
Does anyone have any experience migrating from a Cisco PIX to a so-called non-enterprise grade firewall/router/vpn?

I'm a non-networking professional (developer) who flunked the CCNA (only got a 730) and find myself missing the ease of configuration you get with home firewall/router products.

The environment is a small office with a remote office.

As far as I can tell, the D-LINK DFL-CPG310 will do what we need:

  • Site to Site VPN (to connect the remote office to the local office)
  • DHCP Server (unlike the PIX you don't pay extra for licenses)
  • Will route packets into and out of the originating interface (so home users connected to the local office by VPN can see resources on the remote office's LAN). PIX wouldn't do this.
  • VPN Server (vista support would be a nice plus)
  • Built-in DMZ support.
  • Web based configuration interface (would prefer one that did not have a command-line as an option as a way to guarantee everything can be configured via web)
  • syslog support. So we can dump a continuous stream of logs to a PC until we need the hard-drive space and delete them.
  • Access controls with enough power to be useful. E.g., we can block access to a site or block access entirely by MAC Addr without ever writing a single ifconfig-like line.
  • A website with a link to the user manual.

Things we don't need:

  • A serial port interface. For anything in any way.
  • Separate VLANs. We're all one big happy subnet.
  • TFTP support. We'll just upload config backups by browser.
  • 24x7 tech support. By the time they send someone it would have been cheaper to buy a replacement.
  • A website with dozens of links to dozens of tips that aren't relevant.
  • Separate installation, configuration, maintenance and upgrade guides each of which is as long as a medium sized novel.
  • A separate command reference that's longer than the bible.

I'm open to any other products people have had success with.

Shea

4 Answers

Most SMB products have the features you describe. I think even the newer versions of the Cisco PIX have web-based configuration interfaces, but it's not quite as slick as those from companies that engineered their products from the ground up to be used by SMBs.

Other firewall manufacturers that you may want to check out include:

Sonicwall (their TZ series)

Checkpoint (their Safe@Office line)

David Yu

I would still recommend you stick with the Cisco product. I realize it has several features that you don't say you need, but you get a level of reliability that is second to none. You could go for something like a Cisco ASA 5505, which isn't very expensive, relatively speaking. The ASDM interface is quite easy to use; with your attempted CCNA you probably have an advantage over many people that have set up devices like this in the past. The Cisco VPN client is compatible with Vista but is a bit finicky. Running a site-to-site VPN between your remote offices would allow you to share resources between the offices and with home users that VPN in.

That's my opinion, for exactly what it is: an opinion. I have two 5505s that have at least 6 months of uptime at the moment, and that's what I am basing this recommendation on.

user10711

A Cisco PIX is overkill for many scenarios -- but since you have it in-house -- I would recommend keeping it in place. That being said -- if the maintenance cost (having someone configure it for you) makes it worth replacing with a SOHO router, and you are aware of the tradeoffs of that, and comfortable with SOHO performance and occasional reboots, then go for it.

SirStan

I have used the Linksys (now Cisco Small Business, but don't let that scare you) RV042 routers to do everything you need to do with great success.

The model I went with was the RV042 which is a 4 port model for about $200 each (last I checked).

Like I said, it does everything. I connect the main office to 3 branch offices with it, using the built-in VPN to VPN between the routers. All offices are on the RV042.

It's easy to configure, 100% by web browser. I'd switch to it, even though you have the PIX now; I suspect this will save you hours of configuration in the future and hence pay for itself.

I'll use these until they stop making them. I've never had an issue with them, and have had about a total of 10 running over the years, with 4 currently. (Downsizing, fewer branch offices now.)

  • Site to Site VPN (to connect the remote office to the local office)

    YES - I use this, IPSec, easy to configure

  • DHCP Server (unlike the PIX you don't pay extra for licenses)

    YES - This is the DHCP for the network, up to 255 computers

  • Will route packets into and out of the originating interface (so home users connected to the local office by VPN can see resources on the remote office's LAN). PIX wouldn't do this.

    Can't confirm this, since I don't need it, but you can set up routing rules so likely this can be done; I had to do something similar to get workstations to see the Exchange server.

  • VPN Server (vista support would be a nice plus)

    YES - PPTP using the included windows client or an IPSec using the Linksys quick VPN (but I've had less success getting this to work)

  • Built-in DMZ support.

    YES - has a separate WAN port for this; the 2nd WAN port can be DMZ or a second ISP connection

  • Web based configuration interface (would prefer one that did not have a command-line as an option as a way to guarantee everything can be configured via web)

    YES - I've never used the command line for this

  • syslog support. So we can dump a continuous stream of logs to a PC until we need the hard-drive space and delete them.

    I think so, but I've never had to do this; looking at the logging screen, it seems like it can.

  • Access controls with enough power to be useful. E.g., we can block access to a site or block access entirely by MAC Addr without ever writing a single ifconfig-like line. A website with a link to the user manual.

    YES - MAC Address, IP access, to sites, etc. I also don't use my ISP's DNS servers but instead use OpenDNS ones and block access that way. You can use a DHCP from your ISP and setup static DNS servers to override your ISPs. I've blocked specific computers while giving the rest of the office access.

SpaceManSpiff
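The "syslog to a PC" requirement that comes up in the question and in the last answer needs something on the PC side that listens on UDP/514, understands the `<PRI>` header a firewall prepends, and caps disk use. Below is an added example of such a collector, not code from the original post, from Linksys/Cisco, or from any of the posters. The sample lines are constructed in RFC 3164 style, the hostnames and addresses (`fw01`, 192.0.2.x, 203.0.113.x, 198.51.100.x) are documentation placeholders, and the file names and the rotation policy are assumptions made for the example.

```python
"""Minimal syslog collector for firewall logs (added example, not from the page)."""
import os
import re
import socket
import tempfile
from typing import List, Optional, Tuple

# Constructed sample datagrams in RFC 3164 style; not captured from a real device.
SAMPLE_LINES = [
    "<134>Mar 10 12:00:01 fw01 kernel: DROP IN=WAN SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    "<132>Mar 10 12:00:02 fw01 vpn: IPSec SA established with peer 198.51.100.7",
    "garbage without a PRI header",
]

# <PRI> is facility*8 + severity, so the valid range is 0..191 (facility 0..23).
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_pri(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (facility, severity_name, message) or None if the header is absent/out of range."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, SEVERITY[pri % 8], m.group(2)


class RotatingSink:
    """Append to `path`; once it reaches max_bytes, shift path -> path.1 -> ... -> path.N,
    dropping the oldest, so disk use stays bounded at roughly (N + 1) * max_bytes."""

    def __init__(self, path: str, max_bytes: int = 50 * 1024 * 1024, backups: int = 5):
        self.path, self.max_bytes, self.backups = path, max_bytes, backups

    def _rotate(self) -> None:
        oldest = f"{self.path}.{self.backups}"
        if os.path.exists(oldest):
            os.remove(oldest)
        for i in range(self.backups - 1, 0, -1):
            if os.path.exists(f"{self.path}.{i}"):
                os.replace(f"{self.path}.{i}", f"{self.path}.{i + 1}")
        if os.path.exists(self.path):
            os.replace(self.path, f"{self.path}.1")

    def write(self, line: str) -> None:
        if os.path.exists(self.path) and os.path.getsize(self.path) >= self.max_bytes:
            self._rotate()
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(line.rstrip("\n") + "\n")


def ingest(sink: RotatingSink, raw: str, source: str) -> bool:
    """Store one datagram, tagged with the sender; malformed input is kept but flagged."""
    parsed = parse_pri(raw)
    if parsed is None:
        sink.write(f"{source} UNPARSED {raw}")
        return False
    facility, severity, msg = parsed
    sink.write(f"{source} facility={facility} severity={severity} {msg}")
    return True


def serve(sink: RotatingSink, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Blocking UDP receive loop. Port 514 needs root on Unix; pick e.g. 5514 otherwise and
    point the firewall's syslog setting at this host and port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (addr, _) = s.recvfrom(8192)
            ingest(sink, data.decode("utf-8", errors="replace"), addr)


def demo(directory: Optional[str] = None, max_bytes: int = 1, backups: int = 2) -> Tuple[int, List[str]]:
    """Feed SAMPLE_LINES through a tiny sink (max_bytes=1 forces a rotation on every write)
    and return (lines parsed OK, sorted log file names present) to show the bound holds."""
    directory = directory or tempfile.mkdtemp()
    sink = RotatingSink(os.path.join(directory, "fw.log"), max_bytes=max_bytes, backups=backups)
    ok = sum(ingest(sink, line, "192.0.2.1") for line in SAMPLE_LINES)
    return ok, sorted(f for f in os.listdir(directory) if f.startswith("fw.log"))


if __name__ == "__main__":
    print(demo())
```

Run `serve(RotatingSink("/var/log/fw/fw.log"))` (or a non-privileged port) on the log PC and enter that PC's address in the router's syslog page; `demo()` shows offline that three datagrams with `max_bytes=1, backups=2` never produce more than `fw.log`, `fw.log.1` and `fw.log.2`. UDP syslog is unauthenticated and unacknowledged, so restrict the listener to the LAN and treat gaps in the file as possible, not impossible.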