Ok, I already have a Cisco switch in a rack. I looked for a Cisco firewall (they also have a VPN function?), but I only found very expensive products (10,000 and more). Is there anything affordable?

Show original language (German)

OK. I took a closer look at the ZyXEL USG-50. Sounds pretty good. Is there anything comparable from Cisco? (Simply a firewall with VPN) I don’t need a router because I have a Cisco switch.

Yes, that would be the Cisco ASA5506, although the USG 60 (successor to the USG 50) definitely achieves some of the better throughput values… IPsec VPN: Cisco 100 MB / USG 60 180 MB; FW throughput: Cisco 750 MB / USG 60 1000 MB…

Considering that the Cisco is Fr. 100 more expensive than the USG 60, the choice is actually clear 🙂

Thanks GianniBern

Yes, the case would be clear. And what do you think of the Netgear UTM9S, or do you know of another device that I should take a closer look at? (Budget: +/- 800.-)

Another question: I assume that the throughput of the cheaper Cisco devices is even lower than the ASA5506?

Well, I haven’t had great experiences with Netgear so far. Especially when it comes to fixing the firmware bugs… the device itself doesn’t look bad… but based on experience, I would advise against it!

What I can also highly recommend (especially if speed is important) is the Fortigate 60D… it provides a very good throughput on the VPN… In terms of cost, it’s within your budget… but it does require somewhat more configuration experience than a USG 50.

Yep, with Cisco devices it’s like that… the cheaper it is, the lower the throughput on the VPN.

Ok, and is it correct that, for example, the UTM function on the ZyXEL USG60 costs at least CHF 170 every year? And if I don’t cancel the license every year there won’t be a UTM function?

Yes, that’s correct… although you probably already have anti-spam solutions, virus protection, etc. in use… the question always arises for me… does this still have to be on the FW?

I have been working with my customers for years with USG UTM devices without the UTM functions… so far, I have NEVER had a customer infected with viruses or have to deal with SPAM…

But everyone has to decide for themselves whether these functions are worth the money.

Hello

I would like to come back to the original question: “Is it possible to connect two Internet boxes (1x house A, 1x house B) directly via VPN?”

I currently also have a VPN connection between two locations with Zyxel USG50 and USG20. This works wonderfully, but I don’t have InternetBoxes for VDSL termination but rather the “old” VDSL routers or Centro Piccolo.

As far as I know, you need the IP forwarding functions for the VPN. With this function, the external, public IP address is passed on from the modem to the Zyxel USG. As far as I know, this function is not available on the new InternetBox, so I’m wondering how you got it to work without this function?

NB: I don’t have any licenses for the UTM functions either; AV runs on all clients anyway, and in private environments the anti-spam and content filter are not necessary, if anything, IDP.

Greetings

Good bye

That’s not entirely correct… it used to be that you MUST have the public IP address on the USG.

On the firmware version 3.x side, this is no longer the case, as policy routes are no longer needed…

OK, if you really want to, you can define the USG as a DMZ host on the IB… but that’s not absolutely necessary.

This constellation has been working for me for over 8 months without any problems…

Hello Gianni

Thanks for the quick reply. Of course I have the current FW 3.30 (7) on it. The external IP is displayed on the WAN interface (logical, because I forward it). Are you absolutely sure that this is no longer necessary? I previously had problems with a CentroGrande, which also couldn’t do this function. So I want to be sure before I order something new.

The DMZ will hardly help because, as far as I know, only ports (not even all) can be forwarded to a specific internal IP address, but not the external IP address.

Greetings

Neanderthals

What are normal applications?

As an example:

For a VoIP call you need 100 kbps, for an HD TV stream you need 10 Mbps.

And when downloading/uploading a file, it depends on how long you want to wait.

OK. Thanks for the quick reply.

I’m just wondering whether a Zyxel USG20 (http://www.zyxel.ch/de/products/zyxel-zywall-usg-20/) is still appropriate for private VPN applications at the moment, or will it be outdated pretty soon? Internet lines are getting faster and faster and I don’t want the USG20 to be the bottleneck any time soon.

I need it for data backups of larger files. E.g. NAS to NAS.

@GianniBern wrote:

Do you want to use the IB on both sides? Or just one? What is the intended goal design?


Hello GianniBern

Thanks for your answer.

Target design:

Replacing ISDN telephony (at home) or analog telephony (holiday apartment) with VoIP using Swisscom InternetBoxes at both locations, as I would like to have the features of HD telephones such as the “Arosa” model. As I understand it, this requires the InternetBox as a DECT base station.

Swisscom TV should continue to work at the “holiday apartment” location.

However, the existing site-to-site VPN (IPsec) via Zyxel USG-50 or USG-20 should still be possible. Temporary VPNs with L2TP or SSL that terminate on the Zyxel USG should also work.

This currently works without any problems via the Swisscom ISDN VDSL router (Motorola 7347-84) and CentroPiccolo (Motorola 7640-47), each with IP forwarding switched on (IP passthrough / 1:1 NAT). My concern or question now is whether I can get it working again with the InternetBoxes, or do I have to stick with the “old” Swisscom “modems”?

Greetings

Neanderthals

The Internet box does not have a bridge/IP passthrough mode. So your setup won’t work.

Either way, the matter could get tricky in one point: If you want to watch TV and make phone calls via this connection at the same time as the large file transfers, there could be a loss of quality due to the lack of QoS.

Thanks,

I don’t want to make calls over the VPN connection, so performance and QoS shouldn’t be an issue.

I just want to know whether the VPN tunnel can be established and maintained or not. So far I have received different answers. Some write that it’s working for them and others (like you) say that it’s not working. What should I believe now? There has to be a clear answer.

I just said that the Internet box doesn’t have a bridge/IP passthrough mode and you’re apparently using that now with the old router.

I don’t know if there is another option. But perhaps another user who has implemented such a solution without a bridge/IP passthrough can answer this in detail.

Thank you, I think we are now in agreement, the Internet box still does not offer a bridge/IP passthrough/1:1 NAT mode.

So now the question arises: are there users who still have IPsec and/or L2TP and/or SSL VPN connections with Zyxel USGs running stably for days and weeks without the USG knowing the public IP address on the WAN port? And if so, how did these users configure it? I’m happy to hear your advice on this - thank you!