VPN Appliance Advice


pgaliardo

MIS
Nov 30, 2004
I haven't had to deal with VPNs much in our setup, so I need some advice from the experts. Currently, we have a central office with 6 remote offices, all connected through dedicated T1 lines. Cisco 1720 Series Routers on the remote ends connecting to an Adtran Router with an 8 port WAN card on our end. There is also a Cisco 2600 Series router in the central office that handles the Internet. That's correct - 2 routers on this end - 1 for all Point to Point links and 1 for Internet traffic. Little strange setup, but it's worked for the past few years without a hitch.

In the interest of cost (what else) my boss is looking into eliminating the PTP T1's at 2 remote offices and putting in DSL. So now I am faced with connecting 2 remote offices through the Internet, not through dedicated links. Obviously, I need a VPN solution here.

I'm hoping for some feedback on hardware and setup options that would work best in this scenario. There is the possibility that all remote sites may go to DSL, so in the central office, I need a solution that can handle several PTP VPN connections.

I looked into some of the hardware out there, and it looks like there are many that "do it all" - VPN, Spam, Virus, Firewall. We already have all that, except for the VPN.

Also, I would like some advice on how to physically best set this up. Does the VPN box go "inside" or "outside" the router? Does it need its own public IP, or can I NAT traffic from the Cisco?

Thanks in advance.

 
You can set up site-to-site VPNs from router to router---the Cisco routers do that well. Post a sh ver from the routers in question (the 2 1720's and the 2600 series), and we'll tell you if the IOS can handle VPNs.

Burt
 
Burt,

They are a bit old, so hopefully they will suffice. My other question is, the T1 leases don't expire until October, so at 1 remote office I will want to keep the Cisco 1720 connected to the T1 while I experiment with this. I am not sure what sort of router Verizon will provide for their DSL service. Do you think I can get this to work with whatever hardware they give us?

1)Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.1(5)T9, RELEASE SOFTWARE (fc1)
TAC Support: Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sat 23-Jun-01 23:13 by cmong
Image text-base: 0x80008088, data-base: 0x809BF854

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

HACKENSACK_2620 uptime is 11 weeks, 6 hours, 47 minutes
System returned to ROM by reload
System image file is "flash:c2600-io3-mz.121-5.T9"

cisco 2620 (MPC860) processor (revision 0x600) with 28672K/4096K bytes of memory.
Processor board ID JAD05340FSW (881438504)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
Primary Rate ISDN software, Version 1.1.
1 FastEthernet/IEEE 802.3 interface(s)
4 Serial network interface(s)
4 Channelized T1/PRI port(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

2)Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.1(5)T9, RELEASE SOFTWARE (fc1)
TAC Support: Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sun 24-Jun-01 18:12 by cmong
Image text-base: 0x800080E0, data-base: 0x806A2DAC

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Franklin_1720 uptime is 38 weeks, 2 days, 14 hours, 42 minutes
System returned to ROM by power-on
System image file is "flash:c1700-y-mz.121-5.T9"

cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD05320CFU (4271333430), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

3)Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.1(5)T9, RELEASE SOFTWARE (fc1)
TAC Support: Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Sun 24-Jun-01 18:12 by cmong
Image text-base: 0x800080E0, data-base: 0x806A2DAC

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Medford_1720 uptime is 7 weeks, 3 days, 5 hours, 26 minutes
System returned to ROM by power-on
System image file is "flash:c1700-y-mz.121-5.T9"

cisco 1720 (MPC860) processor (revision 0x601) with 24576K/8192K bytes of memory.
Processor board ID JAD05320DHU (3900835887), with hardware revision 0000
M860 processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102


Thanks
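
The check that the requested sh ver output makes possible, as an added example that is not part of the original thread: it reads the hostname and "System image file" lines and flags whether the image name carries an encryption designator. It assumes the Cisco IOS image-naming convention in which crypto-capable feature sets include k followed by a digit, or 56, in the feature field; the third router in the sample is constructed for contrast.

```python
import re

# Constructed sample: hostname and image lines copied from the show version
# output in the thread, plus one hypothetical crypto image name for contrast.
SAMPLE = """\
HACKENSACK_2620 uptime is 11 weeks, 6 hours, 47 minutes
System image file is "flash:c2600-io3-mz.121-5.T9"
Franklin_1720 uptime is 38 weeks, 2 days, 14 hours, 42 minutes
System image file is "flash:c1700-y-mz.121-5.T9"
EXAMPLE_RTR uptime is 1 week, 2 days, 3 hours, 4 minutes
System image file is "flash:c2600-ik9o3s-mz.EXAMPLE"
"""

HOST_RE = re.compile(r"^(\S+) uptime is ")
# Image name layout: <platform>-<feature set>-<run location/compression>.<version>
IMAGE_RE = re.compile(
    r'^System image file is "(?:[^":]+:/?)?(c\d+)-([a-z0-9]+)-([a-z]+)\.'
)
# Assumption: encryption-capable IOS feature sets are marked in the image name
# by k<digit> (for example k2, k8, k9) or by 56 (56-bit DES, as in "56i").
CRYPTO_RE = re.compile(r"k\d|56")


def has_crypto(feature_set):
    """True when the feature field of an image name has a crypto designator."""
    return bool(CRYPTO_RE.search(feature_set))


def audit_show_version(text):
    """Return one record per router found in pasted show version output."""
    results, host = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := HOST_RE.match(line)):
            host = m.group(1)
        elif (m := IMAGE_RE.match(line)):
            platform, features, _fmt = m.groups()
            results.append({"host": host or "unknown", "platform": platform,
                            "feature_set": features,
                            "crypto": has_crypto(features)})
            host = None  # do not carry a hostname over to the next image line
    return results


if __name__ == "__main__":
    for r in audit_show_version(SAMPLE):
        verdict = "crypto designator present" if r["crypto"] else "no crypto designator"
        print(f'{r["host"]:16} {r["platform"]}-{r["feature_set"]:8} {verdict}')
```

The name check is only a first pass; the feature list for the exact image remains the authoritative answer on IPsec support.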
 
Also look at Netgear FVS318, it is an inexpensive router and works very well. I use these at 2 remote sites and they never drop. Also, as for DSL and VPN, have Verizon assign static IPs; it will make for easier config.
 