RE: [fw-wiz] VPN Design - is it possible

If you ASSUME:

1. That each 'Site A' PIX has a different outside address
2. They are not configured using the Cisco Fail-over feature

Then there shouldn't be any reason that you couldn't build separate HW-HW
VPN tunnels from each remote site PIX. This would be an Admin nightmare
though as each tunnel will have to be built manually from each box one
end-point pair at a time.

Who 'owns' the IP block at 'Site A'? If it is your home company and not the
ISPs then a simpler and more reliable solution might be (although more

1. Install a Router outside of the 'Site A' PIXs. A 2621Xm can be bought for
about $1500.00 and a VWIC-2MFT-T1-D1 (2 - T1 integrated CSUs) for about
$250. This leaves room for an additional VWIC card.
2. Upgrade the 'Site A' PIXs to 515Es with Fail-over. The VPN unrestricted
can be had for about $4K
3. Setup BGP Routing between that Router and both ISPs.

You could then connect the 'Site A' PIXs in Fail-over mode and enjoy the
same reliability between sites. This Site to Site reliability is really
controlled by the Remote Sites as each only has a single ISP with no backup
or fail-over route. A secondary benefit of this solution is that as you grow
at the Home site you can add Internet T1s into the External Router by simply
adding VWIC cards.

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Julian M D
Sent: Wednesday, December 21, 2005 10:18 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] VPN Design - is it possible


I have been given the task to accomplish some kind of failover using
PIX firewalls and 2 ISP connections as follows:

Site A - 2 PIX 506E, 2 ISPs, 1 LAN
Site B, C, D, E - PIX 501, 1 ISP
Site F - PIX 515, 1 DMZ, 1 ISP

              -------VPN--------SITE B PIX----------VPN SITE F PIX
SITE A PIX 1  -------VPN--------SITE C PIX----------VPN SITE F PIX
(ISP1)        -------VPN--------SITE D PIX----------VPN SITE F PIX
              -------VPN--------SITE E PIX----------VPN SITE F PIX

              -------VPN--------SITE B PIX----------VPN SITE F PIX
SITE A PIX 2  -------VPN--------SITE C PIX----------VPN SITE F PIX
(ISP2)        -------VPN--------SITE D PIX----------VPN SITE F PIX
              -------VPN--------SITE E PIX----------VPN SITE F PIX

My question is: is it possible to have 2 separate VPN connections to
the same SITE (looking from B, C, D, E's point of view, they would see
the LAN behind SITE A using 2 separate IPSec tunnels)? Has anyone done
or seen anything similar? Do you have a better plan using the given,

Best regards to all, and Happy "Secure" Holidays Everyone!

firewall-wizards mailing list
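The first suggestion in the reply above (a separate HW-HW tunnel from each remote PIX to each 'Site A' PIX) would look roughly like the following on one remote-site PIX 501. This is an added illustration, not configuration posted by either participant; all addresses are constructed (Site B LAN 10.2.0.0/24, Site A LAN 10.1.0.0/24, Site A PIX 1 outside 198.51.100.1 on ISP1, Site A PIX 2 outside 203.0.113.1 on ISP2), it assumes PIX 6.3 syntax, and the two-address form of "set peer" should be confirmed against the command reference for the release in use.

```text
! Constructed example: remote Site B PIX 501 reaching the Site A LAN via either Site A PIX.
! Traffic to protect: Site B LAN <-> Site A LAN, and exempt the same traffic from NAT.
access-list SITEA_VPN permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list SITEA_VPN

! Phase 2 proposal shared by both Site A peers.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! One crypto map entry listing both Site A outside addresses (assumed 6.3 syntax):
! the PIX negotiates with the first peer and falls back to the second if it is unreachable.
crypto map TOSITEA 10 ipsec-isakmp
crypto map TOSITEA 10 match address SITEA_VPN
crypto map TOSITEA 10 set peer 198.51.100.1 203.0.113.1
crypto map TOSITEA 10 set transform-set ESP-3DES-SHA
crypto map TOSITEA interface outside

! Phase 1: one pre-shared key entry per Site A peer (placeholders), one policy.
isakmp enable outside
isakmp key <KEY-FOR-SITEA-PIX1> address 198.51.100.1 netmask 255.255.255.255
isakmp key <KEY-FOR-SITEA-PIX2> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Keepalives so a dead Site A peer is detected and the backup peer gets tried,
! instead of waiting for the SA lifetime to expire.
isakmp keepalive 10 5

! Let decrypted IPSec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

Each Site A PIX still needs its own matching crypto map entry and pre-shared key for every remote site, which is the per-endpoint-pair manual work the reply calls an admin nightmare.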
