James St. John (United States of America) asked:
Cisco PIX 501 VPN host w/downstream Linksys and DLink VPN endpoints

We have the need to allow three remote sites to connect via VPN to our network.  The sites already own either a Linksys BEFSX41, a D-Link DI-804HV or a D-Link DI-808HV -- all of which (as far as I can tell) support establishing VPN connections using IKE and IPSec.

I was thinking of using a CISCO PIX 501 (configured as my network's gateway) to accept the VPN connections.  (I would like all of the remote offices to get their own PIX 501's as well, but I'm told cost is an issue.)

I'm putting this up on EE because I've never done anything like this before and I don't want to make a mistake before I even get started.

Will the CISCO work with non-CISCO VPN endpoints?
Is the CISCO PIX 501 reliable, or am I going to be fighting sporadic connectivity issues?
How hard is it to setup a PIX 501?
The current router/firewall at our office is using NAT.  Can the PIX act as Firewall/NAT device, or do I have to put something behind it?

Thanks,
Jim
SOLUTION by poweruser32 (members-only content, not shown)

ASKER CERTIFIED SOLUTION (members-only content, not shown)

SOLUTION by Les Moore (members-only content, not shown)
llyquid:

Irmoore... Isn't it true that even if he doesn't have a static IP, he will still have to have the public IP assigned to the outside interface through DHCP or PPPoE if he wants to use the dynamic crypto map...
James St. John (ASKER):

Irmoore:

Thanks for the info... the note regarding the fact that the remote sites don't have to have a static IP is extremely valuable -- I should have mentioned that in my original post.  Per everyone's suggestion, I'll definitely check out the ASA5505 (don't know why the rep I talked to @ CISCO didn't mention it...)

Another [hopefully not stupid] follow-up - 3 remote sites
Site 1 - 25 PCs
Site 2 - 2 PCs
Site 3 - 3 PCs

They'll be connecting to a small server farm behind the CISCO - 6 servers total.  How do I license the ASA5505?  By the total number of PCs at the remotes (30)?  By the total number of servers behind the CISCO (6)?  By the number of VPN connections (3)?

llyquid:

By the number of isakmp SA entries and number of systems that need NAT translation behind the ASA5505... it looks like a base ASA5505 would fit your needs... Be careful though... at the remote sites that don't have static addresses, it's my understanding that you still have to get the dynamic public address assigned to the outside interface of your device via PPPoE or DHCP to use the dynamic crypto maps as Irmoore suggested... you can't use a private address on your firewall that is NATted through a DSL modem, for example...

James St. John (ASKER):
llyquid:

My side has a static public IP, the remote office w/25 PCs has a static public IP, but the two smaller offices don't.  Since my end is static and I want to allow dynamic connections from the remotes, am I OK?  The link that Irmoore gave (for ASA 7.x) seems to imply this is OK.

I could setup the smaller remote offices to register with a dynamic DNS lookup site (like dyndns.com) so that I could do name resolution to get their public IP address --  would that help?

-- Jim
llyquid:

I think the point I am trying to make is, you don't need a "static" IP to follow Irmoore's suggestion, but you do need to make sure that whatever dynamic public IP you are getting is being directly assigned to the outside interface of your firewalls at the remote site... This can sometimes be a challenge.
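As an added illustration (not taken from any post in this thread or from the paywalled solutions), here is a minimal PIX 6.3 head-end configuration for the setup Irmoore and llyquid are describing: a dynamic crypto map with a wildcard pre-shared key, so remote SOHO units whose public address changes can bring up the tunnel. All names, networks and the key are constructed placeholders; the remote device must still present its public IP directly on its own outside interface, as llyquid notes.

```cisco
! Added example: PIX 6.3 head end accepting IKE/IPsec from peers whose
! public address is not known in advance (dynamic crypto map).
! Names, networks and the key below are constructed placeholders.

! Phase 1 (ISAKMP) policy offered to every peer
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Wildcard pre-shared key: any source address may match, so this key is
! the only thing authenticating a remote site. Keep it long and random,
! and rotate it if a remote unit is lost or replaced.
isakmp key REPLACE-WITH-STRONG-KEY address 0.0.0.0 netmask 0.0.0.0

! Phase 2 proposal; the Linksys/D-Link units must offer the same one
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

! Do not NAT traffic between the HQ LAN and the remote LANs
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Dynamic map: peer address is unspecified, so the head end can only
! answer a tunnel request, never initiate one toward a dynamic site
crypto dynamic-map DYNMAP 10 set transform-set STRONG
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside

! Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-ipsec
```

Sites with a static address (the 25-PC office here) can instead get their own static `crypto map VPNMAP <seq>` entry with `set peer`, which also lets the head end initiate toward them.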