Mark, this was very helpful. I appreciate the response!!

Jeffrey Reed
Classic Networking, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark
Odette II
Sent: Wednesday, May 29, 2002 2:28 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX + VPN Router or Just VPN Router? [7:45315]

This may be the answer to your question...

From what I gather, your design description says that you have a central
office, with several point-to-point Frame Relay connections to some
remote "sites", as well as you will have in the future, several more
remote "sites" that will be connecting via xDSL, CableModem, or even
local-POP FR-to-Internet connections.  For those broadband and
Local-POP-Frame Internet connections, a VPN Tunnel is needed to connect
to the Central site's LAN.

For those Broadband and POP-Frame connections to the net, you want to
also give the remote sites internet access, so you figure to just route
them out the Internet GW of the Central Site... which is the same
ingress point of the VPN Tunnel termination.  Herein lies the problem.
You can't route VPN traffic (encrypted data) in and back out the same
interface.  VPNs don't route... PIXen don't route... they only allow
traffic to pass from one interface to the next (defined by rules).

Now, even though the PIX doesn't have "routing" functionality, you can
specify a default route (quad zero) and say what interface to send that
traffic to.  But that's as far as "routing" goes.

Also, the CCIE was probably taking into account the CPU/Memory
horsepower for each remote site's data throughput.

This is what I would do to modify the design plan.

For the remote sites that are connecting via xDSL or Cable-Modem:
Substitute the 1720+PIX 506 for a PIX 501.  This combines the
Firewall/VPN Tunnel and "Router" functionality into one, and allows for
safe access to the internet for those remote offices without having to
traverse the Central Site for this access.  At the same time, the VPN
Tunnels can be dynamically or statically configured.  Most remote
"offices" that use xDSL or Cable-Modem don't have more than 10 users, so
the PIX 501 is perfect for this job.... you have the option of a 10 or
50 user license (read 10 or 50 IPs statically assigned for translation)
anyway.  This would also meet the customers' requirement for cost
efficiency.

If the remote "sites" require more than 5 VPN Peers, i.e., they are
connecting to more than just the Central Site for a partial meshed VPN
configuration, then the 506 and a 1720 should be used instead.

If you are using Local-POP FR Internet connections, I would stick to the
1720/PIX 506 combination, which still gives you that Internet access and
VPN Tunnel support, all without the "Split-Tunnel" security risk.

... And now the caveat to the PIX 501.  You might have some trouble
getting the 501 to work with certain Cable-Modems.  This problem is only
present when the Cable provider is extremely "less-than-helpful" about
MAC Address management and their "policies" on MAC registration in
conjunction with the Modem.  Some Cable-Modems don't have the ability to
locally reset their MAC table registration, and you have to rely on the
cable provider to perform this reset procedure, allowing the PIX
interface to register itself with the Cable-modem/Network.  If they
aren't willing to do it on the basis that they only support PC setups,
then you're up a creek without a paddle.  Otherwise, the PIX works with
most cable-modems without problem.  This goes for the 501 and the 506
IIRC.

Hope this helps.

Mark
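The design Mark recommends for the xDSL/Cable-Modem sites (a single PIX 501 that terminates the tunnel to the central site, holds the quad-zero default route, and hands the remote office its own Internet access through PAT instead of hairpinning through the central PIX) looks roughly like the following PIX OS 6.x configuration. This is an added illustration, not a configuration from the thread or from Cisco; every address, name and key is a constructed placeholder (RFC 5737 ranges), comment lines use the PIX `:` comment convention, and the 3DES/SHA-1 suite is shown only because it is what the 2002-era PIX supported.

```text
: Added example (not from the thread): PIX 501 at a cable/xDSL remote site.
: Constructed placeholders: inside LAN 192.168.10.0/24, central LAN 10.0.0.0/24,
: provider gateway 203.0.113.1, central PIX outside address 203.0.113.10.
hostname remote-pix
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
: If the cable modem assigns the outside address by DHCP, replace the two
: lines above/below for outside with:  ip address outside dhcp setroute
:
: The only "routing" the PIX does: a quad-zero default out the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
:
: Traffic for the central LAN must NOT be translated; it belongs in the tunnel.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
:
: Everything else is PAT'd on the outside address: local Internet access for
: the remote office, so Internet traffic never hairpins through the central site.
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 interface
:
: "Interesting" traffic for the site-to-site tunnel (same pair as the nonat list).
access-list vpn permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
:
: IKE phase 1: pre-shared key bound to the central PIX only (placeholder key).
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
:
: IPsec phase 2: static crypto map pointing at the central PIX.
crypto ipsec transform-set tocore-set esp-3des esp-sha-hmac
crypto map tocore 10 ipsec-isakmp
crypto map tocore 10 match address vpn
crypto map tocore 10 set peer 203.0.113.10
crypto map tocore 10 set transform-set tocore-set
crypto map tocore interface outside
:
: Decrypted tunnel traffic is allowed in without an outside access-list.
: With no access-group bound to outside, everything else arriving from the
: Internet is dropped by the PIX's default lower-to-higher security deny.
sysopt connection permit-ipsec
```

The two access-lists deliberately match the same source/destination pair: `nonat` keeps the central-site traffic untranslated so the inside addresses survive into the tunnel, and `vpn` selects exactly that traffic for encryption. Any mismatch between them is the usual cause of "tunnel comes up but nothing passes" on a PIX, and `show crypto ipsec sa` on the 501 will show the encapsulate/decapsulate counters staying at zero when that happens. Mark's point about the 1720/506 combination avoiding the "split-tunnel" risk applies here in reverse: the `nat (inside) 1` line is what gives the office local Internet access, so the remote LAN is exposed to the Internet through the 501's own policy rather than through the central site's.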

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jeffrey Reed
Sent: Tuesday, May 28, 2002 10:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX + VPN Router or Just VPN Router? [7:45315]

Sorry for being so vague, I'm just going off a short conversation and a
design drawn on a beer-stained napkin...

The core PIX is shown as a 515E + VAC with 506s at remote sites.

Jeffrey Reed
Classic Networking, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 10:24 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX + VPN Router or Just VPN Router? [7:45315]

I agree.  I am confused.

When you say the core pix, is that another 506?

Sorry but like I am confused.

"Henry D."
Sent by: [EMAIL PROTECTED]
05/29/2002 11:00 AM
Please respond to "Henry D."

To: [EMAIL PROTECTED]
cc:
Subject: Re: PIX + VPN Router or Just VPN Router? [7:45315]


What you are describing doesn't really make sense. You say you have
connections back to the core site from all remotes. If that was the case
there would be no reason for the pix at remote sites or an obvious
reason for vpn tunnels between remotes and the core site. In that case,
you could just put the core pix in front of the core site and the
remotes, terminate the remotes before the core pix, and no need for all
the other mess.

But I have a feeling there is more involved than we know at the
moment.....:(


"Jeffrey Reed" wrote in message news:[EMAIL PROTECTED]...
> I am curious about recommendations on remote office connections when
> VPNs are involved. Today, in two separate occasions I ran into designs
> that showed remote sites with a small 1720 router and a PIX 506. The
> 506 terminated one end of a tunnel back to the core PIX and the 1720
> facilitated the frame connection. All traffic will be going back to
> the core, then if needed, to the Internet through the central site's
> main connection.
>
> Why can't you just use the 1720's ability to terminate a tunnel and
> drop all non-encrypted traffic and eliminate the need for the PIX?
> This would reduce the costs of both the initial purchase as well as
> ongoing support. What are the downsides to a design without a PIX at
> the remote site?
>
> Thanks!!
>
> Jeff

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45343&t=45315
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]