Cisco Support Community
New Member

Firewall position

I posted this one in the General VPN discussion without success. I thought I would try it here.

I am in the process of setting up 3 branch sites to one headend site with a Hub and Spoke design. All spoke sites will communicate with each other as well as Internet access through the Hub site via a 1721 router at the Hub. All VPNs will terminate on the S0 int of the 1721. Then if they want Hub LAN access they will continue through fa0. If the hub sites want Internet access, they will redirect off the S0 and out the T1. I have a Pix 515 that I would like to implement in the design. The only thing is I only have the 1721 router and one T1 to the Internet from the S0 of the 1721. If I put the Pix behind the router, the Hub LAN will have to go through the firewall for Internet as well as VPN traffic which is fine. But the Hub Sites coming in with Internet bound traffic will not pass through the PIX. I would like to put the Pix in front of the router like in the following diagram:

Internet ->Pix->1721 VPN router->Hub LAN.

This would be fine because Internet bound traffic from the Spokes would redirect off of the S0 of the 1721, and then pass through the Pix ACLs before getting to the Internet. The only problem is that there is not a T1 CSU/DSU card for the Pix.

Question - Does anyone have a suggestion of how I can accomplish all Internet bound traffic to pass through the Pix with only my one T1, VPN router, and Pix?



New Member

Re: Firewall position

What about having your PIX and VPN in parallel?

    Dirty Hub
     |       |
    PIX     VPN
     |       |
    Clean Hub/network

New Member

Re: Firewall position

What do you mean by dirty hub? My main problem is that I need a T1 CSU/DSU to connect to the Internet and I only know of a router that can do this. Is it possible to take a standalone CSU/DSU and cable it to the PIX with CAT5?
