
Currently I'm trying to structure our network to fully support and be redundant with BGP/multihoming.

Our current company size is 40 employees but the major part of that is our Development department. We are a software company and continued connection to the internet is a requirement as 90% of work stops when the net goes down.

The only thing hosted on site (that needs to remain up) is our exchange server.

Right now I'm faced with 2 different directions and was wondering if I could get your opinions on this.

We will have 2 ISPs that are both 20meg up/down and dedicated fiber (so 40megs combined). This is handed off as an Ethernet cable into our server room.

ISP#1: First Digital; ISP#2: CenturyLink.

We currently have 2x ASA5505s, but the 2nd one is not in use. It was there to be a failover, and it just needs the Security Plus license to be matched with the primary device. But this depends on the network structure.

I have been looking into the hardware that would be required to be fully redundant, and I found that we will need either of the following.

2x Cisco 2921+ series routers with failover licenses. They will go in front of the ASAs and either connect in a failover state, or 1 ISP into each of the 2921 series routers and then 1 line into each of the ASAs (thus all 4 hardware components will be used actively). So: 2x Cisco 2921+ series routers, 2x Cisco ASA5505 firewalls.

The other route is 2x SonicWall NSA2400MX series: 1 primary, and the secondary will be in a failover state. This will remove the ASAs from the network and be about 2k cheaper than the Cisco route. This also brings down the points of failure because it's just the 2x SonicWalls. It will also allow us to scale all the way up to 200-400 users (depending on their configuration). This also makes so the Sonic walls.

So the real question is: with the added functionality etc. of the SonicWall, is there a point in paying so much more to stay the Cisco route?

Thanks!

Lbaker101
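The second Cisco layout in the question (one ISP into each 2921, then one line from each router into each ASA) is normally built as an eBGP session from each router to its ISP, an iBGP session between the two routers, and HSRP on the inside interfaces so the ASAs see a single gateway address. The configuration below is an added illustration of that layout, not configuration from the original post or from either vendor. The AS numbers (65001, 65100), the addresses (RFC 5737 documentation ranges) and the /24 are placeholders; in practice the AS number and provider-independent block come from the RIR and the peering addresses and ISP AS numbers come from each provider.

```cisco
! Router A (hypothetical): peers with ISP#1, is HSRP active toward the ASAs.
! Router B is the mirror image: same AS 65001, peers with ISP#2, lower
! HSRP priority, and the iBGP neighbor statement points back at Router A.
hostname rtr-a
!
! Only ever advertise our own block; only ever accept a default from the ISP.
! The outbound filter is what keeps AS 65001 from becoming transit between
! the two ISPs; the inbound filter keeps the routing table small.
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
interface GigabitEthernet0/0
 description Uplink to ISP#1 (placeholder point-to-point /30)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside segment toward the ASA pair
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! If the ISP#1 uplink goes down, drop priority below Router B (100)
 ! so Router B takes over the 203.0.113.1 gateway address.
 standby 1 track GigabitEthernet0/0 20
!
interface GigabitEthernet0/2
 description iBGP link to rtr-b
 ip address 10.0.0.1 255.255.255.252
!
! Discard route so the aggregate is always present for the network statement.
ip route 203.0.113.0 255.255.255.0 Null0 250
!
router bgp 65001
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 description eBGP to ISP#1
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 prefix-list OUR-PREFIX out
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 description iBGP to rtr-b
 neighbor 10.0.0.2 next-hop-self
```

With this in place the ASAs are configured with 203.0.113.1 as their default gateway and never need to know which router or ISP is carrying traffic. Loss of a router or an ISP circuit is handled by HSRP on the inside and by BGP withdrawing the route on the outside; the one thing the layout does not cover is an ISP link that stays up at layer 2 while forwarding nothing, which is why operators usually add BFD or an IP SLA check on the eBGP session rather than relying on interface tracking alone.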

2 Answers


I like to separate the roles of each device. I'd go with the Cisco route. The reason being that I like to keep the firewall doing firewall duties and the router doing routing duties. It's also easier to troubleshoot.

Are you also getting smartnet? Support with Cisco has been great for us when we need to talk to TAC.

I'm not sure what the traffic is like on your network, but the 5505s would be a concern for me, especially if you are planning to scale up to 200-400 users. Memory on the 5505s is 512 MB.

Rowell
  • I totally agree. We do not have smartnet coverage right now, but that will probably change if we keep them on our network. And yes, the RAM limitations would be a concern if we cranked on tons of users, so the Cisco route is not nearly as scalable but 2-3k more. Plus the smartnet costs a lot more. – Lbaker101 Nov 10 '11 at 17:37
  • I think if you want to be fully redundant I would do 2x routers and 2x firewalls, even if you were to get 2x Cisco routers and 2x SonicWalls to save on price. It would be best to isolate the roles between the firewall and the router. How do you feel about Juniper routers? – Rowell Nov 11 '11 at 07:07

We have had nothing but trouble with SonicWall when our customers have used it to provide us with remote support VPN access. These issues ranged from difficulty with getting client software to work to connections dropping or performing poorly despite following best practices. When customers were using Cisco ASAs we had no such issues.

When we set up our own corporate network, we considered both SonicWall and Cisco ASA and went with the Cisco ASA for a number of reasons:

  1. Lower TCO and training cost, since the Cisco ASA provides a consistent configuration experience as all gear uses IOS
  2. Better business continuity and disaster recovery story as we could have onsite support from a larger variety of local enterprises and consultants
  3. Easy client setup for remote employees

In my opinion, $2,000 is barely worth thinking about as a savings unless you have a very small network and all else remains equal. With the added cost of managing a multi-vendor environment in both operations and training, those savings would quickly evaporate.

Alain O'Dea
  • Thank you for your post!! I'm thinking that may be the best direction to go, but with the ASA5505 series they only block ports, vs. content filtering, and this and individual user tracking (what IP is doing the most traffic etc.) and user bandwidth controls are what set them apart. Of course, if they are really glitchy then it's not really all that worth it... – Lbaker101 Nov 15 '11 at 22:38