
Thread: Odd Firewall Recommendations Needed.

  1. #1
    Junior Member | Join Date: Jun 2003 | Posts: 9

    Odd Firewall Recommendations Needed.

    Well all, I have one more project I am looking for recommendations for. I need a firewall, priced up to $3500 which will do the following:

    1. Accept two incoming connections (do not need to be physical, I can use a hub).
    2. Can connect each connection to the respective internal network.
    3. VPN Capable.
    4. 5.5 mbps 3DES Throughput minimum.
    5. Does not need outbound traffic load balancing. Primary worry is inbound.

    Basically, I have three networks and several users outside of my primary location (outside = 2/27 [30u], 3/27 [20u], 4/27 [15u] & users; inside = 1/27 [30u] & 5/27 [30u]). Each outside connection has a VPN tunnel to each of the inside connections. The outside units each have a SonicWALL SOHO3. Inside we have two SOHO3s. I primarily want to have better throughput, records and management. The system rarely drops below 3.5 mbps needed throughput.

    I was told using a hub and a Cisco PIX-515E-R would work. I was also told Checkpoint would require an unlimited IP license to do this, pricing it well out of reach. Are there any other options?

    Thanks all!
    NoTx

    -Searching for Answers

  2. #2
    My recommendation would be to get that Cisco router. But instead of using SOHO, set up VLAN connections with your outside sources. This would create better throughput.

    Also, in regards to the firewall: set up an extended ACL (access list) on the router. This proves to be very efficient in most VLAN set-ups.

    Just a suggestion.

    Scat
    If the scatman can do it so can you.
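A concrete version of the extended-ACL suggestion, added here as an illustration and not taken from the thread or from any poster. It assumes a Cisco IOS router on the ISP-facing side of the firewall; 203.0.113.10 stands in for the firewall's public address and 198.51.100.20/.30/.40 for the three remote SOHO3 units (all documentation addresses). The list admits only the IPsec traffic the remote sites need, replies to sessions opened from inside, and the ICMP feedback the stack relies on, then logs everything it drops.

```ios
! Added example (not from the thread). Cisco IOS extended ACL applied
! inbound on the ISP-facing interface. Addresses are constructed placeholders:
!   203.0.113.10              = firewall's public (outside) address
!   198.51.100.20/.30/.40     = the three remote-site SOHO3 units
ip access-list extended FROM-ISP
 remark Drop packets claiming a private source; they cannot arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark IPsec from each remote site to the firewall: IKE (UDP 500) and ESP
 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.20 host 203.0.113.10
 permit udp host 198.51.100.30 host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.30 host 203.0.113.10
 permit udp host 198.51.100.40 host 203.0.113.10 eq isakmp
 permit esp host 198.51.100.40 host 203.0.113.10
 remark Return traffic for TCP sessions and DNS lookups the inside opened
 permit tcp any host 203.0.113.10 established
 permit udp any eq domain host 203.0.113.10
 remark Reachability and path-MTU feedback only; no echo requests from outside
 permit icmp any host 203.0.113.10 unreachable
 permit icmp any host 203.0.113.10 echo-reply
 remark Everything else is dropped and logged for review
 deny   ip any any log
!
interface Serial0/0
 description link to the ISP
 ip access-group FROM-ISP in
```

The `established` keyword only checks the ACK/RST bits, so this list is a coarse outer layer rather than a stateful firewall; the PIX or SonicWALL behind it still does connection tracking. The `log` keyword on the final deny is what gives the "records" the original question asked for; watch the log volume, since it counts against the router's CPU on a busy link.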

  3. #3
    AO Veteran NeuTron | Join Date: Apr 2003 | Posts: 550
    Originally posted here by Scatman420
    My recommendation would be to get that Cisco router. But instead of using SOHO, set up VLAN connections with your outside sources. This would create better throughput.

    Also, in regards to the firewall: set up an extended ACL (access list) on the router. This proves to be very efficient in most VLAN set-ups.

    Just a suggestion.

    Scat
    He needs a firewall, not a router. And you can't set up VLANs on a router to my knowledge, they are configured on switches. NoTx- I'm trying to remember the name of a company that makes a product that should suit your needs. I'll get back to you on it.
    -NeuTron

  4. #4
    Junior Member | Join Date: Jun 2003 | Posts: 9
    Originally posted here by Scatman420
    My recommendation would be to get that Cisco router. But instead of using SOHO, set up VLAN connections with your outside sources. This would create better throughput.

    Also, in regards to the firewall: set up an extended ACL (access list) on the router. This proves to be very efficient in most VLAN set-ups.

    Scat
    Ok. You lost me. What router? And how do you set up a VLAN to remote locations bypassing their firewalls?

    Please explain.
    NoTx

    -Searching for Answers

  5. #5
    Senior Member | Join Date: May 2003 | Posts: 115
    We're currently using a Cisco 515 with our Cisco VPN 3xxx. Works beautifully and very affordable, around your price range. The 515 has 3 int: int/ext/dmz; obviously the DMZ is where the VPN is.

    -w0rm3y

  6. #6
    Junior Member | Join Date: Jun 2003 | Posts: 9
    Will the 515 really accept (via hub) two separate connections to the internet (separate WAN connections)? As I have been told?
    NoTx

    -Searching for Answers

  7. #7
    Priapistic Monk KorpDeath | Join Date: Dec 2001 | Posts: 2,628
    Here's the 515 manuals. http://www.cisco.com/en/US/products/...ides_list.html

    Good luck.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #8
    Senior Member | Join Date: Jan 2002 | Posts: 458
    Originally posted here by NoTx
    Will the 515 really accept (via hub) two separate connections to the internet (separate WAN connections)? As I have been told?
    You can certainly connect multiple WAN connections with the use of a hub or switch, but the bigger question is how the Internet connections will be used. Are they both going to remain active simultaneously? If so, you will have trouble with routing because you have no way to distinguish one default routing path from another. The solution to this is to use BGP, but it doesn't sound to me like this is the case. If they are simply for redundancy purposes, you could certainly use weighted statics to get the job done. Also, if these are strictly for VPN connectivity, you should be OK as well.

    As far as a recommendation, it really depends much on how much you plan on managing this firewall. If your config will be fairly static, I would suggest the PIX-515. However, if you plan on having complex policies or a very dynamic rulebase, the Checkpoint solution is definitely the way to go. IMHO if you can afford it, Checkpoint is the better solution all-around because of some of its optional features that can be expanded, such as SecureClient for VPNs, which allows you to manage and enforce a personal FW policy on the remote user's side. Checkpoint can definitely get a little expensive though depending on the environment. The beauty of it is that CP runs very well on Linux, so you have a very cheap hardware solution, and can just worry about the FW licensing.

    CP licenses their software based on the number of protected hosts, or in other words the number of IP addresses on your network. If it is more than 250, I think you are forced to go with an unlimited license.

    Good Luck!!

  9. #9
    Junior Member | Join Date: Jun 2003 | Posts: 9
    You can certainly connect multiple WAN connections with the use of a hub or switch, but the bigger question is how the Internet connections will be used. Are they both going to remain active simultaneously? If so, you will have trouble with routing because you have no way to distinguish one default routing path from another. The solution to this is to use BGP, but it doesn't sound to me like this is the case. If they are simply for redundancy purposes, you could certainly use weighted statics to get the job done. Also, if these are strictly for VPN connectivity, you should be OK as well.
    I have one subnet using one and another subnet using the other (1/27 and 5/27). These are full time active, each at 2.5 mbps. A VPN connection is being sent to each subnet currently, would need that to remain the case.

    CP licenses their software based on the number of protected hosts, or in other words the number of IP addresses on your network. If it is more than 250, I think you are forced to go with an unlimited license.
    It is for an office with 5 servers and 30 users. However, I was told by Checkpoint reps that because of using two external IPs I would require an Unlimited IP license... which costs more than all the machines in the office combined.

    So there should be no problem doing this with the 515, though? Thanks for all your help!
    NoTx

    -Searching for Answers
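The two routing cases raised in post #8 (weighted static defaults for redundancy, and the problem of two active default paths) and the arrangement NoTx describes in post #9 (one subnet on each link, both links live) can be shown in one router configuration. This is an added example, not from the thread or any poster. It assumes a single Cisco IOS edge router with two serial WAN links in front of the PIX, with placeholder addressing: 10.0.1.0/27 and 10.0.5.0/27 stand in for the "1/27" and "5/27" subnets, 192.0.2.0/30 and 198.51.100.0/30 for the ISP links, and 10.0.0.0/24 for the segment between router and PIX. It also assumes the PIX passes the two /27s through untranslated, so the router can route on their source addresses.

```ios
! Added example (not from the thread). One Cisco IOS router, two WAN links,
! sitting between the Internet and the PIX. Placeholder addressing, substitute
! the real ISP-assigned blocks:
!   Serial0/0  192.0.2.2/30     to ISP-A, intended for the "1/27" subnet
!   Serial0/1  198.51.100.2/30  to ISP-B, intended for the "5/27" subnet
!   FastEthernet0/0 10.0.0.1/24 transit segment to the PIX outside (10.0.0.2)
!   10.0.1.0/27 and 10.0.5.0/27 stand in for the two inside subnets
interface Serial0/0
 description ISP-A
 ip address 192.0.2.2 255.255.255.252
!
interface Serial0/1
 description ISP-B
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description towards the PIX outside interface
 ip address 10.0.0.1 255.255.255.0
 ip policy route-map SPLIT-WAN
!
! Weighted ("floating") static defaults. The second route carries an
! administrative distance of 200, so it stays out of the routing table until
! the ISP-A route disappears (e.g. Serial0/0 goes down). On its own this is
! the redundancy case from post #8: exactly one default route is active.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200
!
! Return routes to the inside subnets behind the PIX.
ip route 10.0.1.0 255.255.255.224 10.0.0.2
ip route 10.0.5.0 255.255.255.224 10.0.0.2
!
! Policy-based routing keeps both links active without BGP: packets whose
! source is in the 5/27 subnet go to ISP-B whenever the default route would
! otherwise apply. "default next-hop" leaves explicit routes untouched.
! Everything else follows the routing table, i.e. ISP-A while it is up.
access-list 5 permit 10.0.5.0 0.0.0.31
!
route-map SPLIT-WAN permit 10
 match ip address 5
 set ip default next-hop 198.51.100.1
!
route-map SPLIT-WAN permit 20
```

Inbound needs no BGP in this layout because each ISP already routes the block it assigned down its own link; BGP becomes necessary only when one address block must be reachable through both ISPs, which is the case post #8 has in mind. Check the policy decisions with `show route-map SPLIT-WAN` (match counters) and, briefly, `debug ip policy` on a quiet router.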

  10. #10
    Member | Join Date: Jun 2002 | Posts: 44
    NoTx....here's my recommendation...I'm assuming that your internet connections are dedicated serial connections, not DSL or Cable. If this is the case, then get rid of all the SOHO equipment. Get yourself a Cisco 2600 and purchase 2 WIC cards to be added into the 2600. You can run static routes to prioritize your outbound traffic and use BGP for your inbound traffic.
    Then purchase a Cisco PIX 515 to handle your security and VPN connections.

    If you are looking more for redundancy of hardware, you can purchase 2 Cisco 1700s, a hub, and a Cisco PIX. Again you will have to purchase the 2 WIC cards (one for each router), configure both of them for HSRP and BGP. The HSRP can monitor your main connection and if it goes down, or if the router crashes, the PIX will redirect packets to the secondary router. Here are some links for you.

    Connect one router to multiple ISPs (not load sharing)

    Load Sharing over one router to multiple ISPs


    Use HSRP to provide redundancy of Multihomed network
    Os1LaYr5
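The redundant design in the post above (two 1700-class routers, a hub, HSRP with interface tracking, eBGP to each ISP) as an added example; it is not from the thread or any poster. The PIX keeps a single default route to the HSRP virtual address, and the routers decide between themselves which one owns that address, so nothing on the PIX changes during a failover. Placeholder values, all from the documentation ranges: 203.0.113.0/24 as the site's public block, AS 64496 as the site's ASN, AS 64500 and 64501 as the ISPs, 10.0.0.0/24 as the shared segment with the PIX outside at 10.0.0.10.

```ios
! Added example (not from the thread). Two Cisco 1700-class routers sharing
! an Ethernet segment (the hub) with the PIX. Placeholder addressing:
!   Router A: Serial0 192.0.2.2/30 to ISP-A;    FastEthernet0 10.0.0.2/24
!   Router B: Serial0 198.51.100.2/30 to ISP-B; FastEthernet0 10.0.0.3/24
!   HSRP virtual gateway 10.0.0.1; PIX outside interface 10.0.0.10
!   203.0.113.0/24 site block, AS 64496 site, AS 64500/64501 the ISPs
!
! ===== Router A (preferred path) =====
hostname rtr-a
!
interface Serial0
 description ISP-A
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0
 description shared segment with router B and the PIX
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ! If Serial0 goes down the priority drops by 20 to 90, below router B's
 ! default of 100, so B takes over the virtual address. A crash of A is
 ! covered anyway: B stops hearing hellos and becomes active.
 standby 1 track Serial0 20
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64500
!
! The network statement needs a matching route; the block lives behind the PIX.
ip route 203.0.113.0 255.255.255.0 10.0.0.10
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ===== Router B (standby path) =====
hostname rtr-b
!
interface Serial0
 description ISP-B
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0
 description shared segment with router A and the PIX
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 preempt
 standby 1 track Serial0 20
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64501
!
ip route 203.0.113.0 255.255.255.0 10.0.0.10
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ===== PIX side (PIX 6.x syntax): default route to the HSRP address =====
! route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

Both ISPs have to agree to accept the same announcement for inbound to survive a link failure; that is the piece the thread summarises as "BGP for your inbound". HSRP hellos travel over the shared segment, so the hub itself is a single point of failure here, which is worth weighing against a second hub or a small switch. Verify the state with `show standby brief` on both routers and `show ip bgp summary` for the peerings.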
