Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1000
Views
13
Helpful
3
Replies

IPVPN Implementation

vipinrajrc
Level 3
Level 3

‎09-25-2011 07:28 PM - edited ‎03-04-2019 01:43 PM

Hi Experts,

I need to implemet an IP VPN in one of my clients.

Currently they have a PIX firewall. Its software version is too old, that not even support TAB key.

It has two interfaces one is inside and other is outside. I have attached a sample figure alog with this post. please see it.

Clinet requirement is to implement multiple S2SVPN to different branches they have. They are going to purchase a 2800 router with security bundle.

my doubt is like where i need to put this 2800 router?? PIX cannot be removed.

My opinion is given below. Please advice

===============================

1) infornt of PIX, directly facing to internet

===============================

a )   In this case i need to put a public IP in the interface that is connected to the pix, right??

b)   Can i use 2800 as VPN termination end?

c)  Will 2800 support failover mechnism for multiple ISP.

This 2800ISR mainly using for VOIP traffic or something

=============================

2) Back of PIX ( ot the inside interface)

=============================

a) I need to change the gateway as this, right?

b ) Can i use 2800 as VPN termination end? , will PIX passthrough IPSEC traffic?? do i need to configure anything more?

Thanks

Vipin

Thanks and Regards, Vipin
Labels:
Preview file
862 KB
0 Helpful
3 Replies 3

Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-25-2011 11:15 PM

well it is better and recommended to have the router facing the WAN/Internet and the Firewall/PIX behind it which will give you to layer of security

in the router terminate the VPN tunnel/connections and in the firewall you can inspect and do packet filtering as the VPN traffic will pass through the firewall as unencrypted ( decrypted at the router termination point )

also the router can give you more flexibility if you planing to add more remote sites with routers in hub and spoke topology runing DMVPN with multipoint GRE tunnels and IPSEC encryption as future option too

router can Handel QoS and differnt WAN/Internet links batter than firewall

also if there is any plan to add additional Internet link the router can perform policy based routing and load balancing over to differnt links better than a firewall

Hope this help

if helpful Rate

shehinpm1
Level 1
Level 1
In response to Marwan ALshawi

‎09-26-2011 02:34 AM

Hi marvan,

i may also configure almost same scenarion later,so can u just paste a sample configuration of site 2 mulitsite vpn or  DMVPN for quick configuration understanding,i have some documents but if i get some live config will be so helpfull.

i worked only in MPLS L3 vpn enviorment.

Thx in advance.

0 Helpful
Customers Also Viewed These Support Documents