Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX/Network Design Question

My company has a main office and 4 branch sites.

Currently we have 1 T1 connection to the Internet at corporate, and DSL connections at the branches. We are intending to upgrade the DSL connections to T1's and add VPN networking to each site using PIX's. Our initial estimates suggest that we'll need more than a T1's bandwidth to aggregate the remote sites and handle our general Internet traffic. We've decided that we'll get another T1 at corporate, however, our existing provider will not offer BGP, nor do we want to use them (in long term/unbreakable contract). So we'll end up with 2 T1's, and 2 seperate public IP networks. Here's my options as I see it.

1. Get a single, 3 interface PIX at corporate, utilizing 1 interface for general default Internet traffic (the outside interface), 1 interface for VPN traffic, and the last interface for the inside.


2. My second option is to install dual PIX's. One to handle all of my Internet traffic, and the other to handle the VPN traffic. The problem I see here is that I will need a router in house as a Default Gateway that can send the outbound traffic to the appropriate PIX.

Any thoughts on how you would do it?

All input would be greatly appreciated.



New Member

Re: PIX/Network Design Question

About network design consideration. You should evaluate your needs before... not choose the solution. Buying more bandwith is a solution, not your need. Do you really need more bandwith? Maybe, maybe not. Before buying more bandwith, look to manage your trafic, it's less expensive. (with a box like Packeteer) If you carefully manage your trafic and you are sure you need more bandwith, you have many solutions: an other T1 (as you suggest), replace actual pipe with a 10 Mbps or more, buy from one or many provider. If you need "high availability", you can look for different providers but you can have many links with the same provider in a HA configuration, yes it's possible. My preference is to have only one provider for all sites. In that case, you bypass the so frequent Internet bottleneck because ISP generally don't suffer bottleneck within their own network. And also, it's more secure for your internal communication. For instance, you can configure IP TTL to 5 or 6 hops just enough to join each sites within the same provider. Another advantage: if you have communication problems, you know where to knock. Choose a very good provider, not the cheapest, and sign only a 1 year contract. My suggestion: begin with a Packeteer and keep your actual T1 in your main site, this box will serve you with a T1, a 10 Mbps and even a 100 Mbps Internet access then it's a very good investment. Shape your trafic and analyze the situation.

Best regards


New Member

Re: PIX/Network Design Question


First, I would look at a single PIX (either 515 or 525), and also install Cisco VPN Concentrator 3015 or 3030 at the central site, and put either 3005 VPN Hardware Clients or perhaps a 1700 or 2600 series router(s) with VPN/FW feature set at the branches.

There's a bunch of different ways to go with it, but those are a couple ideas. I can't see a need for two separate PIXs, unless you want to set them up in the failover configuration...

Another thing I would do is have the two internet T1s terminated on a 2600 router just outside of your PIX, and run the 2600's ethernet into the PIX, or create a DMZ between the PIX and the 2600. It sounds like your stuck with your current ISP, but I would try my hardest to build in some fault tolerance, by buying the second T1 from a totally different provider, hopefully fed from a totally different CO and upstream provider(s) than the original ISP comes from. This way, you can weather an outage at either CO, or either carrier, or even a sudden termination of the contract, and still have the other one operational...

If you're really stuck with the contract on your current ISP, that's the direction I'd go: Get the second T1 from another provider. This has the added benefit of not letting the ISP benefit from the long term contract by getting more business because of it.

I wouldn't buy a PIX for the VPN and separate one for the Internet, if you're really wanting to buy a second box, go with the VPN Concentrator. But be sure to attach both to the DMZ so they can benefit from the dual-homed internet.

You also don't need BGP for anything, it being a private network. I would also not separate the VPN from the Internet traffic, as you are evidentally headed into a dual-homed internet feed, you'd also be most of the way to having redundant feeds for both internet and VPN. It would be a shame to go all that way, and then deny yourself the benefit of that fault tolerance.

Another thing to try, rather than upgrade your internet pipe is to try reducing the general internet traffic by installing some web cache appliances, like the Cisco Content Engines. Certainly the central site would be the first place to install one. Depending on your traffic flow, a smaller cache at the branches may help. You can use Cisco's WCCP or Layer 4 protocols to redirect web traffic to the caches. This may reduce internet traffic enough to eliminate the need for the second internet link altogether.

Finally, are the branch DSL links from the same provider as the long term contract ISP? Are these DSL links internet links or private network links? If they are not from the same provider, you may want to just get dedicated T1's to the central site from each branch and install a four port router (maybe a 2600 or 3600) at the central site to run the branch offices from that facility. Then you don't have to sweat the complexity of a VPN and just stay with classic leased line technology. Keep in mind that VPN is a native IP service. If you ever want to run other protocols across these links, like IPX, Appletalk, etc, you'll need to get into added complexities of GRE tunnels to get that traffic encapsulated in IP. You'll need to have some pretty beefy boxes to do all that at T1 speeds if you end up in that situation.

That was alot, hope it all made sense. If you want to discuss offline at all, my email is:

New Member

Re: PIX/Network Design Question


I think, you can hv a single PIX + one (or) two

routers with policy based routing (to route vpn

traffic thru one link (or) to a particular next hop address) configured on the PIX default

gateway router.


You can hv the perimeter router perform the load

balancing. Just go thru the following link

New Member

Re: PIX/Network Design Question


This is a typical setup for a full IPSec VPN mesh using PIX's. With the latest PIX code you can setup Lan-to-Lan VPNs and only the traffic to and from the sites will be encrypted so as far as bandwith limitations I don't know if you will have a problem there. I have set up an almost identical solution and it is working very nice. I have even setup up remote access VPN with the Cisco unity client for road warriors on some of these sites. This solution requires no extra concentrator as the pix can handle everything. You'll be suprised at the amount of processing these PIX's can handle. As far as BGP is concerned it is a non issue since your networks are stub networks. This can all take place on just 2 interfaces on these boxes need for a third unless you have requirements for a DMZ. Feel free to email me if you have any personal questions

Good Luck.


New Member

Re: PIX/Network Design Question

I am sure you can get away with one PIX firewall. A second one is a big drain on cost. The question I have is do you need another IP block? If what you need is more bandwidth can you provider not provide you with a multiplexed set of T1's or move you to a LAN extension technology using the block you are already on? It might give you the chance to renegogtiate that contract!!!

CreatePlease to create content