Mark, this was very helpful. I appreciate the response!!

Jeffrey Reed
Classic Networking, Inc.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Odette II
Sent: Wednesday, May 29, 2002 2:28 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX + VPN Router or Just VPN Router? [7:45315]

This may be the answer to your question...

From what I gather, your design description says that you have a central office, with several point-to-point Frame Relay connections to some remote "sites", as well as, in the future, several more remote "sites" that will be connecting via xDSL, Cable Modem, or even local-POP FR-to-Internet connections. For those broadband and local-POP-Frame Internet connections, a VPN tunnel is needed to connect to the central site's LAN. For those broadband and POP-Frame connections to the net, you want to also give the remote sites Internet access, so you figure to just route them out the Internet GW of the central site... which is the same ingress point of the VPN tunnel termination.

Herein lies the problem. You can't route VPN traffic (encrypted data) in and back out the same interface. VPNs don't route... PIXen don't route... they only allow traffic to pass from one interface to the next (defined by rules). Now, even though the PIX doesn't have "routing" functionality, you can specify a default route (quad zero) and say what interface to send that traffic to. But that's as far as "routing" goes. Also, the CCIE was probably taking into account CPU/memory horsepower for each remote site's data throughput.

This is what I would do to modify the design plan. For the remote sites that are connecting via xDSL or Cable Modem: substitute the 1720 + PIX 506 for a PIX 501. This combines the firewall/VPN tunnel and "router" functionality into one, and allows for safe access to the Internet for those remote offices without having to traverse the central site for this access. At the same time, the VPN tunnels can be dynamically or statically configured.

Most remote "offices" that use xDSL or Cable Modem don't have more than 10 users, so the PIX 501 is perfect for this job.... you have the option of a 10 or 50 user license (read 10 or 50 IPs statically assigned for translation) anyway. This would also meet the customer's requirement for cost efficiency. If the remote "sites" require more than 5 VPN peers, i.e., they are connecting to more than just the central site for a partially meshed VPN configuration, then the 506 and a 1720 should be used instead.

If you are using local-POP FR Internet connections, I would stick to the 1720/PIX 506 combination, which still gives you that Internet access and VPN tunnel support, all without the "split-tunnel" security risk.

... And now the caveat to the PIX 501. You might have some trouble getting the 501 to work with certain cable modems. This problem is only present when the cable provider is extremely "less-than-helpful" about MAC address management and their "policies" on MAC registration in conjunction with the modem. Some cable modems don't have the ability to locally reset their MAC table registration, and you have to rely on the cable provider to perform this reset procedure, allowing the PIX interface to register itself with the cable modem/network. If they aren't willing to do it on the basis that they only support PC setups, then you're up a creek without a paddle. Otherwise, the PIX works with most cable modems without problem. This goes for the 501 and the 506 IIRC.

Hope this helps.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeffrey Reed
Sent: Tuesday, May 28, 2002 10:12 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX + VPN Router or Just VPN Router? [7:45315]

Sorry for being so vague, I'm just going off a short conversation and a design drawn on a beer-stained napkin... The core PIX is shown as a 515E + VAC with 506s at remote sites.

Jeffrey Reed
Classic Networking, Inc.
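To make the remote-site arrangement Mark proposes concrete (a PIX 501 that sends central-LAN traffic into a site-to-site tunnel and everything else straight out its own default route, so nothing has to hairpin through the central site's Internet gateway), here is an illustrative configuration. It is an added example, not configuration posted in the thread; the syntax follows PIX 6.x as remembered, and the 192.168.1.0/24 inside network, the 10.0.0.0/16 central LAN, the 203.0.113.x outside addresses and the 198.51.100.1 central-site peer are constructed placeholder values.

```cisco
: Remote-office PIX 501 (assumed PIX 6.x syntax); all addresses are constructed placeholders
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
: Traffic from the remote LAN to the central LAN is exempt from NAT and selects the tunnel
access-list central permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list central
: Everything else is translated to the outside address and leaves via the local default route
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: Site-to-site IPsec to the central PIX with a static peer and a pre-shared key
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address central
crypto map vpn 10 set peer 198.51.100.1
crypto map vpn 10 set transform-set strong
crypto map vpn interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

The central-site PIX needs the mirror image of the crypto access list and a matching peer entry for 203.0.113.2; only the traffic matched by that access list is encrypted, which is the split-tunnel trade-off Mark contrasts with the 1720/506 design.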
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 28, 2002 10:24 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX + VPN Router or Just VPN Router? [7:45315]

I agree. I am confused. When you say the core PIX, is that another 506? Sorry, but I am confused.

"Henry D."
Sent by: [EMAIL PROTECTED]
05/29/2002 11:00 AM
Please respond to "Henry D."

To: [EMAIL PROTECTED]
cc:
Subject: Re: PIX + VPN Router or Just VPN Router? [7:45315]

What you are describing doesn't really make sense. You say you have connections back to the core site from all remotes. If that were the case there would be no reason for the PIX at remote sites or an obvious reason for VPN tunnels between remotes and the core site. In that case, you could just put the core PIX in front of the core site and the remotes, terminate the remotes before the core PIX, and no need for all the other mess. But I have a feeling there is more involved than we know at the moment.....:(

"Jeffrey Reed" wrote in message news:[EMAIL PROTECTED]...
> I am curious about recommendations on remote office connections when VPNs
> are involved. Today, on two separate occasions I ran into designs that
> showed remote sites with a small 1720 router and a PIX 506. The 506
> terminated one end of a tunnel back to the core PIX and the 1720 facilitated
> the frame connection. All traffic will be going back to the core, then if
> needed, to the Internet through the central site's main connection.
>
> Why can't you just use the 1720's ability to terminate a tunnel and drop all
> non-encrypted traffic and eliminate the need for the PIX? This would reduce
> the costs of both the initial purchase as well as ongoing support. What are
> the downsides to a design without a PIX at the remote site?
>
> Thanks!!
>
> Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45343&t=45315