Firewall Wizards mailing list archives

RE: VPN Design - is it possible

From: "Sanford Reed" <sanford.reed () cox net>
Date: Thu, 22 Dec 2005 15:17:46 -0500

If you ASSUME:

1. That each 'Site A' PIX has a different out side address 
AND 
2. They are not configured using the Cisco Fail-over feature 

Then there shouldn't be any reason that you couldn't build separate HW-HW
VPN tunnels from each remote site PIX. This would be an Admin nightmare
though as each tunnel will have to be built manually from each box one
end-point pair at a time.

Who 'owns' the IP block at 'Site A'? If it is your home company and not the
ISPs then a simpler and more reliable solution might be (all though more
costly):

1. Install a Router outside of the 'Site A' PIXs. A 2621Xm can be bought for
about $1500.00 and a VWIC-2MFT-T1-D1 (2 - T1 integrated CSUs) for about
$250. This leaves room for and additional VWIC card.
2. Upgrade the 'Site A' PIXs to 515Es with Fail-over. The VPN unrestricted
can be had for about $4K 
3. Setup BGP Routing between that Router and both ISPs. 

You could than connect the 'Site A' PIXs in- Fail-over mode and enjoy the
same reliability between sites. This Site to Site reliability is real
controlled by the Remote Sites as each only has a single ISP with no backup
or fail-over route. A secondary benefit of this solution is that as you grow
at the Home site you can add Internet T1s into the External Router by simply
adding VWIC cards



-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Julian M D
Sent: Wednesday, December 21, 2005 10:18 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN Design - is it possible

Hi,

I have been given the task to accomplish some kind of failover using
PIX firewall and 2 ISP's connections as follows:

Site A - 2 PIX 506E , 2ISP - 1LAN
Site B, C, D, E, PIX 501 , 1ISP
Site F - PIX 515, 1DMZ, 1ISP

                    ------VPN -------SITE B PIX----------VPN SITE F PIX
SITE A PIX 1 -------VPN--------SITE C PIX----------VPN SITE F PIX
     (ISP1)     -------VPN--------SITE D PIX----------VPN SITE F PIX
                   -------VPN--------SITE E PIX----------VPN SITE F PIX

                   ------VPN -------SITE B PIX ----------VPN SITE F PIX
SITE A PIX 2-------VPN--------SITE C PIX----------VPN SITE F PIX
     (ISP2)     -------VPN--------SITE D PIX----------VPN SITE F PIX
                   -------VPN--------SITE E PIX----------VPN SITE F PIX

My question is : is it possible to have 2 separate VPN connection to
the same SITE ( looking from B,C,D,E point of view - they would see
the LAN behind SITE A using 2 separate IPSec tunnels)? Has anyone done
or seen anything similar? Do you have a better plan using the given,
options??

Best regards to all, and Happy "Secure" Holidays Everyone!

Julian
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

VPN Design - is it possible Julian M D (Dec 22)
- RE: VPN Design - is it possible Paul Melson (Dec 22)
- RE: VPN Design - is it possible Sanford Reed (Dec 28)
- <Possible follow-ups>
- SV: VPN Design - is it possible Skough Axel U/IT-S (Dec 22)