Cisco Network Design

I have a Cisco 2801 that is pretty much an all-in-one device.  It serves as my connection to the ISP, does all firewalling, NATing, etc.  This 2801 then connects to a Cisco 2950 switch where all my workstations are plugged into.   I want to add a Cisco PIX 506E that will be configured for a L2L VPN tunnel to another location.  All this PIX will do is the VPN tunnel.  I want all firewalling, NATing, etc. to remain on the Cisco 2801.  I have the inside interface of the PIX connected to the 2950, but where should I connect the outside interface?  I have the outside interface configured with a public address, just not sure of the best way to go about connecting it.  I attached a network diagram.  Thanks.
NetworkDiagram.jpg
Crossroads305 Asked:
 
Istvan Kalmar, Head of IT Security Division, Commented:
It is working; please put the PIX VLAN in another VRF, for more security.
0
 
MikeKane Commented:
I'll offer 2 options here, depending on what you need:

Option 1:
A PIX VPN-on-a-stick style setup similar to this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
Where the Pix outside interface would connect to the 172.18.0.2 network on the 2950.   Follow the doc for the setup.  



Option 2:
Put the 506 in between the 2801 and the 2950 with a new subnet in between the devices.

Like the following:

Internet
|
(outside ip)
2801
(172.19.0.1) <-new IP
|
(172.19.0.2)
PIX 506E
(172.18.0.1)
|
(172.18.0.2)
2950


This would require a bit of redesign, and the PIX would have to be able to handle the amount of traffic you pump through the connections.  Pay attention to the connection count as well.    This setup would lend the PIX to a more traditional inline firewall role.
0
 
Crossroads305 (Author) Commented:
Thanks.  The PIX is just temporary.  I only need the L2L tunnel for a couple of weeks.  I want to do this in a way where I can just unplug the PIX when we don't need the tunnel anymore.  I would like to keep the 172.18.0.1 IP address on the Cisco 2801 if possible, because all workstations use it as the default gateway.  If I put that address on the PIX, the workstations won't have a default gateway when I take the PIX away.  Is there another way to do this?  Thanks.
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
If you want to use an L2L VPN, the 2801 is enough, so you do not need to use the PIX.
0
 
Istvan Kalmar, Head of IT Security Division, Commented:
It is able to encrypt 1.5 Mbps in its own processor...
0
 
Crossroads305 (Author) Commented:
They don't want to use the 2801.  I have to accomplish this with the PIX.  This is a weird situation.  I'm trying to figure out the easiest way to do this.  Thanks.
0
 
Crossroads305 (Author) Commented:
If I configure another VLAN on the switch with a public address, could I just connect the outside interface of the PIX to the public VLAN and the inside interface to the LAN VLAN?  Would this work?  Thanks.
0
 
MikeKane Commented:
The VLAN segments should work also.    Just be careful about ending up with multiple gateways on the same subnet.  
0
 
Crossroads305 (Author) Commented:
Thanks.  If you look at the diagram, right now my 2801 and 2950 are connected via a private address (172.18.0.x).  For this to work, would they have to be connected via a public address?
0
 
MikeKane Commented:
Well, you could just create a new VLAN interface on the router and trunk the port to the switch to carry the existing and the new VLAN.   Then connect the outside interface of the PIX to an access port on that VLAN.   Create a new subnet just for this traffic.    The inside interface of the PIX could be on the existing VLAN.

On the router, do a static one-to-one NAT for the PIX's new-subnet IP.     That should work in theory...
0
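The trunk-plus-static-NAT layout Mike describes above, written out as an added example (not configuration posted by anyone in this thread), with the 2801, 2950 and PIX sides shown together. Interface names, VLAN 20, the 192.0.2.0/30 transit subnet, the 203.0.113.3 public address, the 198.51.100.1 remote peer, the OUTSIDE-IN ACL name and the 10.99.0.0/24 remote LAN are all placeholders; the existing 172.18.0.1 gateway address moves unchanged from the physical port to its VLAN 1 subinterface, so the workstations keep their gateway and the PIX can be unplugged later.

```cisco
! ---- Cisco 2801 (IOS): ISP uplink and the existing NAT/firewall config stay as they are ----
! Fa0/1 toward the 2950 becomes an 802.1Q trunk; the existing LAN stays in VLAN 1 (native).
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 description Existing LAN; workstations keep 172.18.0.1 as their default gateway
 encapsulation dot1Q 1 native
 ip address 172.18.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description Transit VLAN 20 (placeholder id), used only by the PIX outside interface
 encapsulation dot1Q 20
 ip address 192.0.2.1 255.255.255.252
 ip nat inside
!
! One-to-one static NAT for the PIX outside address (public 203.0.113.3 is a placeholder).
ip nat inside source static 192.0.2.2 203.0.113.3
!
! OUTSIDE-IN stands for the ACL already applied inbound on the ISP interface: it must let
! the remote peer (placeholder 198.51.100.1) reach the translated address with ISAKMP,
! NAT-T and ESP, or the tunnel never comes up.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.1 host 203.0.113.3 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.3 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.3
!
! LAN traffic for the remote site (placeholder 10.99.0.0/24) is handed to the PIX inside
! interface; without this route it would follow the default route to the ISP instead.
ip route 10.99.0.0 255.255.255.0 172.18.0.3
!
! ---- Cisco 2950 (IOS) ----
interface FastEthernet0/1
 description Trunk to 2801 (VLAN 1 native, VLAN 20 tagged)
 switchport mode trunk
!
interface FastEthernet0/2
 description PIX outside
 switchport mode access
 switchport access vlan 20
!
! The PIX inside port stays an ordinary VLAN 1 access port, like the workstation ports.
!
! ---- PIX 506E (PIX 6.x) ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.252
ip address inside 172.18.0.3 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

On the 2801, `show ip nat translations` should list the static 192.0.2.2 to 203.0.113.3 entry before the tunnel is brought up; the crypto configuration on the PIX itself is out of scope for this thread.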
 
Crossroads305 (Author) Commented:
Thanks for all your help.  They decided to just have me create the VPN on the 2801 instead of the pix.  I appreciate everything.
0
Question has a verified solution.