cepolly
asked on
PIX 515, Radware, PIX 501 and VPN - UPDATED
Hello All,
I am looking for a sample config of something close to what is described below.
Here is my updated environment:
We have 2 T1's going into 2 1760 routers. We then connect these two routers to a Radware Linkproof device that aggregates both T's into one connection. This is for bandwidth management and load balancing. We want to then take a PIX 515 and put it on the other side of the Radware device.
We will use the PIX 515 for a DMZ as well.
The question I have pertains to the Radware device needing to do the NAT instead of the PIX.
Is this a problem?
Can I configure the PIX to allow for this?
The other part of this scenario is this:
We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.
Are there any issues with this also?
ASKER
I'm not sure where this relates to the 2nd pix.
I followed your link and that works well for just the 501 alone.
I spoke to cisco and they said that having 2 PIXs on the same network doing what we want to do would cause issues.
I have already set up the PIX 515 and the RADware device and it is working well.
We are able to do everything we need to: email, web, internet and others.
Now I am trying to set up a 2nd PIX, a 501, to allow users onto the internet.
No incoming rules need be applied as all traffic inbound is coming in through the 515.
I was thinking of setting up the following:
dsl modem - outside interface: pppoe; inside interface: Bridge Mode
|
|
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
|
|
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
|
|
Internal Network - 192.168.1.0/25
Is this correct?
Is there anything I need to do on the Linksys to allow this to work?
You don't need the Linksys in there at all.
How are you going to set up the machines to split the traffic between the T1 lines and the DSL?
You could have a proxy server and configure that machine to have the PIX501 as the default gateway.
What are the T1 lines being used for?
ASKER
I don't have a proxy to set up.
As far as the T1's, this was a management decision to use them only for incoming web, mail, Blackberry and a couple of other external apps, and for the servers to communicate out as well.
I wanted to use the dsl as a backup in case the t's, router or isp went down.
In that case it sounds like you can just set the default gateway on all the servers to be the PIX515 and have all the desktop machine use the PIX501 as the default gateway.
ASKER
That's what I was thinking as well, but then I spoke with Cisco and they came up with the problem that with this config, routing would be hosed. I am not sure how this would happen though.
I can't see it being a problem as long as you don't have a machine which has to talk over the T1 and DSL lines.
ASKER
Update.
I installed it with the Linksys and it is working.
Thanks for the help.
Glad it's working. If you are happy please accept one of the answers so the question can be closed.
I thought I had answered all the author's questions.
cepolly - Why did you go with the linksys instead of the PIX?
ASKER
grblades, thanks for the help, but the recommendation to use the 501 for PCs, without the Linksys, and the 515 for servers didn't work.
I also spoke to Cisco and they said that this config would cause a 3rd leg scenario in that the return traffic would not know where to go.
I ended up using both the 501 and the Linksys like this:
dsl modem - outside interface: pppoe; inside interface: Bridge Mode
|
|
PIX 501 - outside interface: PPPoE; inside interface: 10.0.2.1
|
|
LinkSys DSL Router outside interface: 10.0.2.2; inside interface: 192.168.1.20
|
|
Internal Network - 192.168.1.0/25
This setup worked. I point all PCs to the Linksys.
Let me know if I'm mistaken and I'll award the points based on consensus.
Thanks,
cepolly
ASKER CERTIFIED SOLUTION
ASKER
"Return traffic won't be a problem since both Internet connections are using NAT so the reply will come straight back to the device performing the NAT and it will translate it and put the packet on the internal network."
You may have a point here. My initial setup did not use NAT through the Radware device. This caused some other issues so I changed it to NAT through the Radware device.
I am wondering whether or not this may have caused traffic to cease when I added both PIXs.
From what I understand then, if we removed the Radware completely from the picture, both PIXs should work and pass traffic.
is this correct?
Yes it should work as long as the configuration is changed correctly.
The linksys should be the default gateway and have static routes applied to point to the PIX as the gateway for all IP's that should go via it.
> The question I have pertains to the Radware device needing to do the
> NAT instead of the PIX.
>
> Is this a problem?
> Can I configure the PIX to allow for this?
I can't foresee any problem with this. The PIX would just be configured without NAT and would probably have a private IP address on its outside interface. This won't cause any problems.
> We also have a DSL line coming in that management wants to use only for users to surf the web. We have a PIX 501 for this.
> Are there any issues with this also?
No problems with this. See my website for a configuration example:
http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
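A configuration sketch for the two boxes as they are described in this thread, added here as an example; it is not grblades's config, not Cisco's, and not the content of the linked page. It uses PIX 6.x syntax. The 10.0.1.x segment between the Radware and the 515, the 10.0.3.x DMZ, the DMZ host 10.0.3.10 and the PPPoE credentials are all assumptions. The 515 half shows the point made in the answer above: with the Radware doing the NAT, the PIX translates nothing, so its outside interface and its inbound access-list both carry private addresses. The 501 half is the PPPoE setup for the DSL line with the 10.0.2.x link to the Linksys from the asker's diagram.

```cisco
! ---- PIX 515 behind the Radware Linkproof (PIX 6.x) ----
! Added example; every address below is assumed, not taken from the thread.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! The outside address is private: the Radware owns the public addresses and does the NAT
ip address outside 10.0.1.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.128
ip address dmz 10.0.3.1 255.255.255.0
! Default route toward the Radware (assumed 10.0.1.1)
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
! NAT exemption: the PIX translates nothing, in either direction
access-list nonat permit ip 192.168.1.0 255.255.255.128 any
access-list nonat permit ip 10.0.3.0 255.255.255.0 any
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
! Inbound to an assumed DMZ web server. The Radware has already mapped the public
! address to 10.0.3.10 when the packet arrives, so the ACL names the private address.
access-list outside_in permit tcp any host 10.0.3.10 eq www
access-list outside_in permit tcp any host 10.0.3.10 eq https
access-group outside_in in interface outside

! ---- PIX 501 on the DSL line (PIX 6.2 or later for PPPoE) ----
! Placeholder PPPoE credentials; replace with the ones from the DSL provider
vpdn group dsl request dialout pppoe
vpdn group dsl localname dsluser
vpdn group dsl ppp authentication pap
vpdn username dsluser password dslpass
! Outside address and default route come from the PPPoE session
ip address outside pppoe setroute
ip address inside 10.0.2.1 255.255.255.0
! Hide the Linksys (10.0.2.2) and everything behind it on the DSL public address
global (outside) 1 interface
nat (inside) 1 10.0.2.0 255.255.255.0
! No inbound rules on the 501: all inbound services arrive via the 515, as stated above
```

The caveat that matters for the "return traffic" discussion: because the 515 performs no translation, nothing on it rewrites source addresses, so the Radware itself must route 192.168.1.0/25 and 10.0.3.0/24 back to 10.0.1.2 and must map the public address to 10.0.3.10. If those return routes are missing on the Radware, traffic stops in exactly the way described above. On the 515, `show xlate` should stay empty and `show conn` should show the sessions; on the 501, `show xlate` should show the Linksys address 10.0.2.2 being translated to the PPPoE address.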