Best Site-to-Site VPN Solution for WFH Engineers

Recently upgraded our firewall to a Palo Alto NGFW from a very old Cisco ASA. We have 4 WFH engineers that are using ASA 5505 for a site-to-site VPN. Their work requires them to be able to connect multiple types of devices through the ASA to hit the internal network.

First thought was just grabbing them all a PA-220, but I’m wondering if that’s overkill for this.

What solution do you think would be best for this scenario?

PA-220 is getting rather long in the tooth. If you go the Palo Alto route I would suggest a PA-410 instead, or PA-415 if PoE is desirable, set up as GlobalProtect satellites. If you have it you can use Panorama to manage everything centrally.

Juniper SRX300 or SRX320 are another option. The latter has a PoE variant available. I have deployed a number of these to good effect, each running BGP over a pair of IPSec tunnels landing on disparate Palo Alto boxes.

Create an IPsec tunnel between the PA and the ASA. Or, for standardisation, buy small PA appliances (220 or 410) for the WFH sites.

New design: use SD-WAN.

PA-410 (415 if you need local logging) and GlobalProtect Satellite, or standard S2S IPsec.

Alternatively, a router and some route-based IPsec tunnels suffice as well. Depends on what you want.

If I wanted a pain-free, plug-and-play life I would entertain getting a Meraki MX and some Z3, Z3C etc. and give them the Zx to take home and just plug in. They then get an SSID and multiple GbE ports to connect stuff to. You would just run the MX for the teleworkers, potentially hanging it off a dedicated zone on the new PA.

Many wireless controllers also provide similar functionality like Cisco OEAP on the WLCs.

Personally I use a MikroTik or RUT and WireGuard it into the network, but any old Linux PC with enough NICs (or outputting onto a separate switch) will do.

However, there are of course issues with MTU sizes, and I’ve never managed to get PIM working reliably over WireGuard (my on-prem WireGuard is a Linux VM), so it depends exactly what you want.

Any reason for not using a VPN client on their machines?

Why, exactly, can’t they just use a client VPN like a normal employee?

Does the ASA 5505 not support IPSec VPN or something? Why do you need to change anything?

Can you deploy RAPs to them? Let them work as if they are in the office.

For dedicated workers at home, my recommendation is the Meraki Z4 devices for the end users, and you can use the MX67 as your end device in the DC.

The Z4s can have 4 devices plugged in also, which is great for remote testers who have multiple devices and testing needs.

Easy to set up, monitor, maintain. One template for the Z4s and one template for the MX67. If you go from 4 to 10 users, it will sync and grab the template.

That’s my recommendation.

Current design I use is: MX250 (x4), Z3s (300+), Z3C (10+) for critical end users whose home connection can go to cellular if it goes out, and Z4s (40+). The Z4s will replace the Z3s as they come up for renewals/replacements.

Rage. Why site to site? Why does your business need to access its engineers’ home networks? Why can’t they just use point to site connections from their company-managed laptops?

VM-50 on a NUC-type PC?

Can you not create S2S tunnels to your Palo, then just use GlobalProtect to the Palo for the remote users?

Why not buy a small home SD-WAN router with a built-in switch?

Usually one that’s tied to your firewall vendor is fine.

Or set up a terminal server and use either RD Gateway or a ScreenConnect-type solution.

Horizon View MFA-secured desktops.

+1 for Juniper SRX 300. Fanless, mature hw/sw*, reliable.

*) *some* of Juniper’s latest JunOS releases have had… mindboggling misfeatures.

That was kinda the point of this post. Should I just be moving to SD-WAN? I should have created a better post, but I wanted to keep it broad and vague to get many responses.

My thought is, we’re moving to a NGFW from an outdated FW. What is the best option to move forward for our WFH employees that need more than a basic client VPN tunnel? I want to put the money into this project and not ask for it later.

Just curious, why IPsec and not a WireGuard tunnel?