Cost effective for the job?

Status
Not open for further replies.

queuebert

IS-IT--Management
Feb 18, 2003
First, a generic networking/security question... I have a T1 being run to our new office... I think it comes with 16 static IP addresses, the exact number eludes me. The phone company is providing a T1 router for us. Question being, would it be a wise idea to get a second router so that our workstations aren't hanging out directly on the Internet?

And a more specific question, what would be a good, cost effective router/firewall combo to act in this role? I am leaning towards Cisco based on reputation alone, but if there is something more cost effective and equally suitable, other brands might be a consideration. The only special requirement is that it be able to handle multiple outgoing VPN client connections.

Thanks in advance,
Sean
 
A better idea, if I understand your scenario correctly, is to buy a 24-48 port switch and connect it to the provider's router. The router can act as your network's/LAN's gateway. If you are implementing VLANs and need these VLANs to talk to each other, then you would need a router. A Cisco 2600 series would do.

As for the FW/router combo, although a router has some basic security features (access lists, etc.), it's always a good idea to have a separate unit for security. A Cisco PIX 505 firewall has a lot of functionalities, although I'm not sure about VPN capabilities. I do know that the PIX 535 has a lot of VPN features, but this product is quite costly. You can always check Cisco's web site for such details.
 
To answer your first question :

would it be a wise idea to get a second router so that our workstations aren't hanging out directly on the Internet?

YES......... I cannot stress this enough.

You don't want your computers directly connected to the internet.... for starters, you become an easy target.

You should consider getting a router that can do NAT, so your internal network is private.

All Cisco routers can perform this, and if you do a little research you can put a simple firewall on the router, but I recommend putting another firewall.

Good luck.
 
You don't need any additional equipment for your small network... A simple Cisco (or another) router will be fine. Just don't use the public addresses, and use NAT. Be very careful on any inbound translations you make (i.e. only translate for your email and webserver if you have them).

You can get a Cisco 2600 series router with a T1 interface and buy the IOS Firewall software to throw on it.
 
Thanks for your replies. Because Enable's response seems like the most organized layout and I have the extra layer of security, that's probably what I'm going to do.

However, banajahm and baddos, are you suggesting that I can connect multiple machines to a single router, put a couple on the Internet (behind a firewall) with public IP addresses, and put the rest of the machines on the same router with private IP addresses? It doesn't seem like something that would work to me, but I've never used a particularly intelligent router before. (It's worth noting that I didn't actually mention that some machines *do* need the direct Internet connection before)
 
Yes... That's exactly how it would work... You would make static address translations for your webserver, mail, etc. The regular PCs would just hide behind one IP address, with nothing forwarding to them.

You should see if your ISP is giving you a free 2600 or 1700 router. Most of the time, they do if you are a new client for them.
 
I agree with baddos.. use static NAT for the servers and dynamic NAT for the workstations. But nonetheless, I strongly suggest that your ENTIRE network traffic destined for the internet (i.e. ISP) goes through a firewall. And yes, the ISP may be able to give you a router if you are a new customer or if this scenario is part of a solution you will be adopting from the ISP.
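
An added example, not part of any post in this thread: one way to review the inbound translations discussed above is a small Python check that reads the static NAT lines of a Cisco IOS configuration and flags any that map a whole host or a port outside an intended list. The sample configuration, its addresses and the `ALLOWED` policy are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: NAT lines as they might appear in an IOS running-config.
# Addresses are private/documentation ranges, not taken from the thread.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25
ip nat inside source static tcp 192.168.1.11 80 203.0.113.11 80
ip nat inside source static 192.168.1.57 203.0.113.12
ip nat inside source static tcp 192.168.1.10 3389 203.0.113.10 3389
"""

# Assumed policy: only these inside hosts and ports are meant to be reachable.
ALLOWED = {("192.168.1.10", 25), ("192.168.1.11", 80)}

STATIC = re.compile(
    r"^ip nat inside source static"
    r"(?: (?P<proto>tcp|udp) (?P<local>\S+) (?P<lport>\d+) (?P<glob>\S+) (?P<gport>\d+)"
    r"| (?P<local_all>\S+) (?P<glob_all>\S+))\s*$"
)

def audit_static_nat(config, allowed=ALLOWED):
    """Return (line, reason) for every static translation outside the policy."""
    findings = []
    for line in config.splitlines():
        m = STATIC.match(line.strip())
        if not m:
            continue  # overload (PAT) entries are created only by outbound traffic
        if m["local_all"]:
            ipaddress.ip_address(m["local_all"])  # raises ValueError if malformed
            findings.append((line, "one-to-one translation: all ports map to this host"))
            continue
        ipaddress.ip_address(m["local"])  # raises ValueError if malformed
        if (m["local"], int(m["lport"])) not in allowed:
            findings.append((line, f"port {m['lport']} to {m['local']} not in policy"))
    return findings

if __name__ == "__main__":
    for line, reason in audit_static_nat(SAMPLE_CONFIG):
        print(f"REVIEW: {line}\n        {reason}")
```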
 
A Cisco PIX 506E or 501 50-user is likely a good choice and not too expensive.

If the "multiple outgoing client VPN connections" are to access the main office, I'd also suggest a similar device there to create one tunnel. Then you can forget the client connections and the remote office can appear as if it was just another network in your main office (subject to access controls, if you like).
 
Okay... so I am being supplied with a Netopia R5300. It seems like it will do everything I need it to without the use of a second router, as strange as it may still seem to me.

Just curious if anyone happens to have an opinion on the router, shortcomings, high points, security issues, etc.
 