RE: [fw-wiz] VPN Design - is it possible

If you ASSUME:

1. That each 'Site A' PIX has a different out side address
2. They are not configured using the Cisco Fail-over feature

Then there shouldn't be any reason that you couldn't build separate HW-HW
VPN tunnels from each remote site PIX. This would be an Admin nightmare
though as each tunnel will have to be built manually from each box one
end-point pair at a time.

Who 'owns' the IP block at 'Site A'? If it is your home company and not the
ISPs then a simpler and more reliable solution might be (all though more

1. Install a Router outside of the 'Site A' PIXs. A 2621Xm can be bought for
about $1500.00 and a VWIC-2MFT-T1-D1 (2 - T1 integrated CSUs) for about
$250. This leaves room for and additional VWIC card.
2. Upgrade the 'Site A' PIXs to 515Es with Fail-over. The VPN unrestricted
can be had for about $4K
3. Setup BGP Routing between that Router and both ISPs.

You could than connect the 'Site A' PIXs in- Fail-over mode and enjoy the
same reliability between sites. This Site to Site reliability is real
controlled by the Remote Sites as each only has a single ISP with no backup
or fail-over route. A secondary benefit of this solution is that as you grow
at the Home site you can add Internet T1s into the External Router by simply
adding VWIC cards

-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Julian M D
Sent: Wednesday, December 21, 2005 10:18 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] VPN Design - is it possible


I have been given the task to accomplish some kind of failover using
PIX firewall and 2 ISP's connections as follows:

Site A - 2 PIX 506E , 2ISP - 1LAN
Site B, C, D, E, PIX 501 , 1ISP
Site F - PIX 515, 1DMZ, 1ISP

------VPN -------SITE B PIX----------VPN SITE F PIX
SITE A PIX 1 -------VPN--------SITE C PIX----------VPN SITE F PIX
(ISP1) -------VPN--------SITE D PIX----------VPN SITE F PIX
-------VPN--------SITE E PIX----------VPN SITE F PIX

------VPN -------SITE B PIX ----------VPN SITE F PIX
SITE A PIX 2-------VPN--------SITE C PIX----------VPN SITE F PIX
(ISP2) -------VPN--------SITE D PIX----------VPN SITE F PIX
-------VPN--------SITE E PIX----------VPN SITE F PIX

My question is : is it possible to have 2 separate VPN connection to
the same SITE ( looking from B,C,D,E point of view - they would see
the LAN behind SITE A using 2 separate IPSec tunnels)? Has anyone done
or seen anything similar? Do you have a better plan using the given,

Best regards to all, and Happy "Secure" Holidays Everyone!

firewall-wizards mailing list

firewall-wizards mailing list