2000. Now I'm looking at a 1921 and a 2960.

earweed

That's a big budget shift.

JSK

Yeah, but it was the right decision.

Heero

phoeneous wrote: »

Cable modem.

Budget was increased to $2000. Now I'm looking at a 1921 and a 2960.

You can probably get a business class cable connection + a DSL backup connection for less than the price of one T1, plus it is much faster. I pushed my Dad to do this for his workplace because they were just crawling on a T1. I offered to set it all up, but they have a consulting company they do everything with. Ended up with a 600 dollar FreeBSD box setup as firewall/router and for WAN failover. They are very happy about switching over from T1.

My suggestion though is get a backup line, because even business class cable has a pretty shitty SLA compared to T1.

phoeneous

Thoughts on Cisco1921-T1SEC/K9? My vendor is trying to sell me the router and vwic2 card seperately.

johnwest43

with that budget go with a router of your choice and a asa 5505 unlimited user bundle.