Cisco PIX 501 VPN host w/downstream Linksys and DLink VPN endpoints

James St. John
Last Modified: 2009-06-07
We have the need to allow three remote sites to connect via VPN to our network.  The sites already own either a Linksys BEFSX41, a D-Link DI-804HV or a D-Link DI-808HV -- all of which (as far as I can tell) support establishing VPN connections using IKE and IPSec.

I was thinking of using a CISCO PIX 501 (configured as my network's gateway) to accept the VPN connections.  (I would like all of the remote offices to get their own PIX 501's as well, but I'm told cost is an issue.)

I'm putting this up on EE because I've never done anything like this before and I don't want to make a mistake before I even get started.

Will the CISCO work with non-CISCO VPN endpoints?
Is the CISCO PIX 501 reliable, or am I going to be fighting sporadic connectivity issues?
How hard is it to set up a PIX 501?
The current router/firewall at our office is using NAT.  Can the PIX act as Firewall/NAT device, or do I have to put something behind it?

Thanks,
Jim
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:

Commented:
Irmoore... Isn't it true that even if he doesn't have a static IP, he will still have to have the public IP assigned to the outside interface through DHCP or PPPoE if he wants to use the dynamic crypto map...

Author

Commented:
Irmoore:

Thanks for the info... the note regarding the fact that the remote sites don't have to have a static IP is extremely valuable -- I should have mentioned that in my original post.  Per everyone's suggestion, I'll definitely check out the ASA5505 (don't know why the rep I talked to @ CISCO didn't mention it...)

Another [hopefully not stupid] follow-up - 3 remote sites
Site 1 - 25 PCs
Site 2 - 2 PCs
Site 3 - 3 PCs

They'll be connecting to a small server farm behind the CISCO - 6 servers total.  How do I license the ASA5505?  By the total number of PCs at the remotes (30)?  By the total number of servers behind the CISCO (6)?  By the number of VPN connections (3)?

Commented:
By the number of isakmp SA entries and number of systems that need NAT translation behind the ASA5505. It looks like a base ASA5505 would fit your needs... Be careful though: at the remote sites that don't have static addresses, it's my understanding that you still have to get the dynamic public address assigned to the outside interface of your device via PPPoE or DHCP to use the dynamic crypto maps as Irmoore suggested... You can't use a private address on your firewall that is NATted through a DSL modem, for example...

Author

Commented:
llyquid:

My side has static public IP, remote office w/25 PCs has static public PC, but the two smaller offices don't.  Since my end is static and I want to allow dynamic connections from the remotes, am I OK?  The link that Irmoore gave (for ASA 7.x) seems to imply this is OK.

I could set up the smaller remote offices to register with a dynamic DNS lookup site (like dyndns.com) so that I could do name resolution to get their public IP address --  would that help?

-- Jim

Commented:
I think the point I am trying to make is, you don't need a "static" IP to follow Irmoore's suggestion, but you do need to make sure that whatever dynamic public IP you are getting is being directly assigned to the outside interface of your firewalls at the remote site... This can sometimes be a challenge.
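
The pre-deployment check the comments above describe, as an added example that is not part of the original thread: for each remote site it decides whether the head end would carry a static peer entry or rely on the dynamic crypto map, and flags a firewall whose outside interface holds a NATted address instead of the public one. The site names, addresses and the `classify_site`/`plan` helpers are constructed for illustration.

```python
import ipaddress

# Ranges that mean the remote firewall is NOT holding the public address
# itself (an upstream modem or carrier is doing NAT). They are listed
# explicitly because ipaddress.is_private also flags the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) used as sample public IPs here.
NATTED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "169.254.0.0/16",                                  # link-local: no DHCP lease
)]


def classify_site(outside_ip, static):
    """Classify one remote site by the address on its outside interface."""
    addr = ipaddress.ip_address(outside_ip)
    if any(addr in net for net in NATTED_RANGES):
        # The case the last comment warns about: private address on the
        # firewall, NATted through a DSL modem in front of it.
        return "behind-nat"
    # Public address held by the firewall itself.
    return "static-peer" if static else "dynamic-peer"


def plan(sites):
    """Map each site name to its classification."""
    return {name: classify_site(ip, static) for name, (ip, static) in sites.items()}


# Constructed sample inventory: (outside interface address, is it static?)
SITES = {
    "site1-25pc": ("203.0.113.10", True),    # static public IP
    "site2-2pc": ("198.51.100.37", False),   # public IP via DHCP/PPPoE
    "site3-3pc": ("192.168.1.2", False),     # lease handed out by a DSL modem
}

if __name__ == "__main__":
    for name, verdict in plan(SITES).items():
        print(f"{name:12} {verdict}")
```

Sites reported as `behind-nat` are the ones to fix first, for example by putting the modem into bridge mode so the firewall's outside interface receives the public address directly.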