Paul R. Yaskowski | 9 Apr 2004 05:39

Recommendations

I'm looking to set up a site-to-site VPN to replace a leased line used
solely for AS/400 access. I have a couple questions as to what I should get.

The main office consists of about 25 users with static SDSL. The remote
office is about 5 users with dynamic ADSL.

I've looked at the PIX-501, but I've always been a little scared of per-user
licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
the main office, it would only allow 10 users to get Internet access?

No matter what product I choose, would a site-to-site VPN work with a static
address on one side and a dynamic on the other?

Would any PIX handle PPPoE with a dynamically assigned IP?

The company is cost-conscious, and I've looked at the PIX-506E, without the
per-user licensing, but it is 50% more.

Any comments or suggestions as to which products I should look at would be a
great boon to me. I prefer Cisco products, because I am familiar with their
interface, but am flexible.

I would appreciate any help with this, I had Cisco certs back in the
hey-day, but I worked with them so rarely that I let the certs expire.

Paul
Travis Watson | 10 Apr 2004 19:58

Re: Recommendations

Paul,

You've already received some good recommendations and I don't mean to pour it 
on, but you may want to look at m0n0wall as well for the smaller 
site--particularly if management is cheap (http://m0n0.ch/wall/).  It's 
pretty cool stuff and the price is right.

Having said that, I usually lean toward Netscreen.  They are very reasonable 
in price, solid, and easy to manage.  The only caution I would give you is 
that the 5-series has the 10 user and "unlimited" option for VPN.  Ten nodes 
through a tunnel can happen pretty quickly and the unlimited option just 
about doubles the price.  The 10 user limitation is for VPN only, however, 
not general connectivity.

Good luck.

--Travis

On Thursday 08 April 2004 08:39 pm, Paul R. Yaskowski wrote:
> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should
> get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of
> per-user licensing. If I purchased a 10-user PIX-501, and set it behind the
> SDSL at the main office, it would only allow 10 users to get Internet
> access?

Dana J. Dawson | 12 Apr 2004 17:43

Re: Recommendations

One issue I've had with Netscreen firewalls in the past is that I've never managed to get them to support IPSec pass-thru for generic IPSec clients through the Netscreen in router mode with PAT (i.e. not using NAT-Traversal or any other type of TCP/UDP encapsulation of the IPSec traffic).  Is this a known limitation of the Netscreen, or is there a trick I haven't found?  I haven't tried the latest software, so maybe this is no longer an issue - the last version I've tried is 4.0.3r3.0 in a 5XP.

Dana



Travis Watson wrote:
> Paul,
>
> You've already received some good recommendations and I don't mean to pour
> it on, but you may want to look at m0n0wall as well for the smaller
> site--particularly if management is cheap (http://m0n0.ch/wall/).  It's
> pretty cool stuff and the price is right.
>
> Having said that, I usually lean toward Netscreen.  They are very
> reasonable in price, solid, and easy to manage.  The only caution I would
> give you is that the 5-series has the 10 user and "unlimited" option for
> VPN.  Ten nodes through a tunnel can happen pretty quickly and the
> unlimited option just about doubles the price.  The 10 user limitation is
> for VPN only, however, not general connectivity.
>
> Good luck.
>
> --Travis
_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Travis Watson | 13 Apr 2004 03:47

Re: Recommendations

Dana,

I guess I'm not quite following.  Are you talking about outbound IPSec client 
connections?  That shouldn't be a problem at all unless you tweaked the MTU 
to a small size on purpose.  You aren't trying to PAT outbound connections, 
are you?

--Travis

On Monday 12 April 2004 08:43 am, Dana J. Dawson wrote:
> One issue I've had with Netscreen firewalls in the past is that I've
> never managed to get them to support IPSec pass-thru for generic IPSec
> clients through the Netscreen in router mode with PAT (i.e. not using
> NAT-Traversal or any other type of TCP/UDP encapsulation of the IPSec
> traffic).  Is this a known limitation of the Netscreen, or is there a
> trick I haven't found?  I haven't tried the latest software, so maybe
> this is no longer an issue - the last version I've tried is 4.0.3r3.0
> in a 5XP.
>
> Dana
Dana J. Dawson | 13 Apr 2004 17:43

Re: Recommendations

Travis,

Yes, that's exactly what I'm trying to do, but I haven't played any MTU games at all.  PAT is probably the most common configuration for small offices with a small firewall, frequently with a DSL connection providing a single dynamic IP address to the firewall.  In this situation, it would be nice to be able to use a VPN client from the LAN, but since there are still some clients that don't do NAT-Traversal (or any other form of encapsulation), support for pure IPSec pass-thru would be nice.  It'd be even nicer if it could handle multiple simultaneous clients, but I'd settle for even one at a time.  My cheap little Linksys and Netgear routers at home can do this, so it doesn't seem too much to expect the Netscreen to do it also.  I'm even willing to believe that it can, but I haven't found a way to do it.  I did, however, find a few queries about this exact issue on a Netscreen user forum, but no replies with solutions.

The symptoms are the classic ones when ESP isn't supported through PAT - ISAKMP succeeds, as does user authentication, and the VPN connection appears to be up, but no incoming data to the client works.  If I use NAT-T everything is fine, but some of the places I connect to don't support NAT-T yet, so that's not always an option.  Like I said, I'm willing to believe this is possible and that I just haven't found the correct incantation, but I think I've tried the obvious things (though I'm not nearly as comfortable with the Netscreen as I am with the PIX and other Cisco products - maybe they've polluted my brain).

Thanks!

Dana



Travis Watson wrote:
> Dana,
>
> I guess I'm not quite following.  Are you talking about outbound IPSec client
> connections?  That shouldn't be a problem at all unless you tweaked the MTU
> to a small size on purpose.  You aren't trying to PAT outbound connections,
> are you?
>
> --Travis
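
The symptom described in the message above (ISAKMP on UDP/500 completes through PAT, but returning ESP never reaches the client unless NAT-T is used) can be modeled with a toy PAT gateway. This is an added example, not part of the original thread and not Netscreen behaviour: the `PatGateway` class, its one-client-per-peer ESP pass-through table and all addresses are constructed assumptions.

```python
"""Toy PAT gateway: why IKE survives port translation and bare ESP does not.

Constructed model; addresses are RFC 1918 / RFC 5737 documentation values.
"""
from dataclasses import dataclass
from typing import Optional

UDP, ESP = 17, 50                  # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # ISAKMP and NAT-Traversal (ESP-in-UDP)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # ESP carries an SPI, not ports
    dport: Optional[int] = None


class PatGateway:
    """Hypothetical PAT device sharing one public address among LAN hosts."""

    def __init__(self, public_ip: str, esp_passthru: bool = False):
        self.public_ip = public_ip
        self.esp_passthru = esp_passthru
        self.udp_map = {}          # public port -> (inside ip, inside port)
        self.esp_map = {}          # remote peer -> the one inside client
        self.next_port = 20000

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            for port, inside in self.udp_map.items():
                if inside == key:  # reuse the existing translation
                    break
            else:
                port = self.next_port
                self.next_port += 1
                self.udp_map[port] = key
            return Packet(UDP, self.public_ip, pkt.dst, port, pkt.dport)
        # ESP: no port to rewrite, so only the source address changes
        # (assumption: the device forwards outbound ESP either way).
        if self.esp_passthru:
            # Simplified pass-through: first client to reach a peer owns it.
            self.esp_map.setdefault(pkt.dst, pkt.src)
        return Packet(ESP, self.public_ip, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP:
            inside = self.udp_map.get(pkt.dport)
            if inside is None:
                return None
            return Packet(UDP, pkt.src, inside[0], pkt.sport, inside[1])
        # ESP: nothing to look up except the remote peer address.
        inside_ip = self.esp_map.get(pkt.src)
        if inside_ip is None:
            return None            # dropped: tunnel looks up, no data returns
        return Packet(ESP, pkt.src, inside_ip)


def vpn_session(gw: PatGateway, client: str, peer: str, nat_t: bool) -> dict:
    """Run one IKE round trip and one data round trip for a LAN client.

    Returns which return legs were delivered to that client.
    """
    ike_out = gw.outbound(Packet(UDP, client, peer, IKE_PORT, IKE_PORT))
    ike_back = gw.inbound(
        Packet(UDP, peer, gw.public_ip, IKE_PORT, ike_out.sport))
    if nat_t:
        # ESP wrapped in UDP/4500: translated like any other UDP flow.
        out = gw.outbound(Packet(UDP, client, peer, NATT_PORT, NATT_PORT))
        back = gw.inbound(
            Packet(UDP, peer, gw.public_ip, NATT_PORT, out.sport))
    else:
        gw.outbound(Packet(ESP, client, peer))
        back = gw.inbound(Packet(ESP, peer, gw.public_ip))
    return {
        "ike": ike_back is not None and ike_back.dst == client,
        "data": back is not None and back.dst == client,
    }


if __name__ == "__main__":
    peer = "198.51.100.5"          # constructed VPN concentrator address
    plain = PatGateway("203.0.113.10")
    print("plain PAT, raw ESP:", vpn_session(plain, "192.168.1.20", peer, False))
    print("plain PAT, NAT-T:  ", vpn_session(plain, "192.168.1.20", peer, True))
    pt = PatGateway("203.0.113.10", esp_passthru=True)
    print("pass-thru, client 1:", vpn_session(pt, "192.168.1.20", peer, False))
    print("pass-thru, client 2:", vpn_session(pt, "192.168.1.21", peer, False))
```
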
Hart, Kevin | 9 Apr 2004 15:06

RE: Recommendations


>>I've looked at the PIX-501, but I've always been a little scared of per-user
>>licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
>>the main office, it would only allow 10 users to get Internet access?

Yes...10 user license means just that. You'll need to order the PIX 501 with
a 50 user license if you want more connections. For the main site, I would go
with a 506E.

>>No matter what product I choose, would a site-to-site VPN work with a static
>>address on one side and a dynamic on the other?

Yes, the PIX can do IPSEC LAN to LAN tunnels with dynamic IP at one site.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

>>Would any PIX handle PPPoE with a dynamically assigned IP?

Yes...Pix with PPPOE:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Watch for wraps on the URLs

Kevin

-----Original Message-----
From: Paul R. Yaskowski [mailto:paul <at> yaskowski.com]
Sent: Thursday, April 08, 2004 11:40 PM
To: vpn <at> lists.shmoo.com
Subject: [VPN] Recommendations

I'm looking to set up a site-to-site VPN to replace a leased line used
solely for AS/400 access. I have a couple questions as to what I should get.

The main office consists of about 25 users with static SDSL. The remote
office is about 5 users with dynamic ADSL.

I've looked at the PIX-501, but I've always been a little scared of per-user
licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
the main office, it would only allow 10 users to get Internet access?

No matter what product I choose, would a site-to-site VPN work with a static
address on one side and a dynamic on the other?

Would any PIX handle PPPoE with a dynamically assigned IP?

The company is cost-conscious, and I've looked at the PIX-506E, without the
per-user licensing, but it is 50% more.

Any comments or suggestions as to which products I should look at would be a
great boon to me. I prefer Cisco products, because I am familiar with their
interface, but am flexible.

I would appreciate any help with this, I had Cisco certs back in the
hey-day, but I worked with them so rarely that I let the certs expire.

Paul

Siddhartha Jain | 9 Apr 2004 09:22

Re: Recommendations

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?

Yes, it will only allow 10 IP addresses to pass out to
the internet. Maybe you could set up a web proxy (if
it's only web access that your users want) and then NAT
it to go out. That way you can do with a 10-user
license.

> 
> No matter what product I choose, would a
> site-to-site VPN work with a static
> address on one side and a dynamic on the other?

Yes, you can do this. Look at:
http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

> 
> Would any PIX handle PPPoE with a dynamically
> assigned IP?

Why do you want to do PPPoE? Do IPSec.

> The company is cost-conscious, and I've looked at
> the PIX-506E, without the
> per-user licensing, but it is 50% more.

Your management bought an AS/400 but can't afford a
PIX 506E?? :)

> 
> Any comments or suggestions as to which products I
> should look at would be a
> great boon to me. I prefer Cisco products, because I
> am familiar with their
> interface, but am flexible.
> 

Look at Sonicwall and NetScreen. Both pack in more
features than Cisco PIX, both have pretty good web
GUIs and simpler configuration.

A tip on PIX: If you plan on using its Web GUI, then
configure it from scratch using the GUI. If you
configure it from CLI during installation and later
try to switch to the GUI, you may run into trouble.

HTH,

Siddhartha

	
	
		
Paul R. Yaskowski | 9 Apr 2004 17:28

RE: Recommendations

The PPPoE is for authenticating the DSL.

I've considered SmoothWall, but I don't plan on being here too long, and I'd
hate to leave them with something no one else knows about. If you need Cisco
help, you can get Cisco help.

A $90K AS/400 and a $400/month leased line between offices less than a half
mile apart that should be merged. They're about broke now.

Paul

-----Original Message-----
From: Siddhartha Jain [mailto:losttoy2000 <at> yahoo.co.uk] 
Sent: Friday, April 09, 2004 3:23 AM
To: Paul R. Yaskowski; vpn <at> lists.shmoo.com
Subject: Re: [VPN] Recommendations

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?

Yes, it will only allow 10 IP addresses to pass out to
the internet. Maybe you could set up a web proxy (if
it's only web access that your users want) and then NAT
it to go out. That way you can do with a 10-user
license.

> 
> No matter what product I choose, would a
> site-to-site VPN work with a static
> address on one side and a dynamic on the other?

Yes, you can do this. Look at:
http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

> 
> Would any PIX handle PPPoE with a dynamically
> assigned IP?

Why do you want to do PPPoE? Do IPSec.

> The company is cost-conscious, and I've looked at
> the PIX-506E, without the
> per-user licensing, but it is 50% more.

Your management bought an AS/400 but can't afford a
PIX 506E?? :)

> 
> Any comments or suggestions as to which products I
> should look at would be a
> great boon to me. I prefer Cisco products, because I
> am familiar with their
> interface, but am flexible.
> 

Look at Sonicwall and NetScreen. Both pack in more
features than Cisco PIX, both have pretty good web
GUIs and simpler configuration.

A tip on PIX: If you plan on using its Web GUI, then
configure it from scratch using the GUI. If you
configure it from CLI during installation and later
try to switch to the GUI, you may run into trouble.

HTH,

Siddhartha

	
	
		
Siddhartha Jain | 10 Apr 2004 09:12

RE: Recommendations

Umm, so you are using PPPoE only for authentication?
You can do that in IPSec with pre-shared keys. 

--- "Paul R. Yaskowski" <paul <at> yaskowski.com> wrote:
> The PPPoE is for authenticating the DSL.
> 
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
> 
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
> 
> Paul
Paul R. Yaskowski | 11 Apr 2004 01:15

RE: Recommendations

PPPoE for authentication to Verizon, the DSL provider.

Paul

-----Original Message-----
From: vpn-bounces+paul=yaskowski.com <at> lists.shmoo.com
[mailto:vpn-bounces+paul=yaskowski.com <at> lists.shmoo.com] On Behalf Of
Siddhartha Jain
Sent: Saturday, April 10, 2004 3:12 AM
To: vpn <at> lists.shmoo.com
Subject: RE: [VPN] Recommendations

Umm, so you are using PPPoE only for authentication?
You can do that in IPSec with pre-shared keys. 

--- "Paul R. Yaskowski" <paul <at> yaskowski.com> wrote:
> The PPPoE is for authenticating the DSL.
> 
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
> 
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
> 
> Paul
Michael Ray | 9 Apr 2004 14:48

Re: Recommendations

On Thu, 8 Apr 2004 23:39:58 -0400, you wrote:

>I'm looking to set up a site-to-site VPN to replace a leased line used
>solely for AS/400 access. I have a couple questions as to what I should get.
>
>The main office consists of about 25 users with static SDSL. The remote
>office is about 5 users with dynamic ADSL.
>
>I've looked at the PIX-501, but I've always been a little scared of per-user
>licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
>the main office, it would only allow 10 users to get Internet access?
>
>No matter what product I choose, would a site-to-site VPN work with a static
>address on one side and a dynamic on the other?
>
>Would any PIX handle PPPoE with a dynamically assigned IP?
>
>The company is cost-conscious, and I've looked at the PIX-506E, without the
>per-user licensing, but it is 50% more.
>
>Any comments or suggestions as to which products I should look at would be a
>great boon to me. I prefer Cisco products, because I am familiar with their
>interface, but am flexible.
>
>I would appreciate any help with this, I had Cisco certs back in the
>hey-day, but I worked with them so rarely that I let the certs expire.
>
>Paul
>

I would look at the Netscreen 5GT products (standard and extended)
and Fortinet's Fortigate 50A or 60 depending on your needs. Both
companies offer antivirus, higher level content control on top of
firewalling, IDS, VPN and traffic shaping, etc. 

Netscreen's option is a bit more for the AV and Deep Inspection while
Fortinet includes them standard. They are both easy to administer and
will work with your static to dynamic VPN requirements.

As a side note, Fortinet was founded by one of the original Netscreen
founders.

http://www.netscreen.com/products/at_a_glance/ds_5gt.jsp
http://www.fortinet.com/doc/FGT50A_100DS.pdf

Mike
David Pierson | 9 Apr 2004 10:42

Re: Recommendations

Paul,

Do have a look at Snapgear www.cyberguard.com/snapgear as they do not charge
a per-user licensing for their VPN. The LITE+ will do up to 0.5Mbps 3DES and
the SME530 up to 3Mbps with 3DES or 8Mbps AES. Depends how much traffic you
think you'll have.
The equipment is a joy to use too. The reason you don't hear as much about
them on the VPN channels may be that their stuff just works and their lucky
admins like me don't have any hassles. :-)

Cheers
David
----- Original Message -----
From: "Paul R. Yaskowski" <paul <at> yaskowski.com>
To: <vpn <at> lists.shmoo.com>
Sent: Friday, April 09, 2004 1:39 PM
Subject: [VPN] Recommendations

> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should
> get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of
> per-user licensing. If I purchased a 10-user PIX-501, and set it behind the
> SDSL at the main office, it would only allow 10 users to get Internet
> access?
>
> No matter what product I choose, would a site-to-site VPN work with a
> static address on one side and a dynamic on the other?
>
> Would any PIX handle PPPoE with a dynamically assigned IP?
>
> The company is cost-conscious, and I've looked at the PIX-506E, without
> the per-user licensing, but it is 50% more.
>
> Any comments or suggestions as to which products I should look at would be
> a great boon to me. I prefer Cisco products, because I am familiar with
> their interface, but am flexible.
>
> I would appreciate any help with this, I had Cisco certs back in the
> hey-day, but I worked with them so rarely that I let the certs expire.
>
> Paul
