PIX 501 VPN setup help

dayron
Level 1

I am trying to set up a VPN for my company so we can replicate our SQL db to an affiliate company. I am new to the VPN arena. The affiliate recommended the PIX 501 (they use a PIX 515). I now have the 501 and now I'm wondering if this was the right equipment. Here is my current network setup:

OUTSIDE (legit IP address)

Cisco 1700 router (managed by our ISP. Wants to charge $400 a month to manage our VPN), with NAT enabled.

INSIDE (NAT)

192.168.11.1 (inside of the router) - 254

MS SQL 7.0 server, Exchange server, File-Print server, XP clients

I have assigned the PIX 501 'outside' port 192.168.11.9. I did not plan to use the 'inside' interface. I have had my ISP assign a legitimate IP address to the VPN NAT address. What ports do I need to have opened for the VPN to function?

I basically want all my network to continue using the 1700 router as the default gateway. I want the VPN to be established to the affiliate company and have the SQL server use the VPN for replication and possibly have a few remote users connect into our network via VPN.

Could someone help me with A) Is the 501 the right box for this, and B) configuration considerations I may have overlooked? Do I have to add a second NIC and connect the SQL server to the inside interface of the 501?

Thanks!

3 Replies

p.krane
Level 3

Well the PIX is a stateful packet filter. It expects traffic to flow through it so it can filter accordingly. It will not perform any routing functions or anything off the outside interface. That said, I think you’re going to need to re-think your topology. The PIX should be the final gateway to the Internet for all your internal clients. Then the PIX should gateway at your ISP’s router. You can then set things up for the PIX to terminate the VPN instead of the ISP’s router and then you won’t need their “management” fees. Take a look at the PIX installation guide and other docs for more details.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/

http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Hardware:PIX

I think the PIX is a good choice for you, it just requires a major rethinking of your topology.

Hey. Thanks for your input. I have been reading the docs and am finding all that you said. I am quite new to routing/VPN, so my thinking was if traffic was to pass through the PIX I'd have to have licensing for all clients that passed through it. Anyway...thanks for the info!

wilsc02
Level 1

I don't know if you got all the answers you wanted yet, but you might also try something like their VPN Hardware Client. Again, however, it would be expecting traffic to flow through it. The PIX is the better choice, but you need to be aware of the user limitations on the 501. You get it with either a 10 or 50 user license. If that becomes the main firewall for your company (it doesn't sound like there is a firewall already in place) then you will need to be aware of how many people will be accessing the Internet as well as how many internal addresses are to be accessed in reverse. Those all count towards your license limit, and the PIX grabs them on a first-come first-served basis.