• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco PIX 501 VPN host w/downstream Linksys and DLink VPN endpoints

We have the need to allow three remote sites to connect via VPN to our network.  The sites already own either a Linksys BEFSX41, a D-Link DI-804HV or a D-Link DI-808HV -- all of which (as far as I can tell) support establishing VPN connections using IKE and IPSec.

I was thinking of using a CISCO PIX 501 (configured as my network's gateway) to accept the VPN connections.  (I would like all of the remote offices to get their own PIX 501's as well, but I'm told cost is an issue.)

I'm putting this up on EE because I've never done anything like this before and I don't want to make a mistake before I even get started.

Will the CISCO work with non-CISCO VPN endpoints?
Is the CISCO PIX 501 reliable, or am I going to be fighting sporadic connectivity issues?
How hard is it to setup a PIX 501?
The current router/firewall at our office is using NAT.  Can the PIX act as Firewall/NAT device, or do I have to put something behind it?

Thanks,
Jim
Asked by: jimstjohn
3 Solutions

poweruser32 commented:
I'm not an expert on the Cisco, but I know that the ASA is the big player in the Cisco market now, replacing the PIX. Don't ask me about the difference.
As regards compatibility with other hardware devices, I don't think you will have any problems there.
Yes, the PIX uses NAT, and it is fairly handy to set up. You can use the ASDM web console if you are not into SSH or Telnet to issue commands. You can also set up the VPN site-to-site connections on it as well, and it is very secure from that point of view.

llyquid commented:
If you don't already own the PIX 501, get an ASA5505 instead. Also, remember that the PIX 501 comes in 10, 50, and Unlimited User versions. If you put in a 10 user version, you can only have 10 simultaneous NAT translations through the PIX.

Do you have static IPs on your devices at all the sites? If so, then you are in luck: the IPSEC tunnels are configurable.

Although the PIX501 has been known to overheat because of its Netgear-switch-like chassis, the PIX is by far the superior device among those you have named in your list above and will be the strongest link in the chain. But static IPSEC tunnels only work with static IP addresses assigned on the interface of each of the firewalls. These devices do not support the EasyVPN server feature of the 501. In the case of EasyVPN, you can have a static IP at the headend, and the remote devices can be behind NAT and have private IPs. But you'll have to wait until Cisco gear becomes affordable to your client.

lrmoore commented:
>Will the CISCO work with non-CISCO VPN endpoints?
Yes, absolutely. I currently have a VPN tunnel between a Linksys WRV54G and an ASA5510, and had one to a PIX506 before I replaced it with the ASA.

>Is the CISCO PIX 501 reliable, or am I going to be fighting sporadic connectivity issues?
It would do fine as long as the remotes are small offices and you have the proper license on the 501. Price-wise the ASA5505 is a much better bargain and newer technology, and all around a better buy.

>How hard is it to setup a PIX 501?
It comes with a GUI VPN wizard that takes 2 minutes to set up the VPN tunnels.

>The current router/firewall at our office is using NAT.  Can the PIX act as Firewall/NAT device, or do I have to put something behind it?
The PIX/ASA is the only device you need for all your VPN/NAT/PAT needs.

As long as your end has a static IP, the remotes don't have to. See the link here for the PIX 6.x version:  http://www.cisco.com/warp/public/110/dynamicpix.html
This link is for the ASA 7.x:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
The Cisco end is set up the same way as shown in these examples regardless of the remote endpoint, whether it is Cisco, Linksys, Netgear, whatever.

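An added example, not taken from lrmoore's post or from the Cisco documents linked above: a head-end configuration in ASA 7.x command syntax for the layout this thread converges on (a head end with a static address, one remote with a static address, two remotes on dynamic addresses). Every address, subnet, object name and key below is an assumption chosen for illustration; the 192.168.1.0/24, 10.x.0.0/24, 203.0.113.10 and 198.51.100.20 values are placeholders and must be replaced with the real ones.

```cisco
! Head end (ASA 5505, ASA 7.x command syntax; ASA 8.x prefixes the isakmp
! lines with "crypto " and uses "ikev1 pre-shared-key", and 8.3+ changes
! the NAT exemption syntax). All values are assumed placeholders:
!   head end:        outside 203.0.113.10, LAN 192.168.1.0/24
!   site 1 (static): outside 198.51.100.20, LAN 10.1.0.0/24
!   site 2 (dynamic): LAN 10.2.0.0/24
!   site 3 (dynamic): LAN 10.3.0.0/24

! Phase 1 policy that all three remotes must be able to match.
! Do not accept a wizard default of DES/MD5; if a remote unit only offers
! 3DES, add a second, lower-preference policy for it instead.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Exempt tunnel traffic from the interface NAT/PAT, otherwise the remotes
! see the head end's outside address instead of 192.168.1.x hosts.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Site 1 has a fixed address, so it gets an ordinary static map entry.
! Static entries must use a lower sequence number than the dynamic entry.
access-list SITE1 extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address SITE1
crypto map OUTSIDE_MAP 10 set peer 198.51.100.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key Site1-long-random-key-goes-here

! Sites 2 and 3 connect from addresses the head end cannot know in
! advance, so they are matched by a dynamic map. The "match address"
! limits the proxy IDs a dynamic peer may negotiate to the two expected
! subnets rather than accepting whatever the peer proposes.
access-list DYN_SITES extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list DYN_SITES extended permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto dynamic-map DYN_MAP 10 match address DYN_SITES
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! Dynamic L2L peers that authenticate with a pre-shared key all land in
! DefaultL2LGroup, so this single key is shared by every dynamic remote.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Dynamic-sites-long-random-key-goes-here

! Let decrypted tunnel traffic bypass the outside interface ACL
! (on ASA 7.0/7.1 the command is "sysopt connection permit-ipsec").
sysopt connection permit-vpn
```

Two points worth checking before deploying something like this. First, because the head end cannot tell the dynamic remotes apart by address, they share the DefaultL2LGroup key: choose a long random value, and treat a compromise of either small office's router as a compromise of that key, since anyone holding it can bring up a tunnel from anywhere (the `match address` on the dynamic map at least confines what such a tunnel can reach). Second, the remote units must offer exactly the proposals configured here (AES-256, SHA-1, DH group 2, ESP with AES-256/SHA-1) and the same pre-shared key; a mismatch in any one of these is the usual cause of a tunnel that never leaves Phase 1.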
llyquid commented:
lrmoore... Isn't it true that even if he doesn't have a static IP, he will still have to have the public IP assigned to the outside interface through DHCP or PPPoE if he wants to use the dynamic crypto map?

jimstjohn (Author) commented:
lrmoore:

Thanks for the info... the note regarding the fact that the remote sites don't have to have a static IP is extremely valuable -- I should have mentioned that in my original post.  Per everyone's suggestion, I'll definitely check out the ASA5505 (don't know why the rep I talked to @ CISCO didn't mention it...)

Another [hopefully not stupid] follow-up - 3 remote sites
Site 1 - 25 PCs
Site 2 - 2 PCs
Site 3 - 3 PCs

They'll be connecting to a small server farm behind the CISCO - 6 servers total.  How do I license the ASA5505?  By the total number of PCs at the remotes (30)?  By the total number of servers behind the CISCO (6)?  By the number of VPN connections (3)?

llyquid commented:
By the number of ISAKMP SA entries and the number of systems that need NAT translation behind the ASA5505. It looks like a base ASA5505 would fit your needs. Be careful though: at the remote sites that don't have static addresses, it's my understanding that you still have to get the dynamic public address assigned to the outside interface of your device via PPPoE or DHCP to use the dynamic crypto maps as lrmoore suggested. You can't use a private address on your firewall that is NATted through a DSL modem, for example.

jimstjohn (Author) commented:
llyquid:

My side has a static public IP, and the remote office w/25 PCs has a static public IP, but the two smaller offices don't.  Since my end is static and I want to allow dynamic connections from the remotes, am I OK?  The link that lrmoore gave (for ASA 7.x) seems to imply this is OK.

I could set up the smaller remote offices to register with a dynamic DNS lookup site (like dyndns.com) so that I could do name resolution to get their public IP address --  would that help?

-- Jim

llyquid commented:
I think the point I am trying to make is, you don't need a "static" IP to follow lrmoore's suggestion, but you do need to make sure that whatever dynamic public IP you are getting is being directly assigned to the outside interface of your firewalls at the remote site. This can sometimes be a challenge.