• Status: Solved

Which Cisco Firewall and/or Router

I have a client who is replacing their DSL with a multi T1 connection and we want to upgrade from the somewhat unreliable Linksys/D-Link/Netgear type router/firewall to something we can depend on. They have about 70 internal users and 25 external users (some OWA and some Terminal Server), but will probably double this in the next 2 years.

They are receiving a dual T1 connection with a few VOIP phone lines. The telco vendor is providing a Cisco 2600 series router, but we do not have access to the configuration, basically they are providing us with 5 static public IPs off of the 2600 and it is up to us to bring it into our network.

I want to take the Public IPs from the telco and port map them to machines on the local network including Exchange, http, https, ftp, sftp, RDP, and a few others.

From what I understand I don't really need a router, but I do need a firewall. Will a Cisco PIX 506E or 515E do the job or will I need another 2600 series router? What about the Cisco 801, is this a router/firewall combo that will meet my needs (the price is certainly right)?

Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?

Is the Cisco SmartNet warranty service worth the expense?

Thanks EE
1 Solution
My recommendation would be the PIX515E - Restricted license version. If the 506E is all you can afford, that would be my second choice.
Without the SmartNet service you can't get updates to the OS, you can only get bug-fixed versions, not the "latest and greatest", but yes, either will do everything you want and tons more (like VPNs).

bluefingerAuthor Commented:

Would you consider this statement basically true?

"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"

Is your preference for the PIX515E based on expandability or upgradeability?


I have a 506E that I'm using for VPN connections, and to be honest, other than a VPN router, I don't like it all that much.  PDM Management utility has a long way to go in terms of usability, and a lot of times the PDM will contradict what you're trying to do if you enter CLI commands.  If you aren't doing anything complicated other than NAT/port forwarding, I'd go with something similar and much much cheaper.  The Netgear FVL328 comes to mind: http://www.netgear.com/products/details/FVL328.php  We have the 318, and it just works so much nicer than the PIX.  I'm sure the PIX works great in certain circumstances, but if your configuration varies AT ALL from the norm, things get complicated quickly.  The PIX was designed to be more of a firewall, with SPI and IDS rather than a router.
>"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"
Yes. Absolutely. Not all firewalls can allow you to use multiple public IPs mapped to multiple internal IPs.

I like the 515E for several reasons. Expandability is #1. It comes in a 6 interface model that is ideal for creating multiple DMZs, or a 3 interface model for just one DMZ (can expand to 6 later if you want), its form is a 19" rack mount, where the 506E sits on a shelf (about the size of a hefty hardback novel). The 506 only has 2 interfaces and you cannot expand any further. The 515E can be upgraded to add a second unit for seamless failover, the 506 cannot.

You can make a good DMZ and cover it with an "IDS" that can make your thing work.
Then the point of PIX is fine, that is really good so that you can make a shell for NAT.
The provider's router should be able to do NAT for you, just tell them which of the public IPs they are providing will be in the pool and which will be statically configured on your network.  Put the change request in and you're done.  If they push back on that, you're getting very poor service.  
