jongrew
asked on
Firewall/VPN Solution
I am looking for a Cisco Pix solution for the following scenario...
I have two racks of Internet servers - Mail, DNS, HTTP etc...
I also have a rack of internal servers on a local area network (private IP address range - 192.168.x.x)
The Internet servers are multihomed and connected to the Internet via a 2Meg leased line with a range of public IP addresses and a 2Meg ADSL line with a different range of public IP addresses.
We currently have several small VPN routers terminating around sixty site to site VPN tunnels to customers we support.
The 2Meg leased line is coming from a Cisco 2600 router we have no access to or control over.
The 2meg ADSL line is coming from an ADSL router we do have access and control over.
We want to be able to see all of our customers sites over the VPN tunnels but of course not let the customers see each others sites.
I am looking for a PIX firewall/VPN solution which would meet our needs taking into account the information given above.
I have little experience in the Firewall/VPN field of networking and would appreciate some advice if possible as to the best solution available.
I have two racks of Internet servers - Mail, DNS, HTTP etc...
I also have a rack of internal servers on a local area network (private IP address range - 192.168.x.x)
The Internet servers are multihomed and connected to the Internet via a 2Meg leased line with a range of public IP addresses and a 2Meg ADSL line with a different range of public IP addresses.
We currently have several small VPN routers terminating around sixty site to site VPN tunnels to customers we support.
The 2Meg leased line is coming from a Cisco 2600 router we have no access to or control over.
The 2meg ADSL line is coming from an ADSL router we do have access and control over.
We want to be able to see all of our customers sites over the VPN tunnels but of course not let the customers see each others sites.
I am looking for a PIX firewall/VPN solution which would meet our needs taking into account the information given above.
I have little experience in the Firewall/VPN field of networking and would appreciate some advice if possible as to the best solution available.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I would ask a solution provider that will be happy to look at your network directly and propose you the best solution, they will be happy to do it, because this is a very expensive solution, requirering a costly maintenance contract, and configuration fees.
Hi jongrew,
This site lists the specifications of the different PIX's - http://www.s2s.ltd.uk/browse.cgi?database=cisco&get=Cisco+Secure+PIX+Firewall+Chassis
4Mbps is not particularly high speed so I would recomend the PIX 515-R-DMZ as it has plenty of bandwidth and will support 30Mbps of VPN traffic. At a later date you can even purchase a license upgrade for it to get the higher VPN speeds of the 515-UR I believe.
Some usefull links :-
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
This site lists the specifications of the different PIX's - http://www.s2s.ltd.uk/browse.cgi?database=cisco&get=Cisco+Secure+PIX+Firewall+Chassis
4Mbps is not particularly high speed so I would recomend the PIX 515-R-DMZ as it has plenty of bandwidth and will support 30Mbps of VPN traffic. At a later date you can even purchase a license upgrade for it to get the higher VPN speeds of the 515-UR I believe.
Some usefull links :-
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
ASKER
Thanks for the advice and so quick...
Just another question if I may - Interface wise, how many interfaces would we need to buy in our chosen PIX bearing in mind we have two routers (ADSL 2Meg and Cisco 2600 2 Meg), a private LAN and a Microsoft RAS server providing Internet access for dialup clients and would we be able to add interfaces as we scale up. And which servers would best be placed where on the PIX interfaces.
I believe we could put our two ranges of public IP addresses as two IP Address Pools on two of the interfaces and hopefully forward the right traffic to the right servers - am I right in thinking this ? And i think security wise our private LAN would have the highest security level of 100 - what should the other interface security levels be and why ?
I do have some experience in Routers and Switches and am CCNP qualified but have not had the chance to work to much with Cisco devices as yet and as mentioned before have limited knowledge of Firewalls/VPN so thanks again for your input.
Just another question if I may - Interface wise, how many interfaces would we need to buy in our chosen PIX bearing in mind we have two routers (ADSL 2Meg and Cisco 2600 2 Meg), a private LAN and a Microsoft RAS server providing Internet access for dialup clients and would we be able to add interfaces as we scale up. And which servers would best be placed where on the PIX interfaces.
I believe we could put our two ranges of public IP addresses as two IP Address Pools on two of the interfaces and hopefully forward the right traffic to the right servers - am I right in thinking this ? And i think security wise our private LAN would have the highest security level of 100 - what should the other interface security levels be and why ?
I do have some experience in Routers and Switches and am CCNP qualified but have not had the chance to work to much with Cisco devices as yet and as mentioned before have limited knowledge of Firewalls/VPN so thanks again for your input.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.