Solved

Your opinion about connecting 3 Cisco PIX 506e firewalls?

Posted on 2008-06-11
18
325 Views
Last Modified: 2010-04-09
I would like your opinion about connecting 3 Cisco PIX 506e firewalls. I have 3 offices which I would like to connect to eachother. This must be done by creating VPN's. The connections between the offcies are made by direct fiber connections (LAN-to-LAN, no routing, no internet access). Is it needed or recommended to use routers between those connections in front of the PIX firewalls. OR it is possible to give the 3 firewalls IP-addresses like 10.10.10.1  .2 and  .3, creating internal ranges at the 3 offices and use static routes. Is that possible? What do you recommend for this scenario?
0
Comment
Question by:Traction IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
  • 4
  • +1
18 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 21763315
Static routes are fine.
0
 

Author Comment

by:Traction IT
ID: 21763341
in fact the Cisco PIX is also a basic router isn't it? What do you think, Cisco PIX 506E or a Cisco 870 series router?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 21763382
A PIX can do basic routing.  It is not a router.

Use a PIX if you need firewall services or VPN tunnels, otherwise a 870 will be fine.
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:Traction IT
ID: 21763435
Indeed, I need VPN tunnels and good, reliable security... PIX for me?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 21763439
Yes.
0
 
LVL 5

Expert Comment

by:renill
ID: 21766437
You need to place the pix 's at your perimeter and try making  a vpn mesh for redundancy.
Pix can do static routing. configure site-to-site vpns on the pixes.

Renill
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 21768387
Anything else you need before closing this question?
0
 

Author Comment

by:Traction IT
ID: 21768617
Yes... I'm talking about LAN-LAN connections which are already VLAN'ed by the provider, we are talking about a private LAN-LAN connection without internet access. Maybe it's better than to make use of simple routers and not a firewall, like the PIX.

0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 21768742
If it is a private l2l connection, VPN is unnecessary.  You may want to firewall if you are worried about isolating traffic from place to place.

I think the router (since no VPN) would be best.
0
 
LVL 7

Expert Comment

by:naughton
ID: 21774667
i'd also look at an ASA vs a PIX - the ASA provides traffic management capabilities also.  you can always plug a modem / router into the Appliance later if needed for vpn etc.

the PIX would also provide a higher level of security.
0
 

Author Comment

by:Traction IT
ID: 21776561
When I just want to "connect" the locations by using static routes and no other special things, what do you all advice me to use for type of router?
0
 
LVL 7

Expert Comment

by:naughton
ID: 21776575
how many users per site?>  what type of traffic is being passed?

you could enable ripV2 so the router can learn about the routes, - vs static entries.  


0
 

Author Comment

by:Traction IT
ID: 21776785
In fact only RDP-traffic, some print traffic and somewhat internet traffic, it's about 4 sites.

main site  (here are the servers located) (4 Mb LAN-LAN connection)
sub site  max. 10 users  (2 Mb LAN-LAN connection)
sub site  max. 10 users  (2 Mb LAN-LAN connection)  
sub site  max. 15 users  (2 Mb LAN-LAN connection)  

At the main site there already is an internet connection which have it's own seperate firewall for internet access.
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 250 total points
ID: 21777231
I'm sure the 870 that you mentioned would be fine.
0
 
LVL 7

Assisted Solution

by:naughton
naughton earned 250 total points
ID: 21783351
an 800 series should be fine.  i'd also look at combining it with websense to manage internet usage - ensure you use route maps on any static NAT entries to avoid problems with VPN traffic.
0
 

Author Comment

by:Traction IT
ID: 21784634
what is websense? an additional product for an cisco 800? or an additional device?
0
 
LVL 7

Expert Comment

by:naughton
ID: 21784645
www.websense.com  its a software add on for the router / firewalls.

0

Featured Post

Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question