bluefinger
asked on
Which Cisco Firewall and/or Router
I have a client who is replacing their DSL with a multi T1 connection and we want to upgrade from the somewhat unreliable linksy/dlink/netgear type router/firewall to something we can depend on. They have about 70 internal users and 25 external users (some OWA and some Terminal Server), but will probably double this in the next 2 years.
They are receiving a dual T1 connection with a few VOIP phone lines. The telco vendor is providing a Cisco 2600 series router, but we do not have access to the configuration, basically they are providing us with 5 static public IPs off of the 2600 and it is up to use to bring it into out network.
I want to take the Public IPs from the telco and port map them to machines on the local network including Exchange, http, https, ftp, sftp, RDP, and a few others.
From what I understand I don't really need a router, but I do need a firewall. Will a Cisco PIX 506E of 515E do the job or will I need another 2600 series router? What about the Cisco 801, is this a router/firewall combo that will meet my needs (the price is certainly right)?
Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?
Is the Cisco SmartNet warranty service worth the expense?
Thanks EE
They are receiving a dual T1 connection with a few VOIP phone lines. The telco vendor is providing a Cisco 2600 series router, but we do not have access to the configuration, basically they are providing us with 5 static public IPs off of the 2600 and it is up to use to bring it into out network.
I want to take the Public IPs from the telco and port map them to machines on the local network including Exchange, http, https, ftp, sftp, RDP, and a few others.
From what I understand I don't really need a router, but I do need a firewall. Will a Cisco PIX 506E of 515E do the job or will I need another 2600 series router? What about the Cisco 801, is this a router/firewall combo that will meet my needs (the price is certainly right)?
Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?
Is the Cisco SmartNet warranty service worth the expense?
Thanks EE
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
lrmoore
Would you consider this statement basically true?
"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"
Is your preference for the PIX515E based on expandability or upgradeablitliy?
Thanks,
Would you consider this statement basically true?
"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"
Is your preference for the PIX515E based on expandability or upgradeablitliy?
Thanks,
I have a 506E that I'm using for VPN connections, and to be honest, other than a VPN router, I don't like it all that much. PDM Management utility has a long way to go in terms of usability, and a lot of times the PDM will contradict what you're trying to do if you enter CLI commands. If you aren't doing anything complicated other than NAT/port forwarding, I'd go with something similar and much much cheaper. The Netgear FVL328 comes to mind: http://www.netgear.com/products/details/FVL328.php We have the 318, and it just works so much nicer than the PIX. I'm sure the PIX works great in certain circumstances, but if your configuration varies AT ALL from the norm, things get complicated quickly. The PIX was designed to be more of a firewall, with SPI and IDS rather than a router.
>"Do the PIX firewalls allow what I guess would be NAT (not really routing right?) from the outside public IPs through the firewall to the inside private IPs?"
Yes. Absolutely. Not all firewalls can allow you to use mulitple public IPs mapped to multiple internal IPs
I like the 515e for several reasons. Expandbility is #1. It comes in a 6 interface model that is ideal for creating multiple DMZ's, or a 3 interface model for just one DMZ (can expand to 6 later if you want), its form is a 19" rack mount, where the 506E sits on a shelf (about the size of a hefty hardback novel). The 506 only has 2 interfaces and you cannot expand any further. The 515E can be upgraded to add a second unit for seemless failover, the 506 cannot.
Yes. Absolutely. Not all firewalls can allow you to use mulitple public IPs mapped to multiple internal IPs
I like the 515e for several reasons. Expandbility is #1. It comes in a 6 interface model that is ideal for creating multiple DMZ's, or a 3 interface model for just one DMZ (can expand to 6 later if you want), its form is a 19" rack mount, where the 506E sits on a shelf (about the size of a hefty hardback novel). The 506 only has 2 interfaces and you cannot expand any further. The 515E can be upgraded to add a second unit for seemless failover, the 506 cannot.
you can manke a good DMZ and cover it with a "IDS" that can make ur thing work
then the point of PIX is fine that is really good so that u can make a shell for NAT
then the point of PIX is fine that is really good so that u can make a shell for NAT
The provider's router should be able to do NAT for you, just tell them which of the public IPs they are providing will be in the pool and which will be statically configured on your network. Put the change request in and you're done. If they push back on that, you're getting very poor service.
--------------------------
Low-end commercial-grade firewall appliances
--------------------------
Linksys RV082:
http://www.linksys.com/products/product.asp?prid=589&scid=29
Fortinet:
http://www.fortinet.com/products/telesoho.html
Adtran Netvanta
https://www.adtran.com/adtranpx/Rooms/DisplayPages/LayoutInitial?Product=com.webridge.entity.Entity%5BOID%5B27100B71B4B3E44D84DCAE487414CD69%5D%5D&Container=com.webridge.entity.Entity%5BOID%5B54C70AA0A26ED711A78500D0B72032D8%5D%5D&ProductCategory=com.webridge.entity.Entity%5BOID%5BCB5C5CB7C4419B4AA04F9CE1AEDD8CE7%5D%5D
Netscreen
http://www.juniper.net/products/integrated/dsheet/ds_5gt_xt.pdf
Watchguard Firebox
http://www.watchguard.com/products/
D-LINK w/DMZ port
http://www.dlink.com/products/?pid=66
Symantec:
http://www.symantec.com/smallbiz/gtw/
SNAP:
http://www.clearpathnet.com/snap/default.asp