Solved

Complex VPN & Firewall question

Posted on 2000-05-09
Last Modified: 2010-04-17

I have a Cisco 1750 router that currently has a frame relay connection via T1 to a remote site.  My client wants to put in a second WAN card and install VPN service, so that people can reach this device from the Internet.  A firewall needs to be installed on the router, which I assume will be using NAT for the internal network and Context Based Access lists to monitor traffic.  What pitfalls am I going to run into with trying to use a firewall, VPN, and CBAC on the same router?  Can this even be done?  Any advice would be great.
Question by:Silas
5 Comments
 
ID: 2804249
Hi
Yes, it can be done; you need a feature set that supports all of the features required. This in turn will need 8Mb Flash and 24MB DRAM.
I would suggest using the router for VPN and WAN termination, backed by a separate firewall (PIX) for security.
If you use a single box and it is compromised.....
If you use the 1750 to protect the firewall and the firewall to protect the network, and a syslog server to see who is "knocking at the door" you should be able to get a secure system together.
 

Author Comment

by:Silas
ID: 2807223
Will the dial-in clients receive a private address from the internal network when they dial in - does the router pass authentication on to a different machine?  Will the clients receive an address from the global address pool?  How is this going to work?

Expert Comment

by:hstiles
ID: 2810480
If the clients are dialling in via a VPN tunnel, then surely they will be assigned an address by an ISP?
 

Author Comment

by:Silas
ID: 2812506
Who authenticates these clients then?  Does the router authenticate them?  Do I have to put firewalls and content-based access-lists all over the place?
 

Accepted Solution

by:
enyce earned 400 total points
ID: 2830592
I would do NAT on the router, which would require the feature pack, or you can do NAT on a hardware device such as a SonicWall, which would act as your firewall and NAT device. The more access-lists and translations you do on the router, the slower it's gonna be. With the VPN, a hardware device such as a VPnet box could be used to authenticate users through a VPN client.
www.sonicsys.com   www.vpnet.com

Good Luck
Question has a verified solution.