Choosing a Cisco router/firewall
MacGuffin
Member Posts: 241 ■■■□□□□□□□
in CCNA & CCENT
I'm looking for a router to serve two goals. The primary goal is to choose a router/firewall for a customer, the secondary goal is to get hardware that will assist in my Cisco certification studies. The customer is not completely pleased with his current provider of e-mail and web services and has approached me asking if I can make a better offer. One plan I have is to set up a system in my basement that would connect to the local cable internet service provider.
So, the concern is if I am picking the correct hardware for the task. There's a lot of choices for the router and I want to make sure I pick the right one for the customer. I'm thinking that along with web and e-mail I'd have a system that provides a secure means to back up the company laptops, I'm thinking VPN to a file server, since the client recently had an "issue" with the files on his laptop. I took a look at what cablesandkits.com has and they have "CISCO2811-SEC/K9" and "CISCO2801-SEC/K9" described as a Cisco router with security bundle for about $300. Cables and Kits also have a HWIC-CABLE-D-2 adapter card for about $350.
Am I looking at the right equipment for my client? I think I am, I just want someone to check my work. I'm thinking the router with the security bundle should provide VPN services for any Mac OS or Windows laptop for file backups. I could go cheaper with a router that does not have the security bundle, have the VPN service provided by the same computer that does the file services. The assumption is that the router would give better performance and security. A router without the security bundle would be about half the cost of one with it.
I'm still trying to get an idea on how much the customer wants to spend. I'll provide three choices for the cable modem, pick up a modem from Best Buy for about $100, get the Cisco router and cable modem card for about $500, or get the Cisco router with security bundle and cable modem card for about $700.
Like I said, I think I got a handle on what the routers can do, I just want some verification before I make a $700 mistake.
MacGuffin - A plot device, an item or person that exists only to produce conflict among the characters within the story.
Comments
-
MacGuffin Member Posts: 241 ■■■□□□□□□□
No bites so far. Perhaps I was a bit too wordy before so I'll try to ask the same question in another way.
I'm seeking a Cisco router that has a DOCSIS compatible interface and at least one ethernet port. Gigabit ethernet is preferred as is having two ethernet ports. The router has to provide basic firewall capability at a minimum, it would be nice if it had some sort of VPN capability so that someone on the internet can tunnel into the LAN side for secure file transfer, administration, and other communications. Will a Cisco 2800 series router do what I require?
-
Jon_Cisco Member Posts: 1,772 ■■■■■■■■□□
Sorry I don't have any practical experience to answer this question.
It seems you're trying to set up secure hosting at your home but also looking to use the equipment to learn on. I think that will discourage responses. I would not suggest using live equipment for your studies.
-
ande0255 Banned Posts: 1,178
I would definitely suggest rolling a SMARTnet contract with Cisco into the price you're providing to the customer for Cisco TAC support. If that router goes down and you are not able to fix it on your own, you are going to have one extremely irate customer on your hands.
That being said, I'd say the 2811 you describe is a good solution, but again verify with Cisco the price of getting a contract on that equipment before making any purchase.
-
MacGuffin Member Posts: 241 ■■■□□□□□□□
"I would not suggest using live equipment for your studies."
I'll be using this router in my studies to the extent that it is a real world practical application of my skills. It will not be a part of my lab kit.
I've found that what skills I don't use every day will be lost. I'm thinking that choosing a Cisco router for this role would force me to interact daily, or nearly so, with Cisco equipment. I can make the argument to my customer that since the router is enterprise class stuff that it makes his data that much more protected from loss or theft. The primary goal is doing what is right for my customer, any secondary benefit to my studies is just a bonus.
-
f0rgiv3n Member Posts: 598 ■■■■□□□□□□
Personally I'd go for a Cisco ASA for this purpose. I've configured an ASA with passthrough authentication from the ISP before and used the modem only for the actual conversion piece. The ASA is made for the exact scenario you describe, VPNs, firewall, ISP connectivity.
-
MacGuffin Member Posts: 241 ■■■□□□□□□□
"Personally I'd go for a Cisco ASA for this purpose. I've configured an ASA with passthrough authentication from the ISP before and used the modem only for the actual conversion piece. The ASA is made for the exact scenario you describe, VPNs, firewall, ISP connectivity."
That sounds like a good idea. Problem is that I know next to nothing about Cisco ASA products. If someone would be so kind to answer some very basic questions I'd appreciate it.
It looks like only the ASA5505 would be in my price range, tell me about it. I see it has an expansion slot of some kind, can I put a cable modem card in there? What about configuring it? How does the operating system differ from that in the 2600 series routers I have now? If it's too different than what I'm familiar with then I can't recommend it to my customer. I thought of getting one, or something similar, for my CCNA-Security studies at some point. I'm not sure I'd be comfortable relying on it as production equipment until I know more about it.
Getting back to what ande0255 said about a support contract. How would I go about getting one? Anyone have some sort of idea on how much it would cost? Would it be something like $10/month? Not sure I can justify much more than that to my customer.
-
EV42TMAN Member Posts: 256
SMARTnet contracts for the ASAs start at $100 a year and go up from there based on the model of the device and its feature set. Also the 5505 50 or unlimited host model will probably work fine for your client. You don't have to be an ASA CLI junky to configure them. If you buy a new one you can follow the quick start guide and get connected to the firewall through the ASDM. If you do, then you'll have wizards you can follow that can help you set up the device.
For the overall setup you're doing I'd take a step back and look at it this way. Most ISPs' business internet connections require you to use their modem so they can guarantee service, so I wouldn't waste time quoting cable modem cards etc. If you're debating using used equipment it tells me something isn't lining up correctly, either a budgeting or planning issue. In a business production environment I wouldn't use used equipment unless it was my only option. It's a liability nightmare. Personally when I'm working with clients I recommend Cisco or Watchguard depending on budgets. Honestly with the information you've posted so far I'm willing to make a bet that a Watchguard XTM 25 would work just fine and it's around $350 brand new, which is at least $100 cheaper than the comparable ASA 5505. We get that you want to learn Cisco but most small to medium don't use Cisco so you'll have to take that into account for the future.
Current Certification Exam: ???
Future Certifications: CCNP Route Switch, CCNA Datacenter, random vendor training.
-
MacGuffin Member Posts: 241 ■■■□□□□□□□
That's good info EV42TMAN, thank you. I'm still trying to figure out what the guy wants and what he's willing to pay for it. I also have to offer him what I know, that means Windows, Mac OS, and Cisco. Last I talked with him he seemed very concerned about security so I thought I'd give him an option that included enterprise level security, if only to show that it costs enterprise level money.
You are probably right about the ISP wanting to specify what modem connects to their network. I'll have to investigate that further. I mentioned used Cisco equipment not just because of price but because I know where to get it. I found places that sell new Cisco gear so I'll take another look to get an idea on pricing.
Sounds like both the Cisco 2800 series and ASA 5505 will do what I want. I can also make use of the software firewall that is part of Windows Server or Mac OS X Server, depending on what the customer wants. Looking at consumer level cable modems available it seems even many of those will have routing and firewall capability, I can just specify one of those.
I have a better idea on where I'm going but I'm still open to any suggestions.