I have been asked to work on a customer request to replace his non-Cisco FW with a PIX 525 and also to come up with a VPN solution using this PIX 525.
I am not a FW guy as my main experience is with routing/switching, but I did read some documentation and had some hands-on with a PIX 501 and cisco vpn300 client. I was able to bring up the VPN connection even if all tests did not pass (need to troubleshoot further).
Customer has his main site with an application running on a webserver that needs to be accessed only via VPN from: 3rd party + from a few remote users.
The solution I want to propose to customer is:
1. PIX 525 as VPN server + Cisco VPN 3000 client on all remote users' PCs.
2. PIX 525 as VPN server + Windows VPN client on all remote users' PCs.
3. PIX 525 as VPN server + PIX 501 at 3rd party + Windows VPN client on all remote users' PCs.
First I want you to confirm that those options are feasible. Then, what option should I go for, knowing that remote users are only about 10?
Customer has no TACACS or RADIUS, so should I go for static userid/pass configured on the PIX 525?
Any idea, advice, or suggestion is welcome. Thanks in advance.
Yes, you can have the PIX-525 as the easy VPN server and the 800 router as the easy VPN client.
You don't have an ASA 5505 or a small router for easy vpn client?
You can use either PIX or VPN3002 HW client, but both are discontinued.
I think it is the best solution because the PIX-525 will act as a firewall and the VPN server.
Then all clients will connect via VPN using the Cisco IPsec VPN client software.
The advantage of this option is that you don't need to install the software VPN on the clients (not a problem, just 10 clients)
The problem is that it does not come with split-tunneling and doesn't provide as good protection as the Cisco software.
This is also valid and you can do an EasyVPN connection where the 525 is the server and the 501 the client.
Local authentication on the PIX-525 sounds fine.
As a recommendation, the PIXes are EoS and the replacements are the ASAs.
Hope it helps.