PIX 506

I am in the process of connecting two buildings together utilizing WiFi and it was recommended by the vendor to also drop a PIX-506 on each end, then create a tunnel that the data between the two sites will pass through.  Neat idea I said, but I am new to VPN stuff and wonder if anybody has a sample as to how to accomplish this?  Any suggestion is greatly appreciated.  I am stuck on using the PIX-506.

As always, thank you for your time on this matter.
kbbcnet commented:
VPN Tunnel Config: http://www.cisco.com/en/US/tech/tk827/tk369/tk388/tsd_technology_support_sub-protocol_home.html

According to Cisco:
The PIX 506 is designed specifically for the small office/remote office environment. It supports 10Mbps of regular traffic, and 4-7 Mbps of 3DES two-way encrypted traffic. The number of connections will be dictated by their individual bandwidth requirements, but in general you can expect something like 8-10. [generally used between lan & internet]
The PIX 506 also supports IPsec VPNs and has two ethernet connections.

A PIX is a firewall with VPN options and a VPN 3000 is a VPN-only device. VPNs are most often used to tunnel across the Internet. Example: Although the VPN 3000 can be used for LAN-to-LAN connectivity, it is usually used for remote access and the Cisco 7100 for LAN-to-LAN.

Other considerations:
Cisco & other WiFi access points with line of sight between two buildings should allow 300' to 2000'.  These devices usually have good security capabilities.
How far apart are your buildings & what WiFi devices are you using?
For what security reason did the vendor think you needed PIX-506 firewalls on either end, i.e., what do you want to accomplish?
What is the number of network users in each building & what is your network bandwidth 10 Mb? 100Mb? 1Gb?
Do you have Internet access in either building?
Hope this helps!

Then you are so far up a creek that a paddle will be useless!

Tell the vendor to get stuffed and buy a couple of simple VPN devices (Juniper NetScreen or SonicWall are good bets).

Actually, thinking about it - why do you need to VPN over your private WiFi connection anyway? I assume you have enabled security at each endpoint so they can only talk to each other? If so, then your vendor is screwing you into buying rubbish end-of-life kit that he wants to shift! Dump the vendor, sort out a rotating encryption key WiFi security system and forget the VPN.
I would have to agree with kbbcnet on this one; you really need to define what kind of WiFi connection (capacity) you are planning on using and how far apart the buildings are. Are you planning on using access points or routers, and have you picked a brand? I think it is important in the sense that you might be able to get the functionality that you desire without having to get and configure pixii (sp?).

It is possible to get WiFi bridges that use a combination of directional antennae and some sort of encrypted tunneling protocol that can traverse the distances mentioned without allowing external users to hop onto your network. If bandwidth is a concern there are wireless solutions that can scale up to T3 speeds, but everything comes with a cost.

The PIX 506E is a pretty robust solution but at 1295 each I am not sure if that is what you really want.

Hope this helps.

Since you are "stuck on using the PIX-506", it's a simple matter to create a LAN-LAN tunnel, but don't use the link that kbbcnet posted because you are not an Easy VPN client/server. Using the VPN Wizard in the GUI, it is a very painless process.
Here's the command line explanation for a "Simple IPSEC LAN-LAN connection between two PIX's"

I'm OK with using the VPN tunnel inside the wireless bridge. It's not a bad idea.
You're not up a creek without a paddle.
The PIX *is* a "simple VPN device" IMHO

BTW, yes, the classic 506 "is" end-of-lifed, but the 506e model is still being sold and supported, and will be for a good long time.
The "e" stands for "enhanced VPN capabilities"
It also adds 10/100 capabilities to the old 10Mb only of the original 506

Configuring Cisco SOHO VPNs:
Site1 & Site2
Configuration Examples
Troubleshooting procedures
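
An added example, not part of any post in this thread and not Cisco's own sample: a minimal pre-shared-key LAN-to-LAN IPsec configuration in PIX 6.x command syntax for one end of the bridge link, using the 3DES encryption mentioned above. The subnets 10.1.1.0/24 and 10.2.2.0/24, the peer address 192.168.100.2, the names 110, wifi-set and wifi-map, and the key placeholder are assumptions; the second PIX mirrors this with the subnets and peer address swapped.

```cisco
: Site 1 PIX (assumed: inside LAN 10.1.1.0/24, outside interface faces the WiFi bridge)
: Assumed peer: Site 2 PIX outside address 192.168.100.2, inside LAN 10.2.2.0/24

: Traffic to protect: Site 1 LAN to Site 2 LAN
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

: Do not NAT traffic that is headed into the tunnel
nat (inside) 0 access-list 110

: Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec

: Phase 2 (IPsec): 3DES encryption with SHA-1 integrity
crypto ipsec transform-set wifi-set esp-3des esp-sha-hmac
crypto map wifi-map 10 ipsec-isakmp
crypto map wifi-map 10 match address 110
crypto map wifi-map 10 set peer 192.168.100.2
crypto map wifi-map 10 set transform-set wifi-set
crypto map wifi-map interface outside

: Phase 1 (IKE): pre-shared key scoped to the single peer address
isakmp enable outside
isakmp key <PRE-SHARED-KEY> address 192.168.100.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After sending traffic between the two LANs, `show crypto isakmp sa` and `show crypto ipsec sa` on either PIX show whether the phase 1 and phase 2 security associations came up.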