Cisco Support Community
Community Member

Network Design/VPN Question

I work with a SOHO who would like to provide remote VPN access to a handful of staff and I'm new to VPN configs.

After some research, I thought the PIX 501 would meet their VPN needs, but I'm not sure of the best way to implement it.

The office is connected to the Internet by a Linksys DSL router that currently handles DHCP & firewall services. Web and email traffic to their single static public IP is forwarded to the workgroup server (an OS X server providing file/mail/web) on the inside.

I'd originally planned to simply replace the Linksys device with the PIX and let it handle the DSL connection, DHCP, firewall and VPN, but after doing more reading about configuring the PIX, I'm wondering if that's the best idea.

Is it possible to keep the existing Linksys DSL router in place handling all the existing services and integrate the PIX solely for the VPN? I know I could provide all existing services plus VPN access with another Linksys product, but I need the VPN to be compatible with Mac OS X and that's why I chose the PIX 501 (10 user license).

What I really need are resources to help me decide the best way to deploy the PIX. Should I replace the existing Linksys DSL router (which means I'd have to do some static IP assignments because I have about 14 different devices on the office network, not including any remote VPN clients)? Or can I keep the Linksys in place doing all that it is currently doing and have it do VPN passthrough to the PIX to handle only VPN connections? I understand that I can have the PIX redirect DHCP requests to another device (like the Linksys) to get around the DHCP limitation of the PIX.

Any suggestions or resources to help me would be greatly appreciated. Thanks!

Community Member

Re: Network Design/VPN Question

Why do you use a PIX for the VPN connection? Maybe it's simpler with a Cisco VPN concentrator.

Re: Network Design/VPN Question

A heads-up: the 10 user license has nothing to do with VPN clients. The "user" license is the number of users on the inside network allowed to traverse to the outside network (i.e. the Internet). The VPN client is unlimited for user licenses, but theoretically limited by hardware. You stated you have about 14 devices and if they are all users, you will have to upgrade to a PIX with a 50 user license.

A 50 user PIX501 is $845 list. A Cisco 871 router with firewall IOS is $799. A little cheaper, plus you get better features (I think) like no user restriction, NetFlow, NBAR, more routing protocols, and you still get unlimited VPN!

The router (and the PIX) will be able to support everything you've posted about. I would replace the Linksys completely and just run one router/firewall.

Part#: CISCO871-SEC-K9

Post if you have more questions.

Community Member

Re: Network Design/VPN Question

Thanks for the reply. I've already purchased the PIX 501, so I'm going to try to make that work, but I appreciate the suggestion of the 871 router.

Does the 10 user restriction on the PIX apply to *all* inside clients or just those using DHCP? I actually have 12 client computers inside but wouldn't have a problem statically assigning IPs to a few of them to stay within the 10 user limit if it only applies to DHCP clients.

Re: Network Design/VPN Question

It applies to all devices on the inside, DHCP'd or static. You will have to upgrade the license.

HTH and please rate.
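The two replies above make one point that is easy to get wrong when planning: the "user" license is consumed by distinct inside hosts that send traffic to the outside, and it makes no difference whether a host got its address by DHCP or by static assignment. The script below is an added example (not from the thread or from Cisco) that models this counting against constructed log lines so you can check a host list before buying a license tier. The log format, the `inside:` / `outside:` labels and the simplified "first ten hosts get a slot, later hosts are denied" rule are assumptions of this model, not the PIX's actual syslog format or licensing code; the 10 and 50 user tiers are the ones named in the thread.

```python
"""Model of a per-user firewall license (like the PIX 501's 10-user license
discussed in this thread): every distinct inside host that traverses to the
outside occupies one slot, static or DHCP alike.  Simplified model written for
this example; it is NOT Cisco's implementation and the log format is made up."""
import re

# Assumed log line shape for this example: "inside:<src> -> outside:<dst> ..."
LOG_RE = re.compile(
    r"inside:(?P<src>\d+\.\d+\.\d+\.\d+)\s*->\s*outside:(?P<dst>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: 12 distinct inside hosts (.10 through .21), some of
# them appearing more than once.  Not real PIX output.
SAMPLE_LOG = [
    "inside:192.168.1.10 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.11 -> outside:203.0.113.5 tcp/443",
    "inside:192.168.1.12 -> outside:198.51.100.7 tcp/25",
    "inside:192.168.1.10 -> outside:198.51.100.7 tcp/443",   # repeat host
    "inside:192.168.1.13 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.14 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.15 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.16 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.17 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.18 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.19 -> outside:203.0.113.5 tcp/80",
    "inside:192.168.1.11 -> outside:198.51.100.7 tcp/110",   # repeat host
    "inside:192.168.1.20 -> outside:203.0.113.5 tcp/80",     # 11th host
    "inside:192.168.1.21 -> outside:203.0.113.5 tcp/443",    # 12th host
    "inside:192.168.1.20 -> outside:198.51.100.7 tcp/25",    # repeat, still over
    "some unrelated line that does not match",
]


def parse_flows(lines):
    """Extract (inside_src, outside_dst) pairs; lines that don't match are skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append((m.group("src"), m.group("dst")))
    return flows


def apply_license(flows, limit):
    """Simplified slot model: a new inside host takes a slot if one is free,
    otherwise it is denied.  Returns (licensed_hosts, denied_hosts), each in
    order of first appearance.  Note that address assignment method is not an
    input at all: only the traversing address matters."""
    licensed, denied = [], []
    for src, _dst in flows:
        if src in licensed:
            continue                      # already holds a slot
        if len(licensed) < limit:
            licensed.append(src)
        elif src not in denied:
            denied.append(src)
    return licensed, denied


def required_license(flows, tiers=(10, 50)):
    """Smallest license tier (from the thread: 10 or 50) that covers every
    distinct inside host seen.  Returns None if no listed tier is enough."""
    distinct = {src for src, _dst in flows}
    for tier in tiers:
        if len(distinct) <= tier:
            return tier
    return None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    ok, blocked = apply_license(flows, limit=10)
    print(f"{len(ok)} hosts licensed, {len(blocked)} denied: {blocked}")
    print("tier needed for this host list:", required_license(flows))
```

Run it as-is and the 12-host sample shows the 11th and 12th inside addresses being refused under a 10-user limit while `required_license` reports the 50-user tier; trim the host list to ten or fewer and the same functions report that the base license suffices. To use it on your own office, replace `SAMPLE_LOG` with whatever your current router can export, keeping in mind that remote VPN clients are not part of this count according to the reply above.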
