Help with VPN network design

Unanswered Question
Jan 5th, 2009
User Badges:

We currently have a Gigabit SONET ring between several locations. We also filter all traffic through an "outsourced" method and don't have our own internal firewall system. We run through this external provider and use a proxy to access the outside world. They recently opened the necessary ports for us to use VPN for a few (maybe 20) end users to access our internal network.


I have a Cisco PIX 501 and need to use this device to allow users access. It will otherwise NOT be used to filter any internal traffic and the low bandwidth of 100Mbps is very limiting.


We have several Cisco Catalyst L3 4509 switches and the primary network connection is fed directly into this, which is then fed to other 4509's on different floor's of this building.


Our entire network is Gigabit Full-Duplex to every server and desktop.


Where on the network should this be placed to avoid a bottleneck and still grant access to VPN users? Most diagrams I've seen place this device in the center of the network with the internet being on one int, the internal being on another.


Would our best bet be an additional DS0 or 1 circuit with the PIX in between it and our Cat? We still have a few 2600's laying around the basement.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Mon, 01/05/2009 - 14:19
User Badges:
  • Green, 3000 points or more

Hi Thomas,


Several questions arises, but first 100Mbps bandwith is plenty and in your case this would be the last thing I would worry about:), assuming this is our outbound pipe.


To be honest to make things less complicated, if feasable, I would first try asking your outsourced secuirty/Firewall provider to terminate the RA VPN server in their firewall and have RA Vpn terminated there and authenticate your users against your Windows Active Directory.


Generally you will place a security device in the case of FW for RA VPN in your internet edge paremeter, although a firewall can be placed anywhere in your network usually PIX/ASA will have one leg touching the public network and another leg your private network thus providing VPN services specially if your vpn users will be connecting from the outside world/Internet.


You could also integrate the fw say if you have additional spared public IP address from your current Firewall/Service provider and assign that to pix501 outside interface and run firewall in parallel and pix501 inside in your core switch, but... the question is what is your outbound medium of the 100 MB is it ethernet handoff from provider? if so perhaps a dot1q trunk on the interface to accomodate the pix501 outside interface.. maybe this may complicate things a bit.



A t1 like you said could be another solution, you have 2600 series laying around , you could use that to terminate the t1 as internet router and pix behind it but I would first try to exaust other options first and to make it less costly but this solution is definatly feasable and managed by you, .. Im sure there are more ideas but your edge perimeter especially the firewall/service provider managed makes things a bit different from the standard setups/designs.


my 2 censt


Regards

Actions

This Discussion