Firewall/VPN Solution

Posted on 2004-08-12
Last Modified: 2013-11-16
I am looking for a Cisco Pix solution for the following scenario...

I have two racks of Internet servers - Mail, DNS, HTTP etc...
I also have a rack of internal servers on a local area network (private IP address range - 192.168.x.x)

The Internet servers are multihomed and connected to the Internet via a 2Meg leased line with a range of public IP addresses and a 2Meg ADSL line with a different range of public IP addresses.

We currently have several small VPN routers terminating around sixty site to site VPN tunnels to customers we support.

The 2Meg leased line is coming from a Cisco 2600 router we have no access to or control over.
The 2meg ADSL line is coming from an ADSL router we do have access and control over.

We want to be able to see all of our customers sites over the VPN tunnels but of course not let the customers see each others sites.

I am looking for a PIX firewall/VPN solution which would meet our needs taking into account the information given above.

I have little experience in the Firewall/VPN field of networking and would appreciate some advice if possible as to the best solution available.
Question by:jongrew
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 15

Accepted Solution

Yan_west earned 250 total points
ID: 11784413
First of all, since your network is pretty big, I would go with the biggest solution offering from cisco. the pix 525, or 535, with VPN accelerator card.

pix 525
pix 535

everything is in there, configuration guide, data sheets, etc...
LVL 15

Expert Comment

ID: 11784426
I would ask a solution provider that will be happy to look at your network directly and propose you the best solution, they will be happy to do it, because this is a very expensive solution, requirering a costly maintenance contract, and configuration fees.
LVL 36

Expert Comment

ID: 11785985
Hi jongrew,
This site lists the specifications of the different PIX's -
4Mbps is not particularly high speed so I would recomend the PIX 515-R-DMZ as it has plenty of bandwidth and will support 30Mbps of VPN traffic. At a later date you can even purchase a license upgrade for it to get the higher VPN speeds of the 515-UR I believe.

Some usefull links :-
PIX configuration examples -
PIX configuration basics -
PIX ssh configuration -
My Pages:-
PIX as multi user VPN server -
PIX as a home DSL firewall -

Author Comment

ID: 11791957
Thanks for the advice and so quick...

Just another question if I may -  Interface wise, how  many interfaces would we need to buy in our chosen PIX bearing in mind we have two routers (ADSL 2Meg and Cisco 2600 2 Meg), a private LAN and a Microsoft RAS server providing Internet access for dialup clients and would we be able to add interfaces as we scale up.  And which servers would best be placed where on the PIX interfaces.

 I believe we could put our two ranges of public IP addresses as two IP Address Pools on two of the interfaces and hopefully forward the right traffic to the right servers - am I right in thinking this ? And i think security wise our private LAN would have the highest security level of 100 - what should the other interface security levels be and why ?

I do have some experience in Routers and Switches and am CCNP qualified but have not had the chance to work to much with Cisco devices as yet and as mentioned before have limited knowledge of Firewalls/VPN so thanks again for your input.
LVL 36

Assisted Solution

grblades earned 250 total points
ID: 11792474
Generally you would put a server/network on a different interface to something else if you need to control what services it can talk to on other devices.
Therefore you could for example connect the two intenet connections to the same interface on the PIX as you wont need to limit the communication between these two devices. Depending on the IP addressing scheme you might need a router thogh so it may be cheaper overall to connect them to two different intetrfaces..
Your internal setwork would be the most secure so it will have a value of 100. The Internet would be the least secure so it would have a value of 0. If you are using an interface per internet connection you could set them both to a security level of zero. If you put the RAS server on a different network them something like security 50 would be suitable as it is inbetween the internet and internal network.

Basically the rule is that by default all traffic is permitted from a particular security level to an interface of a lower security level. Therefore in a normal configuration internal machine are permitted to access everything but internet users cannot access any internal machines. Once you define an access-list for an interface then this takes precedence .

If you want more than 3 interfaces you need the nrestricted license (515-UR) for the PIX.

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below.…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question