I have two routers each connected to two providers (running BGP) providing redundant VPN routes. I also want to add a PIX for security and proxy of internal users. Is the best way... to create a subnet that an Ethernet interface of each BGP router and one from the PIX all connect to? That way no traffic from the VPN hits the production network and is still authenticated through the PIX. This sounds logical and works on paper, but how about real life?
So the outside interface of your PIX will be connected to this new subnet off the two routers? Then when your VPN tunnel terminates on the outside of the PIX, it will then be authenticated to get inside? All users inside will authenticate to get out? It sounds good to me. You'll probably want to use two PIXes in failover for redundancy too.
Yes, it does in real life. Based on your statement you guys are concerned about redundancy. Thus, buying 2 PIXes (one active and another one failover) will suit your "redundant" needs. As a matter of fact, you can get a second box paying only for the hardware, which, depending on the model that you are looking for, is about $2k. Talk to your sales rep. Also, you can have a stateful failover between those PIXes. Actually, it is mostly 66% stateful :) based on Cisco's documentation. On the router you would have to put an ACL letting through the VPN traffic and terminating it on the PIX.
And if you really want to use intrusion detection features on the routers as well as the PIX, instead of buying an expensive IDS solution, you can do that as well. But you have to realise that IDS on the router and on the PIX will eat up resources!
Also, depending on available ports on your router, you may want to purchase a Catalyst switch that would connect the two routers and two PIXes.
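One way to write the router ACL the reply above refers to, as an added example that is not from the original thread: applied inbound on each router's provider-facing interface, it keeps the BGP session up, lets IPsec/IKE reach only the PIX outside address, and drops everything else destined for the transit subnet. The addresses, interface name and BGP neighbour are placeholders, not values from the thread.

```cisco
! Added example, not from the thread. Placeholder addressing (assumed):
!   192.0.2.1        provider A's BGP neighbour address
!   198.51.100.10    PIX outside address on the new transit subnet
!   198.51.100.0/24  transit subnet shared by both routers and the PIX pair
ip access-list extended FROM-PROVIDER-A
 remark -- keep the eBGP session to this router alive
 permit tcp host 192.0.2.1 any eq bgp
 permit tcp host 192.0.2.1 eq bgp any
 remark -- IPsec tunnels may terminate only on the PIX outside interface
 permit udp any host 198.51.100.10 eq isakmp
 permit udp any host 198.51.100.10 eq non500-isakmp
 permit esp any host 198.51.100.10
 permit ahp any host 198.51.100.10
 remark -- return traffic for sessions the PIX proxied out (ACL is stateless)
 permit tcp any 198.51.100.0 0.0.0.255 established
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 remark -- nothing else reaches the transit subnet; log the drops for review
 deny ip any any log
!
interface Serial0/0
 description Link to provider A
 ip access-group FROM-PROVIDER-A in
```

Because an IOS ACL has no state, UDP replies to the PIX (DNS, for example) are not covered by `established`; use reflexive ACL entries or CBAC (`ip inspect`) on the router for those, or let the PIX proxy only TCP. Apply the same list, with its own neighbour address, on the second router's provider link.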
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...