Paul R. Yaskowski | 9 Apr 05:39 2004

Recommendations

I'm looking to set up a site-to-site VPN to replace a leased line used
solely for AS/400 access. I have a couple questions as to what I should get.

The main office consists of about 25 users with static SDSL. The remote
office is about 5 users with dynamic ADSL.

I've looked at the PIX-501, but I've always been a little scared of per-user
licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
the main office, it would only allow 10 users to get Internet access?

No matter what product I choose, would a site-to-site VPN work with a static
address on one side and a dynamic on the other?

Would any PIX handle PPPoE with a dynamically assigned IP?

The company is cost-conscious, and I've looked at the PIX-506E, without the
per-user licensing, but it is 50% more.

Any comments or suggestions as to which products I should look at would be a
great boon to me. I prefer Cisco products, because I am familiar with their
interface, but am flexible.

I would appreciate any help with this, I had Cisco certs back in the
hey-day, but I worked with them so rarely that I let the certs expire.

Paul
David Pierson | 9 Apr 10:42 2004

Re: Recommendations

Paul,

Do have a look at Snapgear www.cyberguard.com/snapgear as they do not charge
a per-user licensing for their VPN. The LITE+ will do up to 0.5Mbps 3DES and
the SME530 up to 3Mbps with 3DES or 8Mbps AES. Depends how much traffic you
think you'll have.
The equipment is a joy to use too. The reason you don't hear as much about
them on the VPN channels may be that their stuff just works and their lucky
admins like me don't have any hassles. :-)

Cheers
David
----- Original Message -----
From: "Paul R. Yaskowski" <paul <at> yaskowski.com>
To: <vpn <at> lists.shmoo.com>
Sent: Friday, April 09, 2004 1:39 PM
Subject: [VPN] Recommendations

> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should
> get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of
> per-user
> licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
> the main office, it would only allow 10 users to get Internet access?
>

Michael Ray | 9 Apr 14:48 2004

Re: Recommendations

On Thu, 8 Apr 2004 23:39:58 -0400, you wrote:

>I'm looking to set up a site-to-site VPN to replace a leased line used
>solely for AS/400 access. I have a couple questions as to what I should get.
>
>The main office consists of about 25 users with static SDSL. The remote
>office is about 5 users with dynamic ADSL.
>
>I've looked at the PIX-501, but I've always been a little scared of per-user
>licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
>the main office, it would only allow 10 users to get Internet access?
>
>No matter what product I choose, would a site-to-site VPN work with a static
>address on one side and a dynamic on the other?
>
>Would any PIX handle PPPoE with a dynamically assigned IP?
>
>The company is cost-conscious, and I've looked at the PIX-506E, without the
>per-user licensing, but it is 50% more.
>
>Any comments or suggestions as to which products I should look at would be a
>great boon to me. I prefer Cisco products, because I am familiar with their
>interface, but am flexible.
>
>I would appreciate any help with this, I had Cisco certs back in the
>hey-day, but I worked with them so rarely that I let the certs expire.
>
>Paul
>


Siddhartha Jain | 9 Apr 09:22 2004

Re: Recommendations

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?

Yes, it will only allow 10 IP addresses to pass out to
the internet. Maybe you could set up a web proxy (if
it's only web access that your users want) and then NAT
it to go out. That way you can do with a 10-user
license.

> 
> No matter what product I choose, would a
> site-to-site VPN work with a static
> address on one side and a dynamic on the other?

Yes, you can do this. Look at:
http://cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

> 
> Would any PIX handle PPPoE with a dynamically
> assigned IP?

Why do you want to do PPPoE? Do IPSec.

> The company is cost-conscious, and I've looked at
> the PIX-506E, without the
> per-user licensing, but it is 50% more.

Hart, Kevin | 9 Apr 15:06 2004

RE: Recommendations


>>I've looked at the PIX-501, but I've always been a little scared of
>>per-user
>>licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at
>>the main office, it would only allow 10 users to get Internet access?

Yes...10 user license means just that. You'll need to order the PIX 501 with
a 50 user license if you want more connections. For the main site, I would go
with a 506E.

>>No matter what product I choose, would a site-to-site VPN work with a
>>static
>>address on one side and a dynamic on the other?

Yes, the PIX can do IPSEC LAN to LAN tunnels with dynamic IP at one site.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

>>Would any PIX handle PPPoE with a dynamically assigned IP?

Yes...Pix with PPPOE:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml

Watch for wraps on the URLs

Kevin


Paul R. Yaskowski | 9 Apr 17:28 2004

RE: Recommendations

The PPPoE is for authenticating the DSL.

I've considered SmoothWall, but I don't plan on being here too long, and I'd
hate to leave them with something no one else knows about. If you need Cisco
help, you can get Cisco help.

A $90K AS/400 and a $400/month leased line between offices less than a half
mile apart that should be merged. They're about broke now.

Paul

-----Original Message-----
From: Siddhartha Jain [mailto:losttoy2000 <at> yahoo.co.uk] 
Sent: Friday, April 09, 2004 3:23 AM
To: Paul R. Yaskowski; vpn <at> lists.shmoo.com
Subject: Re: [VPN] Recommendations

> I've looked at the PIX-501, but I've always been a
> little scared of per-user
> licensing. If I purchased a 10-user PIX-501, and set
> it behind the SDSL at
> the main office, it would only allow 10 users to get
> Internet access?

Yes, it will only allow 10 IP addresses to pass out to
the internet. Maybe you could set up a web proxy (if
it's only web access that your users want) and then NAT
it to go out. That way you can do with a 10-user
license.


Siddhartha Jain | 10 Apr 09:12 2004

RE: Recommendations

Umm, so you are using PPPoE only for authentication?
You can do that in IPSec with pre-shared keys. 

 --- "Paul R. Yaskowski" <paul <at> yaskowski.com> wrote:
> The PPPoE is for authenticating the DSL.
> 
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
> 
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
> 
> Paul
> 
> -----Original Message-----
> From: Siddhartha Jain
> [mailto:losttoy2000 <at> yahoo.co.uk] 
> Sent: Friday, April 09, 2004 3:23 AM
> To: Paul R. Yaskowski; vpn <at> lists.shmoo.com
> Subject: Re: [VPN] Recommendations
> 
> > I've looked at the PIX-501, but I've always been a
> > little scared of per-user
> > licensing. If I purchased a 10-user PIX-501, and
> set

Travis Watson | 10 Apr 19:58 2004

Re: Recommendations

Paul,

You've already received some good recommendations and I don't mean to pour it
on, but you may want to look at m0n0wall as well for the smaller 
site--particularly if management is cheap (http://m0n0.ch/wall/).  It's 
pretty cool stuff and the price is right.

Having said that, I usually lean toward Netscreen.  They are very reasonable 
in price, solid, and easy to manage.  The only caution I would give you is
that the 5-series has the 10 user and "unlimited" option for VPN.  Ten nodes 
through a tunnel can happen pretty quickly and the unlimited option just 
about doubles the price.  The 10 user limitation is for VPN only, however, 
not general connectivity.

Good luck.

--Travis

On Thursday 08 April 2004 08:39 pm, Paul R. Yaskowski wrote:
> I'm looking to set up a site-to-site VPN to replace a leased line used
> solely for AS/400 access. I have a couple questions as to what I should
> get.
>
> The main office consists of about 25 users with static SDSL. The remote
> office is about 5 users with dynamic ADSL.
>
> I've looked at the PIX-501, but I've always been a little scared of
> per-user licensing. If I purchased a 10-user PIX-501, and set it behind the
> SDSL at the main office, it would only allow 10 users to get Internet
> access?

Paul R. Yaskowski | 11 Apr 01:15 2004

RE: Recommendations

PPPoE for authentication to Verizon, the DSL provider.

Paul

-----Original Message-----
From: vpn-bounces+paul=yaskowski.com <at> lists.shmoo.com
[mailto:vpn-bounces+paul=yaskowski.com <at> lists.shmoo.com] On Behalf Of
Siddhartha Jain
Sent: Saturday, April 10, 2004 3:12 AM
To: vpn <at> lists.shmoo.com
Subject: RE: [VPN] Recommendations

Umm, so you are using PPPoE only for authentication?
You can do that in IPSec with pre-shared keys. 

 --- "Paul R. Yaskowski" <paul <at> yaskowski.com> wrote:
> The PPPoE is for authenticating the DSL.
> 
> I've considered SmoothWall, but I don't plan on
> being here too long, and I'd
> hate to leave them with something no one else knows
> about. If you need Cisco
> help, you can get Cisco help.
> 
> A $90K AS/400 and a $400/month leased line between
> offices less than a half
> mile apart that should be merged. They're about
> broke now.
> 
> Paul

Dana J. Dawson | 12 Apr 17:43 2004

Re: Recommendations

One issue I've had with Netscreen firewalls in the past is that I've never managed to get them to support IPSec pass-thru for generic IPSec clients through the Netscreen in router mode with PAT (i.e. not using NAT-Traversal or any other type of TCP/UDP encapsulation of the IPSec traffic).  Is this a known limitation of the Netscreen, or is there a trick I haven't found?  I haven't tried the latest software, so maybe this is no longer an issue - the last version I've tried is 4.0.3r3.0 in a 5XP.

Dana



Travis Watson wrote:
> Paul,
>
> You've already received some good recommendations and I don't mean to pour it on, but you may want to look at m0n0wall as well for the smaller site--particularly if management is cheap (http://m0n0.ch/wall/). It's pretty cool stuff and the price is right.
>
> Having said that, I usually lean toward Netscreen. They are very reasonable in price, solid, and easy to manage. The only caution I would give you is that the 5-series has the 10 user and "unlimited" option for VPN. Ten nodes through a tunnel can happen pretty quickly and the unlimited option just about doubles the price. The 10 user limitation is for VPN only, however, not general connectivity.
>
> Good luck.
>
> --Travis
>
> On Thursday 08 April 2004 08:39 pm, Paul R. Yaskowski wrote:
> > I'm looking to set up a site-to-site VPN to replace a leased line used solely for AS/400 access. I have a couple questions as to what I should get.
> >
> > The main office consists of about 25 users with static SDSL. The remote office is about 5 users with dynamic ADSL.
> >
> > I've looked at the PIX-501, but I've always been a little scared of per-user licensing. If I purchased a 10-user PIX-501, and set it behind the SDSL at the main office, it would only allow 10 users to get Internet access?
> >
> > No matter what product I choose, would a site-to-site VPN work with a static address on one side and a dynamic on the other?
> >
> > Would any PIX handle PPPoE with a dynamically assigned IP?
> >
> > The company is cost-conscious, and I've looked at the PIX-506E, without the per-user licensing, but it is 50% more.
> >
> > Any comments or suggestions as to which products I should look at would be a great boon to me. I prefer Cisco products, because I am familiar with their interface, but am flexible.
> >
> > I would appreciate any help with this, I had Cisco certs back in the hey-day, but I worked with them so rarely that I let the certs expire.
> >
> > Paul

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn