Cisco Support Community
Community Member

VPN and PIX design

I have two routers each connected to two providers (running BGP) providing redundant VPN routes. I also want to add a PIX for security and proxy of internal users. Is the best way to create a subnet that an ethernet interface of each BGP router and one from the PIX all connect to? That way no traffic from the VPN hits the production network and is still authenticated through the PIX. This sounds logical and works on paper, but how about real life?

PS I have read the VPN primer whitepaper.


Re: VPN and PIX design

So the outside interface of your PIX will be connected to this new subnet off the two routers? Then when your VPN tunnel terminates on the outside of the PIX, it will then be authenticated to get inside? All users inside will authenticate to get out? It sounds good to me. You'll probably want to use two PIXes in failover for redundancy too.

Community Member

Re: VPN and PIX design

Yes, it does in real life. Based on your statement you guys are concerned about redundancy. Thus, buying 2 PIXes (one active and another one failover) will suit your "redundant" needs. As a matter of fact, you can get a second box paying only for the hardware; depending on the model that you are looking for it is about $2k. Talk to your sales rep. Also, you can have a stateful failover between those PIXes. Actually, it is mostly 66% stateful :) based on Cisco's documentation. On the router you would have to put an ACL letting through the VPN traffic and terminating it on the PIX.

And if you really want to use intrusion detection features on the routers as well as the PIX, instead of buying an expensive IDS solution, you can do that as well. But you have to realise that IDS on the router and on the PIX will eat up resources!

Also, depending on available ports on your router, you may want to purchase a cat that would connect the two routers and two PIXes.
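As an added illustration of the router ACL mentioned above (not configuration from the original thread or from Cisco), this IOS fragment only admits IKE, NAT-T and ESP from the Internet to the PIX outside address on the shared subnet and logs everything else. The addresses, interface names and ACL number are assumptions for the example.

```cisco
! Assumed: Serial0/0 faces the provider, 192.0.2.10 is the PIX outside address.
! Only IPsec control and data traffic may enter the subnet; nothing else reaches
! the PIX outside interface, and no inbound traffic is allowed to bypass the PIX.
ip access-list extended VPN-IN
 remark IKE (ISAKMP) to the PIX outside interface
 permit udp any host 192.0.2.10 eq isakmp
 remark IKE NAT traversal, if remote peers sit behind NAT
 permit udp any host 192.0.2.10 eq 4500
 remark ESP payload of the established tunnels
 permit esp any host 192.0.2.10
 remark BGP sessions with the directly connected provider peer (assumed address)
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark Drop and log everything else; review these logs for unexpected sources
 deny ip any any log
!
interface Serial0/0
 ip access-group VPN-IN in
```

With two routers, apply the same list on each provider-facing interface so the policy does not depend on which path the return traffic takes; the PIX itself still enforces authentication for both the tunnel users and the internal users going out.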

Community Member

Re: VPN and PIX design

It works in real life
