I'm researching VPNs and looking to begin a VPN. I'm unsure what would be the best approach for a multiple site-to-site solution. Should I go PIX to PIX? VPN Router to PIX? VPN Router to VPN Router? VPN Concentrator? Looking for some suggestions.
I have 32 national business offices, 1100 remote users, and 2 distribution centers. Here's my idea: business offices, remote users, and distribution centers connect into a 7140 router. From there, the router will send remote users to a 3030 Concentrator, or extranet and business office traffic to a PIX 525 firewall. The firewall connects to the internal network. Do I need a 7140 router or will a lesser router work? Please analyze my meager idea and give feedback.
I like the 3030 solution for remote access and business offices. Also, you can define groups and filters to restrict extranet access to a few or a single server. You might look at the 3002 for the business offices tying back to the 3030. The router in front is just functioning as an outer firewall filtering traffic destined for the 3030 in a DMZ and can be a lesser router.
If the business offices use a 3002, I'm assuming I'll need to stick a router in front of that? Maybe a 1700? At our headquarters, then, can I use a 2600? If I have the router and concentrator acting as firewall, do I really need a PIX in there?
The 3002 has Ethernet in and Ethernet out, so all you need is a connection to the Internet, possibly ADSL. Think of the 3002 as a single remote access client. Connect it to an ISP and it accesses the 3030 just like any home user. No additional hardware or software. (My 3002 is on order and I expect it to work this way.)
We use the C1720 VPN Bundle for the remote sites (7, each with 5 or fewer users) to a central C3640. The C1720 VPN bundle has the VPN accelerator module installed. All routers have IP/FW plus IPSEC. All sites use ADSL for Internet, and we have set up multiple point-to-point VPN tunnels on the C3640 and a single VPN tunnel from each of the remote sites. The C3640 also accepts the VPN client for support.
We ran two main sites with a 2501 in front and a 515 Unrestricted bundle, linking between them, plus several software clients around Europe plus a few Cisco 803s.
I generally disagree with everything in one box (router dealing with VPN tunnel termination) because it is a single point of failure (from a security standpoint). The border router can have some filtering in place and then the hard work is done by the firewall. This allows spending less on the router and more on the firewall, where $ are more effective in achieving performance and security (PIX throughput allows almost wire speed on Fast Ethernet), which becomes fundamental if you have (encrypted) streams between DMZs. Hope it helps.
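The "lesser router in front doing only filtering" design that both replies above describe, written out as an added Cisco IOS example (not taken from the thread; the concentrator address 203.0.113.10 and the interface name are constructed placeholders):

```cisco
! Constructed example: outer router in front of a VPN concentrator in a DMZ.
! 203.0.113.10 stands in for the concentrator's public interface.
ip access-list extended OUTSIDE-IN
 ! Drop packets arriving from the Internet with private source addresses
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 ! Only IKE (UDP 500) and ESP may reach the concentrator;
 ! UDP 4500 is needed only if NAT-Traversal is enabled on it
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 ! Everything else toward the DMZ is dropped and logged
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink (placeholder interface name)
 ip access-group OUTSIDE-IN in
```

The list is stateless, so outbound sessions the concentrator itself opens (for example DNS) need their replies permitted separately; the deeper inspection stays on the firewall behind it, as the reply argues.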
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...