Firewalling mixed environment with ADSL: doing it right?

gspark (Level 1)

Scenario: the customer has eight sites, two of which are on an Ethernet-type broadband connection (this is a locally provided service, with the router fully transparent on the ISP side: you just plug an RJ45 into a socket and you are on the Net with a public IP address); the other six sites are on ADSL. At present there is no connectivity between the sites (no VPNs or anything). All sites are small (between 5 and 25 users each). In the future, more ADSL sites may be added. The two Ethernet sites have the main mail servers (Exchange), using XOSoft WANSync Exchange for replication (this product basically syncs the servers continuously across the WAN link).

The idea is:

The sites on ADSL will each be connected to the two Ethernet sites (each ADSL site will have two VPNs: one to each of the Ethernet sites). The Ethernet sites will have a VPN between them, plus the VPNs to all of the ADSL sites. In other words: each ADSL site has two VPNs, and each Ethernet site has seven VPNs at this stage (and may have more later).

To do this, I am looking at getting 837s for each of the ADSL sites, a 501 for one of the Ethernet sites and a 515E for the other Ethernet site. My question: would there be any likely issues with this? Many thanks in advance!

GS

2 Replies

yizhar (Level 1)

Hi.

> I am looking at getting 837's for each of the ADSL sites

I would go with a PIX 501 for the remote ADSL sites. It seems to me more suitable for the job.

If you place a router as the VPN endpoint, there is a higher risk of the router being compromised (relative to a PIX), and from there an attacker has access to all the other networks.

The PIX has PPPoE support for ADSL, so you do not need a router, only a compatible ADSL modem.

> ... and a 501 for one of the ethernet sites

The PIX 501 supports a limited number of VPN tunnels and might be too "small" for the job. I would place a PIX 506 or 515 there.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

Will the ADSL sites have a static fixed public IP address?

What services are you planning to provide via the VPN?

You can consider limiting VPN traffic, allowing traffic from the smaller branches only to the mail servers and not to the whole network.

In general, the PIX boxes can do the job well as you have defined it.

Yizhar

Thanks very much for your reply Yizhar; however, the problem is that where I am (New Zealand), ADSL is different from elsewhere (we use PPPoA, with a static or dynamic IP address supplied by the ISP through a DHCP-type setup, and forced NAT). This makes it hard (and according to some sources impossible) to use VPNs across 501s on an ADSL connection, which is why I went for the 837s. I need a device with a built-in ADSL router...

Sites will have fixed IPs; services will be Exchange email, web browsing, and remote access for us for troubleshooting purposes...
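A worked example of the restricted-tunnel design Yizhar suggests, on the hardware the thread settles on: an 837 at an ADSL branch over PPPoA with a fixed public IP, and a PIX 515E at one of the Ethernet sites. This is an added example written for this page, not configuration posted by either participant. Every address, name and key is an assumption: branch LAN 192.168.10.0/24, Exchange servers 10.1.1.5 and 10.2.1.5, an admin workstation 10.1.1.10 at Ethernet site 1, Ethernet-site public addresses 203.0.113.10 and 203.0.113.20, branch public address 198.51.100.10, PVC 0/100 and CHAP credentials as the ISP would supply them. Syntax is IOS 12.3-era for the 837 and PIX 6.3 for the 515E; comments are `!` lines on IOS and `:` lines on the PIX. Only the PIX side of the branch-to-site-1 tunnel is shown; site 2 is the same with its own addresses. It goes one step beyond the thread by also locking router management down to the head-office admin host, which is the "router as VPN endpoint" exposure Yizhar raises.

```text
! ===== Branch 837 (ADSL site, PPPoA, static public IP from the ISP) =====
! All addresses, names and keys are assumed for this example.
!
! Phase 1: one pre-shared key per peer (the two Ethernet sites).
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key BRANCH-A-SITE1-KEY address 203.0.113.10
crypto isakmp key BRANCH-A-SITE2-KEY address 203.0.113.20
!
! Phase 2: ESP with 3DES/SHA-1, the strongest this generation of hardware offers.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Crypto ACLs: only branch LAN <-> each Exchange server (and the router itself
! <-> the admin host) is "interesting" traffic. Nothing else can cross the tunnel,
! so a compromised branch router gets no path to the rest of the head-office LANs.
ip access-list extended VPN-TO-SITE1
 permit ip 192.168.10.0 0.0.0.255 host 10.1.1.5
 permit ip host 192.168.10.1 host 10.1.1.10
ip access-list extended VPN-TO-SITE2
 permit ip 192.168.10.0 0.0.0.255 host 10.2.1.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set STRONG
 match address VPN-TO-SITE1
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set STRONG
 match address VPN-TO-SITE2
!
! NAT runs before IPsec on the way out, so LAN traffic bound for the tunnel must
! be exempted from PAT or it will never match the crypto ACLs.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.10.0 0.0.0.255 host 10.1.1.5
 deny   ip 192.168.10.0 0.0.0.255 host 10.2.1.5
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface Dialer0 overload
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface ATM0
 no ip address
 dsl operating-mode auto
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname branch-a@isp.example
 ppp chap password 0 ISP-PASSWORD
 crypto map VPN
!
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Management: SSH only, and only from the admin host over the tunnel.
! (Run "crypto key generate rsa" once from exec mode before enabling SSH.)
no ip http server
ip domain-name example.invalid
access-list 10 permit host 10.1.1.10
line vty 0 4
 access-class 10 in
 transport input ssh

: ===== Ethernet site 1, PIX 515E: mirror image of crypto map entry 10 =====
: PIX ACLs take ordinary subnet masks, not IOS wildcard masks.
access-list VPN-BRANCH-A permit ip host 10.1.1.5 192.168.10.0 255.255.255.0
access-list VPN-BRANCH-A permit ip host 10.1.1.10 host 192.168.10.1
: One NONAT list per interface: add lines for each branch as sites are added.
access-list NONAT permit ip host 10.1.1.5 192.168.10.0 255.255.255.0
access-list NONAT permit ip host 10.1.1.10 host 192.168.10.1
nat (inside) 0 access-list NONAT
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN-BRANCH-A
crypto map VPN 10 set peer 198.51.100.10
crypto map VPN 10 set transform-set STRONG
crypto map VPN interface outside
isakmp enable outside
isakmp key BRANCH-A-SITE1-KEY address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
sysopt connection permit-ipsec
```

Two checks worth doing once this is up. First, `show crypto ipsec sa` on the 837 should list exactly the host-scoped proxy identities above and nothing broader; if a branch workstation can reach anything at head office other than the Exchange server, the crypto ACL and its PIX mirror have drifted apart. Second, the "forced NAT" the original poster mentions matters: if the ISP's setup really puts a NAT device between the 837 and the Internet rather than handing the router a public address on Dialer0, plain ESP will not survive the translation and both ends need NAT traversal (UDP 4500), which IOS has from 12.2(13)T and the PIX from 6.3 (`isakmp nat-traversal`). With a genuinely public address negotiated on Dialer0, as the thread assumes, the configuration above needs no NAT-T.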