Firewall Wizards mailing list archives
RE: VPN Design - is it possible
From: "Sanford Reed" <sanford.reed () cox net>
Date: Thu, 22 Dec 2005 15:17:46 -0500
If you ASSUME:

1. That each 'Site A' PIX has a different outside address AND
2. They are not configured using the Cisco Fail-over feature

Then there shouldn't be any reason that you couldn't build separate HW-HW VPN tunnels from each remote site PIX. This would be an Admin nightmare though, as each tunnel will have to be built manually from each box, one end-point pair at a time.

Who 'owns' the IP block at 'Site A'? If it is your home company and not the ISP's, then a simpler and more reliable solution might be (although more costly):

1. Install a Router outside of the 'Site A' PIXs. A 2621XM can be bought for about $1500.00 and a VWIC-2MFT-T1-DI (2 - T1 integrated CSUs) for about $250. This leaves room for an additional VWIC card.
2. Upgrade the 'Site A' PIXs to 515Es with Fail-over. The VPN unrestricted can be had for about $4K.
3. Setup BGP Routing between that Router and both ISPs.

You could then connect the 'Site A' PIXs in Fail-over mode and enjoy the same reliability between sites. This Site to Site reliability is really controlled by the Remote Sites, as each only has a single ISP with no backup or fail-over route.

A secondary benefit of this solution is that as you grow at the Home site you can add Internet T1s into the External Router by simply adding VWIC cards.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Julian M D
Sent: Wednesday, December 21, 2005 10:18 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN Design - is it possible

Hi,

I have been given the task to accomplish some kind of failover using PIX firewalls and 2 ISP connections as follows:

Site A - 2 PIX 506E, 2 ISP, 1 LAN
Site B, C, D, E - PIX 501, 1 ISP
Site F - PIX 515, 1 DMZ, 1 ISP

                 ------VPN-------SITE B PIX----------VPN SITE F PIX
SITE A PIX 1    -------VPN-------SITE C PIX----------VPN SITE F PIX
(ISP1)          -------VPN-------SITE D PIX----------VPN SITE F PIX
                 -------VPN-------SITE E PIX----------VPN SITE F PIX

                 ------VPN-------SITE B PIX----------VPN SITE F PIX
SITE A PIX 2    -------VPN-------SITE C PIX----------VPN SITE F PIX
(ISP2)          -------VPN-------SITE D PIX----------VPN SITE F PIX
                 -------VPN-------SITE E PIX----------VPN SITE F PIX

My question is: is it possible to have 2 separate VPN connections to the same SITE (looking from the B, C, D, E point of view - they would see the LAN behind SITE A using 2 separate IPSec tunnels)? Has anyone done or seen anything similar? Do you have a better plan using the given options?

Best regards to all, and Happy "Secure" Holidays Everyone!

Julian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- VPN Design - is it possible Julian M D (Dec 22)
- RE: VPN Design - is it possible Paul Melson (Dec 22)
- RE: VPN Design - is it possible Sanford Reed (Dec 28)
- <Possible follow-ups>
- SV: VPN Design - is it possible Skough Axel U/IT-S (Dec 22)