Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Firewalling mixed environment with ADSL: doing it right?

Scenario: customer has eight sites, two of which are on an ethernet-type broadband connection (this is a service locally provided, with the router being fully transparent at the ISP side - you just plug an RJ45 in a socket and you are on the Net, with public IP address), six other sites are on ADSL. At present there is no connectivity between the sites (no VPNs or whatever). All sites are small (between 5 and 25 users each). In the future, more ADSL sites may be added. The two ethernet-sites have the main mail servers (Exchange), using XOSoft WANSync Exchange for replication (this product basically syncs the servers continuously across the WAN link).

The idea is:

The sites on ADSL will each be connected to the two ethernet sites (each ADSL site will have two VPNs: one to each of the ethernet sites). The Ethernet sites will have a VPN between them, and the VPNs to all of the ADSL sites. In other words: each ADSL site has two VPNs, and each ethernet site has seven VPNs at this stage (may have more later).

To do this, I am looking at getting 837's for each of the ADSL sites, and a 501 for one of the ethernet sites and a 515E for the other ethernet site. My question: would there be any likely issues with this?? Many thanks in advance!


  • Other Security Subjects
New Member

Re: Firewalling mixed environment with ADSL: doing it right?


> I am looking at getting 837's for each of the ADSL sites

I would go with a pix 501 for the remote ADSL sites. It seems to me more suitable for the job.

If you place a router as VPN endpoint, there is a higher risk of the router being compromized (related to pix), and from there an attacker has access to all the other networks.

The pix has PPPoE support for ADSL, so you do not need a router only a compatible ADSL modem.

> ... and a 501 for one of the ethernet sites

The pix 501 supports a limitted number of VPN tunnels, and might be too "small" for the job. I would place a pix 506 or 515 there.

Will the ADSL sites have a static fixed public IP address?

What services are you planning to provide via the VPN?

You can consider limitting VPN traffic and allow only traffic from the smaller branches to the mail servers, and not to the whole network.

In general - the pix boxes can do the job well as you defined.


New Member

Re: Firewalling mixed environment with ADSL: doing it right?

Thanks very much for your reply Yizhar - however the problem is that where I am (New Zealand), ADSL is different from elsewhere (we use PPPoA with static or dynamic IP address supplied by ISP through a DHCP-type setup, and forced NAT). This makes it hard (and according to some sources impossible) to use VPNs across 501's on an ADSL connection. Which is why I went for the 837's. I need a device with built-in ADSL router...

Sites will have fixed IP, services will be Exchange email, web browsing, remote access for us for troubleshooting purposes...

This widget could not be displayed.