
PIX VPN endpoint behind router or PIX VLAN trunk


Gihzmo (MIS), Apr 5, 2005
I am trying to set up a VPN to another company's office which we are doing some business with. They do not have much of any infrastructure, so I am having to design the network down there myself. What I need to do is have our PIX 501 to VPN to, and a router in front of it so their PC can be on the outside of the firewall. I am trying to find a router to go in front of the firewall, but I am not sure what kind of router I should use; obviously I need something that will do static NAT to NAT the firewall through the firewall and that will permit the IPSEC and ISAKMP through. The other thing I was thinking was to get a PIX 506, put in a Cisco 2950 and trunk the VLANs from the switch to the firewall. Has anyone done this, or have any suggestions on this? I don't really care what kind of router, just so long as it can allow IPSEC and ISAKMP and can static NAT. I know I can do it with a low-end Cisco router, but I was going to see if there was something cheaper out there.
 
What is the purpose of the router? Why can't it just be a router? Of course a router can allow IPSEC through and statically NAT. I'm not sure why you would have to NAT, though. Do you have a router in place from your ISP? Do you have public IP space or is it dynamically assigned? It sounds like you may have a small network? For a switch, consider a layer 3 switch also. If budget is a concern, look at refurbs. They aren't as bad as people make them out to be. Also they can be put on SMARTnet and usually have a company warranty. I have had very good experience purchasing with a refurb company. If you need a reference let me know.
 
There is no router currently in place, and I have to separate our network from their network down there. Also I cannot do a VLAN trunk into the PIX 501. We currently have them behind our firewall, but we wanted to move them in front of our firewall and let them be on a completely separated network and have our firewall as some security between us and them.
 
Also it is a DSL circuit, so I can only have one MAC address behind the DSL modem. This is the main reason I have to have a router to NAT everything, so it will all be coming from one MAC address.
 
Well then I would go the way of keeping your PIX at the head and doing VLANs. That is if you get the 506. You don't have to get a Cisco switch either. The 3Coms or Dells would work for you as far as VLANs go.
 
Another question: can I use a Cisco 837 as an IPSEC/ISAKMP VPN endpoint from a PIX? It looks like I can, but I am not sure. Also, can I have multiple internal interfaces with that router? I need to separate the internal networks and allow one straight out to the Internet and one to pass through the VPN.
 
Yes, the 837 does support IPSEC. Make sure you have the right IOS installed. I believe it comes with a 4-port switch for the LAN and one outside interface. You shouldn't have to have 2 LANs unless you just have a lot of internal hosts, and in that case the 837 isn't the way to go. The way the VPN will work is you can define what traffic crosses the tunnel by an ACL. Basically, which traffic is to be tunneled and which is to go to the Internet.
 
I would strongly take a look at the 1811 series router if I were you. You can set up VLANs to segment the networks, use the IOS Firewall feature set, do VPNs, and everything else you mentioned in this post. They typically run about $900. We have a few of these in potentially hostile environments segmenting networks using VLANs and they have been great.

Also, the router comes with an embedded 8-port switch (that you can divide into VLANs). You may also want to pick up a couple of low-end non-managed layer 2 switches (3Com, Allied Telesyn) to hang the users off if you have more than 8. Allied Telesyn switches will run about $80 a pop.


XXXXXXXXX#sho version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.3(8)YI1, RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(10.3)T2
Technical Support: Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Apr-05 18:57 by ealyon

ROM: System Bootstrap, Version 12.3(8r)YH5, RELEASE SOFTWARE (fc1)
ROM: Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.3(8)YI1, RELEASE SOFTWARE (fc1)

XXXXXXXXx uptime is 6 weeks, 43 minutes
System returned to ROM by power-on
System restarted at 14:32:07 CST Thu Nov 10 2005
System image file is "flash:c181x-advipservicesk9-mz.123-8.YI1.bin"


This product contains cryptographic features and is subject ..........%snip%

Cisco 1811 (MPC8500) processor (revision 0x300) with 118784K/12288K bytes of memory.
Processor board ID FHK092420W4, with hardware revision 0000

FastEthernet interfaces
1 Serial interface
1 terminal line
31360K bytes of ATA CompactFlash (Read/Write)


Configuration register is 0x2102
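To make the two points above concrete (a crypto ACL deciding what is tunneled versus sent to the Internet, and an 1811 splitting the office into VLANs with the IOS Firewall feature set), here is an added example configuration for the remote-office 1811. It is not from any of the posts in this thread. Every address, VLAN number, port assignment and the pre-shared key are assumed placeholders: the HQ PIX 501 is taken to sit at 203.0.113.1 with 10.10.0.0/24 behind it, the 1811's DSL side is given a static 198.51.100.2/30, the partner's PCs are put on VLAN 1 (192.168.30.0/24, Internet only) and our hosts on VLAN 2 (192.168.20.0/24, tunneled to HQ).

```cisco
! Added example (not from the thread). Cisco 1811, IOS 12.3 Advanced IP Services.
! All addresses, VLAN/port assignments and the PSK below are ASSUMED values.
!   HQ PIX 501 outside      203.0.113.1    (HQ LAN 10.10.0.0/24 behind it)
!   1811 outside (DSL)      198.51.100.2/30, default route via 198.51.100.1
!   Partner LAN (VLAN 1)    192.168.30.0/24  -> Internet only
!   Our LAN (VLAN 2)        192.168.20.0/24  -> tunneled to HQ
! On this IOS train VLAN 2 must first be created in 'vlan database' before
! 'interface Vlan2' will come up.
!
ip cef
! IOS Firewall (CBAC): stateful return holes for sessions started from the LANs.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! ---- Phase 1 (ISAKMP) and phase 2 (IPsec) proposals; the PIX side must match ----
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-PIX esp-3des esp-sha-hmac
!
! Crypto ACL: ONLY traffic matching this is encrypted to HQ. Everything else
! follows the default route to the Internet, PAT'd. Mirror it on the PIX.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.0.255
!
crypto map CM-PIX 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-PIX
 match address VPN-TRAFFIC
!
! NAT: 'deny' exempts the tunneled traffic from translation; the rest is
! overloaded on the single DSL address, so the modem sees one MAC/IP.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.20.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet0 overload
!
! Outside ACL: only IKE (UDP/500) and ESP from the HQ PIX are admitted
! unsolicited; CBAC adds the return entries for LAN-initiated sessions.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.1 eq isakmp any eq isakmp
 permit esp host 203.0.113.1 any
 deny   ip any any log
!
! Partner segment: Internet yes, our VLAN and the HQ LAN no.
ip access-list extended PARTNER-IN
 deny   ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
!
interface FastEthernet0
 description DSL modem (outside)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 crypto map CM-PIX
!
interface Vlan1
 description Partner PCs, Internet only
 ip address 192.168.30.1 255.255.255.0
 ip access-group PARTNER-IN in
 ip inspect FW in
 ip nat inside
!
interface Vlan2
 description Our hosts, tunneled to HQ
 ip address 192.168.20.1 255.255.255.0
 ip inspect FW in
 ip nat inside
!
! Embedded switch ports (assumed split): Fa2-5 partner, Fa6-9 ours.
interface range FastEthernet2 - 5
 switchport access vlan 1
interface range FastEthernet6 - 9
 switchport access vlan 2
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Two things to check after applying it: `show crypto isakmp sa` and `show crypto ipsec sa` should show a tunnel only after a host in 192.168.20.0/24 sends traffic to 10.10.0.0/24, while `show ip nat translations` should never list a 192.168.20.x-to-10.10.0.x entry (if it does, the NAT-exemption `deny` line is not being hit and the PIX will silently drop the mistranslated packets). 3DES, SHA-1 and DH group 2 are used here only because they are what a 2005-era PIX 501 negotiates; on anything newer, use AES, SHA-2 and a stronger group.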
 