RE: [fw-wiz] How AAA in PIX Firewall ?
From: Wes Noonan (mailinglists_at_wjnconsulting.com)
To: "'Adel Guia Cruz'" <firstname.lastname@example.org>, <email@example.com>
Date: Wed, 3 Dec 2003 20:03:57 -0600
1) Not necessarily. You could go Netopia or something similar for the remote
sites. If not, the cost of 15 PIX 501's would be somewhere in the $6000-7000
range which is about $3000 more give or take what a 515E-UR would cost.
2) I would recommend setting up a content filtering server as that sounds
more in line with what you really need. PIX supports Websense and N2H2 for
Don't sweat the English. It's better than my Spanish. :-)
> -----Original Message-----
> From: Adel Guia Cruz [mailto:firstname.lastname@example.org]
> Sent: Wednesday, December 03, 2003 17:51
> To: email@example.com; 'Adel Guia Cruz'; firewall-
> Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
> 1) The problem with using site-to-site VPN is that I need to buy 1 PIX
> per remote office (total of 15 PIX 501) and this is more expensive than
> individual VPN, or not?
> 2) I need AAA for controlling users' access to the Internet. My network is
> Microsoft Windows Network with 2 Domain Controllers and I need to
> authenticate, filter URL and log the activity of the user that will use
> through the PIX. How can I do that? I know that RADIUS server
> software exists, but the problem is if they do that, and what of this SERVER do
> In case of controlling remote access to the firewall I only need
> Thanks and I'm sorry because my English is not good, my native language
> -----Original Message-----
> From: Wes Noonan [mailto:firstname.lastname@example.org]
> Sent: Wednesday, December 03, 2003 14:55
> To: 'Adel Guia Cruz'; email@example.com
> Subject: RE: [fw-wiz] How AAA in PIX Firewall ?
> 1) The PIX 506 should work fine, as long as you don't need more than 2
> interfaces, failover or more than 25 VPN peers. You mention that you need
> 75, but you might be better served using site-to-site VPN connections
> instead of individual VPNs for each user. If you really need 75 VPN peers
> though, then you have to go with a 515 or larger.
> 2) Are you wanting AAA for controlling access to the firewall or
> user access to the internet? If the prior, you can use local usernames or
> RADIUS for authentication. If the latter, you can still use RADIUS for
> authentication though I believe that you largely give up the ability to do
> authorization or accounting without TACACS+.
> Wes Noonan
> > -----Original Message-----
> > From: firstname.lastname@example.org [mailto:firewall-
> > email@example.com] On Behalf Of Adel Guia Cruz
> > Sent: Wednesday, December 03, 2003 13:45
> > To: firstname.lastname@example.org
> > Subject: [fw-wiz] How AAA in PIX Firewall ?
> > I need to implement a Firewall, VPN and IDS solution in my Central
> > network. The network structure is one Central Office with 150 nodes (50
> > nodes need Internet access) and 15 Remote Small Offices with 5 nodes per
> > Remote Office.
> > The Central Office has only one internet connection HDSL 256Kbps and
> > remote offices are connected to Central Office through Internet.
> > I think that Cisco PIX Firewall is a good choice but I need some advice:
> > 1- How to implement AAA (Authentication, Authorization, Accounting)
> > PIX firewall. I know that Cisco has the "Cisco Secure Access Control
> > Server"
> > for AAA but it is very expensive. Is it possible to implement AAA without
> > Secure ACS" in PIX firewall, if it is possible what will be the
> > ?
> > 2- Is PIX 506 sufficient for me, or do I need the next PIX 515-UR? I
> > at
> > least 75 concurrent VPN connections.
> > Thanks
> > _______________________________________________
> > firewall-wizards mailing list
> > email@example.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards