04-19-2003 05:43 PM - edited 03-09-2019 02:57 AM
Scenario: customer has eight sites, two of which are on an ethernet-type broadband connection (this is a service locally provided, with the router being fully transparent at the ISP side - you just plug an RJ45 in a socket and you are on the Net, with public IP address), six other sites are on ADSL. At present there is no connectivity between the sites (no VPNs or whatever). All sites are small (between 5 and 25 users each). In the future, more ADSL sites may be added. The two ethernet-sites have the main mail servers (Exchange), using XOSoft WANSync Exchange for replication (this product basically syncs the servers continuously across the WAN link).
The idea is:
The sites on ADSL will each be connected to the two ethernet sites (each ADSL site will have two VPNs: one to each of the ethernet sites). The Ethernet sites will have a VPN between them, and the VPNs to all of the ADSL sites. In other words: each ADSL site has two VPNs, and each ethernet site has seven VPNs at this stage (may have more later).
To do this, I am looking at getting 837's for each of the ADSL sites, and a 501 for one of the ethernet sites and a 515E for the other ethernet site. My question: would there be any likely issues with this?? Many thanks in advance!
GS
04-20-2003 12:07 PM
Hi.
> I am looking at getting 837's for each of the ADSL sites
I would go with a pix 501 for the remote ADSL sites. It seems to me more suitable for the job.
If you place a router as VPN endpoint, there is a higher risk of the router being compromised (related to pix), and from there an attacker has access to all the other networks.
The pix has PPPoE support for ADSL, so you do not need a router only a compatible ADSL modem.
> ... and a 501 for one of the ethernet sites
The pix 501 supports a limited number of VPN tunnels, and might be too "small" for the job. I would place a pix 506 or 515 there.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html
Will the ADSL sites have a static fixed public IP address?
What services are you planning to provide via the VPN?
You can consider limiting VPN traffic and allow only traffic from the smaller branches to the mail servers, and not to the whole network.
In general - the pix boxes can do the job well as you defined.
Yizhar
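As an added illustration of the last suggestion above (scoping each branch tunnel's interesting traffic to the Exchange servers rather than to the whole hub LAN), here is a branch-side PIX 6.x-style configuration fragment for one ADSL site with two tunnels, one to each Ethernet hub. It is not from this thread or from any of the posters; the branch LAN 192.168.10.0/24, the hub Exchange hosts 10.1.0.10 and 10.2.0.10, the hub peer addresses 203.0.113.1 and 198.51.100.1, and the ACL and map names are constructed placeholders.

```text
! Branch PIX (PIX 6.x syntax), ADSL site with a fixed public IP.
! Constructed addresses: branch LAN 192.168.10.0/24, Exchange host at
! hub A = 10.1.0.10 (peer 203.0.113.1), at hub B = 10.2.0.10 (peer 198.51.100.1).

! Interesting traffic: branch LAN <-> the two Exchange hosts only.
! The "whole network" alternative would read, for example,
!   access-list to_hubA permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
! and would let a compromised branch reach every host behind hub A.
access-list to_hubA permit ip 192.168.10.0 255.255.255.0 host 10.1.0.10
access-list to_hubB permit ip 192.168.10.0 255.255.255.0 host 10.2.0.10

! Exempt the same flows from NAT so they enter the tunnel untranslated.
access-list nonat permit ip 192.168.10.0 255.255.255.0 host 10.1.0.10
access-list nonat permit ip 192.168.10.0 255.255.255.0 host 10.2.0.10
nat (inside) 0 access-list nonat

! IKE phase 1: pre-shared keys, one distinct key per hub peer.
isakmp enable outside
isakmp key <HUB_A_PSK> address 203.0.113.1 netmask 255.255.255.255
isakmp key <HUB_B_PSK> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2: one crypto map, one entry per hub, each bound to its own ACL.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map branch 10 ipsec-isakmp
crypto map branch 10 match address to_hubA
crypto map branch 10 set peer 203.0.113.1
crypto map branch 10 set transform-set strong
crypto map branch 20 ipsec-isakmp
crypto map branch 20 match address to_hubB
crypto map branch 20 set peer 198.51.100.1
crypto map branch 20 set transform-set strong
crypto map branch interface outside

! Allow decrypted tunnel traffic to bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Each hub needs the mirror-image entry (its Exchange host as the local side, the branch LAN as the remote side) for every branch, so the hub-side crypto map grows by one entry per ADSL site. On the 837 routers chosen for the ADSL sites the commands are IOS rather than PIX syntax, but the same narrow crypto ACL is what limits what a compromised branch can reach.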
04-21-2003 03:57 PM
Thanks very much for your reply Yizhar - however the problem is that where I am (New Zealand), ADSL is different from elsewhere (we use PPPoA with static or dynamic IP address supplied by ISP through a DHCP-type setup, and forced NAT). This makes it hard (and according to some sources impossible) to use VPNs across 501's on an ADSL connection. Which is why I went for the 837's. I need a device with built-in ADSL router...
Sites will have fixed IP, services will be Exchange email, web browsing, remote access for us for troubleshooting purposes...