?
Solved

Is a Pix 506 Enough for Internet Access, VPN, Email/Web Services?

Posted on 2005-03-13
3
Medium Priority
?
363 Views
Last Modified: 2013-11-16
My Company has about 30 internet enabled workstations.  Currently, we have a Cisco 1720 Router at the Border between ISP and our Firewall.  The firewall is one I built myself out of a Multihomed Linux Fedora 2 machine running iptables.  I am also running a Squid Proxy Server which is caching our traffic and logging sites workstations are visiting.

The money has come through to purchase a firewall, so I was looking at a PIX 506.  However, I want to make sure this will do what I want.

Here is what I want to do.

VPN Access from Remote Site (basically to login from home and run VNC, or View Security Cameras)
Email Web-Access from the Web for our Exchange Users
Internet Access to the 30 Workstations in the Building
Possible offloading 10% of our website and redirecting it back home (here) for specialized data access (like viewing accounts, billing information) *this is LEAST important

Here is what we have now:

On the Serial Interface of the Cisco Border Router, we have single IP address.  This IP address is NAT'd on the Router to "share" it with the entire building.
NO EMAIL in house (currently outsourced, but we will be purchasing Exchange to do this)

My question:

Because I have limited experience in this area, and know enough to get me in trouble, I need to know whether or not I need a block of addresses from my ISP to accomplish all of this, or would I be ok to forward through the NAT on the router to the services I need?  What are the PROs/CONs of doing it either way.  From my understand, IPsec cannot traverse NAT, making VPN a possible problem.

Also, do I really need to purchase a hardware firewall?  THe linux seems to be doing the trick and beyond what firewalls on the market can do as far as logging sites, etc.  The only thing I worry about it that it works so well that in 2 years when the HDD crashes and I need to fix it, I will forget how it worked and it will take a longer period of downtime.

Appreciate your Thoughts,

Deeky
0
Comment
Question by:deeky
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13529445
Let me address directly as many points as I can....

Will the PIX do this?
>VPN Access from Remote Site (basically to login from home and run VNC, or View Security Cameras)
Absolutely. The Cisco VPN client is fee and very secure and easy to setup with the wizards.

>Email Web-Access from the Web for our Exchange Users
Piece of cake

>Internet Access to the 30 Workstations in the Building
No problem

>Possible offloading 10% of our website and redirecting it back home
I'm not sure I quite understand, but this would be an advanced service like a reverse proxy? The PIX is not designed to provide those type services, but perhaps an additional squid box would help with that, or a load-blancing switch - something like that.

>I need to know whether or not I need a block of addresses from my ISP to accomplish all of this
A small block, perhaps 6 addresses.
You need one public IP on the router serial interface, and a different IP block for the router's inside and the PIX's outside IP addresses. Having a couple extra won't hurt if in the future you need to add more servers or services.
You are correct about IPSEC VPN having "issues" with NAT, but most all recent releases support nat-transparency with IPSEC. That said, it works best to support multiple outbound vpn client connections from the inside of your PIX, or your PIX to support multiple simultaneous sessions to remote clients using only one public IP. So - you still need a public IP on the PIX interface itself. You 'could' get away without an additional IP address on your serial interface, but it is the most efficient configuration. Tell your ISP that you want a /30 address for the serial interface, and a /29 ip block for the LAN.

>do I really need to purchase a hardware firewall?
That's a pretty subjective question. Personally, I like the simplicity of a purpose built product like the PIX. A very small text file with all of your configuration makes it a 2-minute job to completely reconfigure a brand new box, or re-do the one you have. That's easier to teach a newcomer than all the intracies of Linux/IPtables box. If you later need to upgrade to a more powerful PIX515 or even the Gigabit capable 535 versions of the PIX, its still the exact same config file that you would use to get you to your starting point of where you are today. Backing up the config file takes at most 5 seconds. There is no harddrive to 'crash'.  Let's see you do all that with a Linux box.



0
 

Author Comment

by:deeky
ID: 13529532
Let's Focus on this a little bit more, this is where I get a confused:

*lrMoore wrote:
A small block, perhaps 6 addresses.
You need one public IP on the router serial interface, and a different IP block for the router's inside and the PIX's outside IP addresses. Having a couple extra won't hurt if in the future you need to add more servers or services.

*deeky wrote:
<I HAVE HEARD THIS BEFORE, CAN YOU EXPLAIN THE REASONING BEHIND HAVING PUBLIC IP ADDRESSES FOR EACH OF THOSE INTERFACES?  IF I AM AT HOME, AND I OPEN THE VPN CLIENT TO CONNECT TO MR. PIX AT WORK, ARE YOU SAYING I WOULD BE PROVIDING THE VPN CLIENT WITH THE IP ADDRESS OF THE PIX, NOT MY ROUTER AT WORK?  SOMEHOW THEN MY ROUTER KNOWS THAT THE PIX IS LISTENING TO THIS ADDRESS?>

lrmoore wrote:
You are correct about IPSEC VPN having "issues" with NAT, but most all recent releases support nat-transparency with IPSEC. That said, it works best to support multiple outbound vpn client connections from the inside of your PIX, or your PIX to support multiple simultaneous sessions to remote clients using only one public IP. So - you still need a public IP on the PIX interface itself. You 'could' get away without an additional IP address on your serial interface, but it is the most efficient configuration. Tell your ISP that you want a /30 address for the serial interface, and a /29 ip block for the LAN.

deeky wrote:
<WHY DOES MY ISP CARE ABOUT ANYTHING BUTMY SERIAL INTERFACE ON MY ROUTER?>

I just realized who is answering my question, so I KNOW i am speaking with the correct person here!  You have helped me many times!

Thanks,

Deeky
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1200 total points
ID: 13529828
The goal will be to avoid issues like this one:
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21328357.html#13434170
Other similar issues:
http://www.experts-exchange.com/Hardware/Routers/Q_21326501.html

My solution for you would be identical.
Public IP address subnet between router and ISP - I'm only assuming a serial connection because I don't have information to say it's not. T1=serial, DSL=ATM, cable or dsl modem = Ethernet feed. No matter what, this is the "WAN" interface and dees public IP.
Public Ip address on Ethernet port of router - no NAT
Public IP address on PIX - let the PIX do all the NAT

> IF I AM AT HOME, AND I OPEN THE VPN CLIENT TO CONNECT TO MR. PIX AT WORK, ARE YOU SAYING I WOULD BE PROVIDING THE VPN CLIENT WITH THE IP ADDRESS OF THE PIX, NOT MY ROUTER AT WORK?  SOMEHOW THEN MY ROUTER KNOWS THAT THE PIX IS LISTENING TO THIS ADDRESS?>
Precisely. Your router is simply routing packets between two interfaces. It doesn't need to know about the PIX, what the pix is, does, or what it is listening to. Its only job is to pass packets.

><WHY DOES MY ISP CARE ABOUT ANYTHING BUTMY SERIAL INTERFACE ON MY ROUTER?>
Because if you get another IP subnet, the ISP has to route that subnet to you, via your serial (WAN) interface.

Trust me on this one. You "can" get away without two public subnets, but I personally wouldn't do it. It requires double-natting and can get ugly trying to syncronize two configurations. If you think VPN's don't like NAT, they really don't like being natted twice. Let the router do what it was designed to do - route packets. Let the PIX do what it was designed to do - NAT/FW/access control.

0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question