Which PIX Bundle?

mparry

Technical User
Oct 23, 2002
23
GB
Hi,

I need to determine which flavour of PIX 515 is needed for the following solution:

I will have either a 512K or 2MB leased line connection to the Internet - giving VPN access for 30 remote users (using terminal services apps, POP3 email and file services).

In addition to this I need to provide HQ access for 5 other users (all in one remote office)... this access has to be secure and robust as the users will be using financial apps using terminal services often throughout the day.

The most important issue is that they have a constant connection to the HQ servers. Initially I had planned to give them a dedicated 128K point to point leased line from them to us - as this would be reliable, but expensive.

However, on the other hand, can I not just create a more reliable PIX solution... for example, if I was to use a fail-over PIX for assurance, and could I also have a dial-up ISDN line terminating on the PIX for added assurance should the main Internet connection go down?

Basically can I have:
- 2MB leased line terminating on a router which feeds into the PIX (the main access method)
- 128K ISDN line terminating on a separate router and feeding into another port on the PIX (backup)
- a failover PIX working alongside for further resilience

Plus, do I need to go for the unbundled s/w option, with 4 FE ports?

Thanks,
Marcus
 
This can be done, but I would go with a standard PIX bundle and add a 4-port Ethernet card to it (for a total of six ports). You'll need to use four right off the bat, so a couple extra ports might come in handy later on. Here is how I would envision your setup:

MAIN OFFICE
PIX-515-UR-BUN - PIX 515 Unrestricted 2 FE ports
PIX-4FE - Four port Ethernet interface
PIX-515-VPN-3DES - 3DES license for Primary PIX
PIX-515-FO-BUN - PIX 515 Failover bundle, 2 FE ports
PIX-4FE - Four-port Ethernet interface for FO unit
PIX-515-VPN-3DES - 3DES license for FO unit

Here's how the ports on the PIX would be set up:
E0 - Outside
E1 - Inside
E2 - ISDN DMZ
E3 -
E4 -
E5 - Stateful failover (a Cat-5 crossover cable between the two units).

Keep in mind that the IPSEC tunnel will go down if the firewall fails over. It usually comes back up within a minute, though.

You will also need a switch or hub of some sort on each segment, except for the stateful link. This is because a failover PIX config requires two connections in each segment (one for each unit).

For the remote office, if you want the ISDN in a separate segment like you have at the HQ, you would need to order the same thing. If not, then you could use a PIX-501-BUN-K9, which can provide your five users with a 3DES site-to-site tunnel. This model does not support failover or a third interface, though.

Hope it helps...
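The port layout and stateful-failover wiring described in the reply above, written out as a PIX 6.x-style configuration fragment. This is an added illustration, not part of the original post or a Cisco reference: the interface names, security levels and all addresses (RFC 5737 / RFC 1918 ranges) are constructed, and the exact command syntax should be checked against the PIX OS release actually shipped.

```cisco
! Primary unit. E3/E4 are left unconfigured (spare) as in the reply.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet5 auto
! Constructed names/levels: outside lowest, inside highest, ISDN DMZ in between.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 isdn security50
nameif ethernet5 stateful security55
! Constructed addresses. Each segment carries the active unit's address;
! the failover unit takes the "failover ip address" on the same segment,
! which is why every segment except the stateful link needs a switch/hub
! with two connections (one per unit).
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address isdn 192.168.2.1 255.255.255.0
ip address stateful 192.168.254.1 255.255.255.252
failover
failover ip address outside 203.0.113.3
failover ip address inside 192.168.1.2
failover ip address isdn 192.168.2.2
failover ip address stateful 192.168.254.2
! Dedicated interface for state replication over the crossover cable.
failover link stateful
failover poll 15
```

The `failover poll` interval bounds how quickly the standby unit takes over, which is the window in which the IPSEC tunnel drops and re-establishes, as the reply notes.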
 
Thank you tbissett for taking time to answer my question.

With regards to the latter part of the question - creating a backup / resilience option for 5 remote finance users, I may look to create the following solution instead of using another PIX:

- Unless the main VPN is slow or our leased line to the Internet is down, all users (including the 5 remote finance users) will operate over the Internet and through the main HQ PIX for connectivity (terminal services to apps + POP3 email).

- If the 5 finance users are receiving poor service over the VPN, they can initiate a backup ISDN dial-up solution. This should mean they could continue to use their HQ apps (via terminal services) over a 128K bonded ISDN line. In this case, I think I should only need routers at either end of the line instead of another PIX. Resilience is thereby achieved as the ISDN backup route does not go over the public Internet and uses different hardware to the main office connectivity route.

Do you think this sounds like an OK solution?

Thanks for your help.

Marcus
 