

Joined on 03-15-2008
TechSoup Member
Thanks in advance for any who read and reply!
Background: I'm in the process of upgrading our central offices to a T1. We have about 25 employees there, but we've got another 50+ employees spread across 15 locations in 4 states, and we're seeing slowdowns for remote staff accessing our Outlook Web Access, SharePoint, as well as a few VoIP phone services. Currently we have DSL with a Linksys broadband router combo that manages our IP routing and port forwarding. Previously, in my experience with T1 service at my last employer, the router and firewall were provided and configured by our ISP through the state. This time, however, I'm on my own.
Now, I have a Cisco PIX Firewall 506e that was donated to the organization, but is this adequate for T1 service? It has 10/100 Ethernet; does this bottleneck and choke the T1's potential? And if so, what suggestions would you have on a firewall to use?
A T1 connection is about 1.544 megabits per second, which is not very fast. Even if you're connecting 15 sites together, any off-the-shelf firewall will do just fine. A PIX 506e is even better.
But if you're providing your own equipment to terminate the T1, then you're probably going to need a router with a T1 module if the ISP didn't provide one for you.
Good luck.
Quynh


Joined on 03-17-2008
TechSoup Member
The 506e should have no problems handling a T1 worth of traffic.
You should be aware, though, that even though the firewall was given to you, the license to use the software is non-transferable. In order to be legal you need to buy a SmartNet contract for the PIX, which is fairly expensive but also provides hardware replacement and configuration assistance whenever you need it.
-Jeff
What happens to the products that are end of sale and end of life? Does Cisco expect us to pull them off our shelves and close our business if we don't buy newer products?
What do we do with donated Cisco equipment? It is not mentioned in their EULA.
I manage a network for a company who invested in a PIX 515 at the main office and has about 10 offsite locations using either PIX 506's or Cisco routers with the VPN software pack. The 506's are out of support by a year, I think, so you can't purchase a SmartNet for them, so you can't get a new CCO login in order to download software from Cisco's website. Cisco offers no support for these, unless you can find a documented security flaw in the version of the software you have on the PIX. If you can do that, then you can get a one-time download from Cisco of newer software for any device. Cisco is very hard to work with sometimes. But their equipment is top notch, so we learn to deal.
Keith


Joined on 03-15-2008
TechSoup Member
Wow, Thanks a million for the great feedback!
Quynh, we are terminated with a router, I'm in the process of finding out from my ISP what if any level of control I have over the device.
And on the PIX, it would seem it might serve as a good startup/temporary solution; however, I might be better off picking up something new or perhaps homebrewing my own Linux box for the task (any suggestions on a good user-friendly project?). I just wanted to make sure that standard 10/100 Ethernet cards were adequate for T1, because I knew the DSU/CSU has special specs and I didn't want to bottleneck my new pipe.
I have installed quite a few pfSense boxes; it's easy and powerful, with tons of software modules up for grabs.
Get any modular router and put in a CSU/DSU module for the /30 serial link to your ISP. Make sure that it has an Ethernet port to connect to your PIX. I normally use a 1700 series since it doesn't require a lot of processing.
The ISPs here in the SF Bay typically provide their customers with a Cisco 1721 router.
Let me know if you need any configuration help. I'll do it for free, just like my current job. hehe
Quynh


Joined on 03-17-2008
TechSoup Member


Joined on 06-09-2003
Davenport, Iowa USA


If you want to home-brew a firewall, I suggest you start with m0n0wall:
http://m0n0.ch/wall/
I've got three in production and have been very happy with the results. One is on a 4 Mb cable connection, so it can handle T1 and above.
Dave


Joined on 10-05-2007
TechSoup Member
Gotta agree with DWELP. I have always been a Cisco-sexual....I think I got physically sick when I installed my first m0n0wall...but a year later I have 12 of them in place and I really like the features. You can get them pre-built in a very small PIX-like package for around $300 +/-. I would suggest, if you do this, buy the fanless version, as I have had 3 of the regular ones with fans, and the fans have already gone bad in them.


Joined on 06-09-2003
Davenport, Iowa USA


The one on the 4 Mb connection is running on an ancient PII 266 MHz NEC with 64 or 96 MB of RAM. It's a great way to use old hardware; you can have several stacked up as spares in case you have a hardware failure.
For the others I have deployed, I picked up some IDE-to-CF card adapters and some 32 MB CompactFlash cards, so there is no hard drive or CD-ROM needed to boot the firewall. I think the cost was under $10.00 for the adapter and flash card.
Dave


Joined on 05-07-2003
TechSoup Member
I have 5 remote offices and use Cisco PIX 506e's for them that I purchased through TechSoup. I use Verizon DSL with 3 Mb down and 768 kb up for my connections, and I am running a Terminal Server that allows my users to connect back to access our main database through a VPN tunnel. The main Cisco rig is an ASA 5510 with a CSC module that filters spam, viruses and all the other dirty stuff. When FiOS becomes available, I will connect with that.
We just installed Time Warner's fiber business solution and have been very happy with it. We only have the 5 Mb package, but it's the same up and down, so it works great for the VoIP and VPNs. And the cost of the fiber compared to the T1's from AT&T is unbelievable, saving a lot of money.


Joined on 03-15-2008
TechSoup Member
For starters thanks again for all the feedback. It's been a huge help.
I tried and failed at creating a pfSense box. Everything was running pretty well in my test environment, but when I moved the box to the live system my switch popped every port I tried it in. I lost 3 ports on my switch because of some bad NIC or something. :(
Anyway, I took another look at the PIX 506e and came to find out that the organization had purchased 2 from TechSoup about a year ago. So I did a little research and got it reset to factory settings. Currently I have it up on the live environment and it works great serving the T1 internet to my network as a gateway. My problem now is I can't get any of my outside IPs to translate to my inside servers.
The PIX IPs are inside 10.1.1.254 and outside 10.2.2.2.
My web server is running HTTPS over standard port 443, and its inside IP is 10.1.1.2.
I want to use my 10.2.2.3 outside address to forward port 443 to my web server.
These are (I believe) the relevant config lines:
…
access-list inside_access_in permit ip any any
access-list inbound permit tcp host 10.2.2.3 eq https interface outside eq https
…
ip address outside 10.2.2.2 255.255.255.248
ip address inside 10.1.1.254 255.255.255.0
…
pdm location 10.2.2.3 255.255.255.255 outside
pdm location 10.1.1.2 255.255.255.255 inside
…
global (outside) 2 interface
global (inside) 3 interface
nat (inside) 2 10.1.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface https 10.1.1.2 https netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.1.1.2 https 10.2.2.3 https netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.2.2.1 1
…
http 10.1.1.0 255.255.255.0 inside
…
name 10.1.1.2 webserver
object-group service SECURE_WEB tcp
port-object eq https
static (inside,outside) 10.2.2.3 10.1.1.2 netmask 255.255.255.255
access-list External_access_in extended permit tcp any host webserver object-group SECURE_WEB
You can add more services by putting in more port-object lines. The web GUI is a little friendlier.
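Pulling the thread together, here is a complete publish-one-HTTPS-server configuration in PIX 6.3 syntax (the last release the 506e runs, which does not accept the `extended` keyword), written as an added example rather than any poster's own config. It assumes the addresses from the question (outside 10.2.2.2/29, inside 10.1.1.254/24, web server 10.1.1.2 published on 10.2.2.3) and a configuration that starts from the posted lines; `:` is the PIX comment character.

```cisco
: Added example (not from the thread). Assumes PIX 6.3 on the 506e and
: the addresses posted in the question.
:
: 1. Remove the two statics that cannot work as posted: one maps the
:    outside interface address (10.2.2.2), not 10.2.2.3, and the
:    (outside,inside) one is written in the wrong direction.
no static (inside,outside) tcp interface https 10.1.1.2 https netmask 255.255.255.255 0 0
no static (outside,inside) tcp 10.1.1.2 https 10.2.2.3 https netmask 255.255.255.255 0 0
: The inbound ACL as posted has 10.2.2.3 as the *source*; replace it.
no access-list inbound permit tcp host 10.2.2.3 eq https interface outside eq https
: "global (inside) 3 interface" has no matching nat id 3 and does nothing.
no global (inside) 3 interface
:
: 2. Outbound PAT for the LAN (unchanged from the posted config).
nat (inside) 2 10.1.1.0 255.255.255.0 0 0
global (outside) 2 interface
:
: 3. Publish the web server on its own outside address. A one-to-one
:    static translates every port; the ACL below limits what gets in.
names
name 10.1.1.2 webserver
static (inside,outside) 10.2.2.3 webserver netmask 255.255.255.255 0 0
:
: 4. On PIX 6.3 the inbound ACL matches the translated (outside) address,
:    with the Internet as the source.
object-group service SECURE_WEB tcp
  port-object eq https
access-list inbound permit tcp any host 10.2.2.3 object-group SECURE_WEB
access-group inbound in interface outside
:
: 5. Checks: the static must appear as an xlate, the ACL hit count must
:    rise when a client connects, and the web server's default gateway
:    must be 10.1.1.254 or replies bypass the PIX and the session hangs.
clear xlate
show xlate
show access-list inbound
```

If the ACL hit count rises but the connection still hangs, the return path is the usual cause: check the server's gateway and any host firewall before changing the PIX again.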