Small Business VPN/NAT/Firewall

Hobbzilla

Member
Apr 8, 2001
159
0
0
Okay, any hardware/software advice would be much appreciated. I know a tad about VPNs etc. but have never set one up. I work for a small company with ~15 employees. We are getting ready to split up our operations to have Retail/Main offices and Shipping/Receiving/Fulfillment in another location.

My question is obviously a DSL connection at both locations with a site-to-site VPN connection would suit us fine for the shipping dept to have access to shared directories, etc. and for the orders to be printed from the main office to the shipping's site shared printers. Both locations will also need internet access (NAT/firewall).

Has anyone ever set up something similar to this scenario? I would prefer to use a network appliance as opposed to setting up a Linux box on each side (I have a lot of other things to do too!). I have been looking at the Symantec VPN 100 and a couple of other cheaper VPN-supported firewall/routers. From my understanding, just because the router would support the VPN connection doesn't actually mean it issues and handles the VPN connection, so there would still need to be a software VPN connection made (built-in Win2k? client/server?).

Thanks for any advice & direction.
 

SuperTool

Lifer
Jan 25, 2000
14,000
2
0
I think the router just allows the VPN to pass through it. You still need the actual VPN client/server. That is my understanding of the issue. Now there might be routers with VPN servers built in, but most entry level routers have "VPN passthrough" only.
 

reicherb

Platinum Member
Nov 22, 2000
2,122
0
0
I can't speak about the Symantec solution but I have configured a couple of site to site VPNs using Cisco PIX500s with much success. They seem to be rock solid and also provide a good firewall. There are many other hardware options though many of which are cheaper.
 

mobly99

Senior member
Apr 27, 2001
260
0
0
The Symantec Firewall/VPN Appliance 100 and 200 will be a VPN endpoint for site-to-site VPN. The 200R supports client VPN sessions to it as well. The 200 and 200R also will load balance across 2 WAN connections. (Basically the Nexland Pro 800 Turbo painted yellow with different firmware to support the firewall and VPN features.)

Symantec Data Sheet

Nexland Pro Turbo 800
 

Daniel

Diamond Member
Oct 10, 1999
3,813
0
76
I've done site to site VPN with Sonicwall devices before, works like a charm now.
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
Yes, you should have ZERO problems with a couple of Sonicwall Pro 100 boxes.

I have a pro 200 @ work and an Original Soho @ home (well a flashed webramp=same thing). I don't allow netbios passthru as I don't need anyone connecting to my home pc on accident (except me). Works GREAT, the SW's are very easy to configure, maintain, proved very secure FW, and have been ROCK solid!

remember u will need different subnets at each site, but the sonicwall or PIX will provide the endpoints, so no software is needed, however u can use their appropriate software if u have any remote users who need to VPN in from home, or wherever.

Don't forget to use 3DES, the Sonicwall (and probably PIX, altho I never used them) have built in VPN accelerators to help speed up the encryption/decryption process.
 

Hobbzilla

Member
Apr 8, 2001
159
0
0
Do the SonicWall appliances allow the traffic to split depending on destination (www vs. LAN)? Or would all traffic from the fulfillment office go through the VPN tunnel to the main office and out from there? It seems silly to do it that way if I am not wanting to set up a single point of web monitoring etc. Does this make sense?
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
I believe so. go to www.sonicwall.com. They have a demo of their configuration browser that u can go thru and play with to see if it does what you want.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Hobbzilla, also consider the Linksys BEFVP41 (cheapest, but lacking in some features) and the Netscreen 5XP (or whatever lettered flavor of the month - these are higher-end units). Also consider a PC running OpenBSD or Linux (Google for Smoothwall and IPCop, canned distros trying to make setup easier).
 

topdavis

Junior Member
Mar 21, 2003
23
0
0
If you are looking for an integrated Firewall and VPN device, then you can also consider the Nokia IP series of Firewall and VPN devices. The Nokia appliances run the Checkpoint Firewall and VPN software. It sounds like the Nokia IP51, IP71, or IP120 might be the range of product that would suit your needs.

Nokia used to make an incredible VPN device called a crypto cluster. Unfortunately, they discontinued it. It was the fastest VPN device at the time and had unmatched failover and clustering capabilities, allowing the company to grow the VPN solution without forklift upgrades. Nokia is putting a lot of the technology into their IP series. It is something to consider, if future expansion might be an issue.

Personally, I am not a fan of the all in one box. Even with accelerator cards, you can cripple multi-purpose boxes once you find the packet size they have trouble with performing cryptography on. Also, if there is a compromise of one aspect of a multi-function box, the entire box can be compromised. You may want to consider going with a dedicated firewall and getting a small VPN only device. Avaya and Rapidstream make low-end devices with extremely acceptable performance, regardless of packet sizes. This way, you can perform maintenance and upgrades on separate devices and not fear crippling the entire system.
 

mcveigh

Diamond Member
Dec 20, 2000
6,468
6
81
I have had success with snapgear's line of vpn routers.

as you can see there are many options, I try to find one that works then use it everywhere
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
Go with SonicWall or Cisco PIX.

Site A LAN: 192.168.2.0/24
Router WAN IP: whatever your isp's dhcp server gives you.
Router LAN IP: 192.168.2.1

Site B LAN: 192.168.3.0/24
Router WAN IP: again, isp's discretion
Router LAN IP: 192.168.3.1

VPN LAN: 192.168.1.0/24
Router A VPN IP: 192.168.1.1
Router B VPN IP: 192.168.1.2

Granted that's 250-odd IP's left over in each of the three networks, but in your situation detailed subnetting really wouldn't serve any purpose.

The annoying thing is gonna be re-establishing your VPN every time one of your DSL IP's change. See if you can pay a bit extra for static.

Oh yeah, and connecting to a remote file server over DSL is going to kill the link. Even really good DSL connections only get like 512K of upload. If you got two or three people at site B trying to view a decent sized file on a fileserver at site A, site A's upload will be completely saturated and won't be able to get basic ACK packets back for anything else site A was trying to use its network connection for.
 

Hobbzilla

Member
Apr 8, 2001
159
0
0
All good information (not a suggestion to stop or anything)!! Thanks!

Bart, site B is really going to have 1 active user hitting the main LAN. Is DSL still going to pose a problem? Also, the majority of the work isn't going to be fileserving.. but our client-server backoffice program, Great Plains. Not having any experience with this is a thorn in my side. I don't really know what kind of performance to expect.
 

azev

Golden Member
Jan 27, 2001
1,003
0
76
Get sonicwall pro series and also make sure that your central office where the sonicwall pro is located can get a Static IP.

You can then set up each office on its own subnet and access them by ip address, after vpn tunnel is established; or u can use WINS server and enable netbios passthrough and you can access the remote computer/printer by name.

Sonicwall does not tunnel internet access to the central office; all computers will access the internet from their own gateway (reduces traffic on the central office/reduces VPN traffic in general).

I would recommend sonicwall against cisco because it is much easier to set up for a beginner. But then again, if you'd like to learn from trial/error, cisco has always been the most reliable network appliance.

Good Luck
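
The posts above call for a different subnet at each site and describe Internet traffic leaving through each site's own gateway rather than the tunnel. The following is an added example, not part of any post and not vendor code: it checks an addressing plan for overlaps and models that routing decision. The addresses are the ones Buddha Bart posted; the function names, the BAD_PLAN sample and the 203.0.113.10 test address are assumptions made for illustration.

```python
import ipaddress

# Addressing plan from the thread: name -> (subnet, router addresses on it)
PLAN = {
    "site_a": ("192.168.2.0/24", ["192.168.2.1"]),
    "site_b": ("192.168.3.0/24", ["192.168.3.1"]),
    "vpn":    ("192.168.1.0/24", ["192.168.1.1", "192.168.1.2"]),
}

# Constructed failure case: both sites left on the same subnet, so neither
# router can tell a "remote" address from a local one.
BAD_PLAN = {
    "site_a": ("192.168.1.0/24", ["192.168.1.1"]),
    "site_b": ("192.168.1.0/24", ["192.168.1.1"]),
}

def check_plan(plan):
    """Return a list of problems that would break site-to-site routing."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in plan.items()}
    for name, (_, routers) in plan.items():
        if not nets[name].is_private:
            problems.append(f"{name}: {nets[name]} is not private address space")
        for ip in routers:
            if ipaddress.ip_address(ip) not in nets[name]:
                problems.append(f"{name}: router {ip} is outside {nets[name]}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

def next_hop(src_site, dst_ip, plan):
    """Split-tunnel decision for a host at src_site.

    'local'    -> destination is on the host's own LAN
    'tunnel'   -> destination is in another subnet of the plan (via the VPN)
    'internet' -> everything else leaves through the site's own gateway
    """
    dst = ipaddress.ip_address(dst_ip)
    for name, (cidr, _) in plan.items():
        if dst in ipaddress.ip_network(cidr):
            return "local" if name == src_site else "tunnel"
    return "internet"

if __name__ == "__main__":
    print(check_plan(PLAN), check_plan(BAD_PLAN))
    for dst in ("192.168.3.20", "192.168.2.10", "203.0.113.10"):
        print("site_b ->", dst, next_hop("site_b", dst, PLAN))
```
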
 

Hobbzilla

Member
Apr 8, 2001
159
0
0
Well, I guess I am assuming that I would need the same router on both sides? The Sonicwall pro 200 looks like what most people are suggesting. Not quite out of my budget. I was hoping for something around $500 per LAN. But I guess you get what you pay for!
 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
If your Lans are small, then you can go with a pro 100 @ each site and pay for enough users/vpn connections to suit your needs.
I bet even a SOHO3 at each end would work ok as well.
 

bozo1

Diamond Member
May 21, 2001
6,364
0
0
Originally posted by: mboy
If your Lans are small, then you can go with a pro 100 @ each site and pay for enough users/vpn connections to suit your needs.
I bet even a SOHO3 at each end would work ok as well.

I'm curious why people are recommending the Pro100 or Pro200 models instead of the SOHO3? I have a couple of clients that we are about to put SOHO3's in for - the pro100 or 200 models seem way overkill for small offices ( < 20 users ) or am I missing something?


 

mboy

Diamond Member
Jul 29, 2001
3,309
0
0
You are pretty much correct on the SOHO3 for small 10-20 seat companies. The pro models have faster processors and come with some more stuff out of the box (as opposed to buying extra user/vpn licenses), support more concurrent connections (soho is 6,000, pro200 is over 20,000) only have 10vpns on the SOHO3 as well. I have a pro 200 @ work, but I have at least 70 pc's on my LAN and some VPN connections.
I am not sure the SOHO offers DMZ, so that is a VERY important feature if hosting any sites or public servers of any kind.

Great boxes tho
 