Cisco Support Community

New Member

VPN design with Firewall

I am in the process of setting up 3 branch sites to one headend site with a Hub and Spoke design. All spoke sites will communicate with each other as well as Internet access through the Hub site via a 1721 router at the Hub. All VPNs will terminate on the S0 int of the 1721. Then if they want Hub LAN access they will continue through fa0. If the hub sites want Internet access, they will redirect off the S0 and out the T1. I have a Pix 515 that I would like to implement in the design. The only thing is I only have the 1721 router and one T1 to the Internet from the S0 of the 1721. If I put the Pix behind the router, the Hub LAN will have to go through the firewall for Internet as well as VPN traffic, which is fine. But the Hub Sites coming in with Internet bound traffic will not pass through the PIX. I would like to put the Pix in front of the router like in the following diagram:

Internet -> Pix -> 1721 VPN router -> Hub LAN.

This would be fine because Internet bound traffic from the Spokes would redirect off of the S0 of the 1721, and then pass through the Pix ACLs before getting to the Internet. The only problem is that there is not a T1 CSU/DSU card for the Pix.

Question - Does anyone have a suggestion of how I can accomplish all Internet bound traffic to pass through the Pix with only my one T1, VPN router, and Pix?



  • Other Security Subjects
New Member

Re: VPN design with Firewall

In regards to my above scenario, is it possible to terminate the T1 with an external CSU/DSU and then run CAT5 from the CSU/DSU to the firewall? Is this an option so I can keep the Pix in front of the VPN router?


