• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 197
  • Last Modified:

Complex VPN & Firewall question

Experts:

I have a Cisco 1750 router that currently has a frame relay connection via T1 to a remote site.  My client wants to put in a second WAN card and install VPN service, so that people can reach this device from the Internet.  A firewall needs to be installed on the router, which I assume will be using NAT for the internal network and Context-Based Access Control (CBAC) to monitor traffic.  What pitfalls am I going to run into with trying to use a firewall, VPN, and CBAC on the same router?  Can this even be done?  Any advice would be great.
Asked by: Silas
1 Solution
 
paul Commented:
Hi
Yes, it can be done; you need a feature set that supports all of the features required. This in turn will need 8 MB Flash and 24 MB DRAM.
I would suggest using the router for VPN and WAN termination, backed by a separate firewall (PIX) for security.
If you use a single box and it is compromised...
If you use the 1750 to protect the firewall and the firewall to protect the network, and a syslog server to see who is "knocking at the door", you should be able to get a secure system together.
0
 
SilasAuthor Commented:
Will the dial-in clients receive a private address from the internal network when they dial in? Does the router pass authentication on to a different machine?  Will the clients receive an address from the global address pool?  How is this going to work?
0
 
hstilesCommented:
If the clients are dialling in via a VPN tunnel, then surely they will be assigned an address by an ISP?
0
 
SilasAuthor Commented:
Who authenticates these clients then?  Does the router authenticate them?  Do I have to put firewalls and context-based access lists all over the place?
0
 
enyceCommented:
I would do NAT on the router, which would require the feature pack, or you can do NAT on a hardware device such as a SonicWall, which would act as your firewall and NAT device. The more access lists and translations you do on the router, the slower it's going to be. With the VPN, a hardware device such as a VPNet box could be used to authenticate users through a VPN client.
www.sonicsys.com   www.vpnet.com

Good Luck
0
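As an added illustration of the combination the question asks about (NAT, CBAC inspection, IPsec VPN termination and syslog on one IOS router), not configuration from any poster in this thread: the interface names, addresses, the 192.168.x.0 networks and the syslog host are assumed placeholders, and the crypto map itself is omitted.

```cisco
! Added example, not from this thread. Assumptions: Serial1 = Internet WAN with
! public address 203.0.113.1, FastEthernet0 = LAN 192.168.1.0/24,
! 192.168.2.0/24 = remote VPN network, 192.168.1.50 = syslog server.
!
! CBAC: inspect outbound TCP/UDP sessions so only their return traffic is
! let back in; everything else arriving from the Internet is dropped and logged.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect audit-trail
!
! Inbound ACL on the Internet side: permit only the IPsec tunnel itself
! (IKE on UDP/500 and ESP) to the router. On older IOS the decrypted tunnel
! traffic is checked against this ACL a second time, so permit the remote
! network explicitly. CBAC inserts return entries dynamically above the deny.
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit esp any host 203.0.113.1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip any any log
!
! NAT pitfall: translation happens before encryption, so LAN traffic bound
! for the remote VPN network must be exempted from NAT or it is rewritten
! and never matches the crypto ACL. The route-map denies it from translation.
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110
ip nat inside source route-map NONAT interface Serial1 overload
!
interface FastEthernet0
 ip nat inside
!
interface Serial1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group 101 in
 ip inspect FW out
!
! Ship ACL denies and the CBAC audit trail to the syslog server on the LAN
! so you can see who is "knocking at the door".
logging host 192.168.1.50
logging trap informational
```

Even with this on one box, the advice above still holds: a compromise of the router exposes the LAN directly, so a separate firewall behind it keeps the VPN/WAN termination and the network protection on different devices.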
