quick basic net design info with Cisco equipment

Hi - I have a small, old network for my company (software design shop) with 40 workstations, 20 users, 15 servers, and a single T1 connected to our Cisco 2610 router. The router is running an old version of the IOS and I do not have SmartNet for it, and the only security I have for my network is the access lists on that router.

I do have about 15-20 servers / services that need to be accessed by the internet on my network, as well as VPN clients connecting to our Microsoft PPTP VPN server.

Would a basic PIX 501 do the trick to secure up the network?

Furthermore, I'm running basic NAT on my router, and all my internal machines (Exchange, www) have one NIC each with an internal IP which is translated at the router to the public IP. I have a feeling that this is not a safe way to be doing things, but am unsure of how to allow access properly.

I've also been looking at the IPCop firewall product, but was thinking that a PIX 501 would do the trick better. I'll also move my VPNing out to there as well.

Thoughts? Suggestions? If this is the wrong forum for this basic sort of questioning, I'd love a couple references to good resources.

Thanks in advance for info.

Reply to
brandon.vogel

Moving to an ASA or a PIX would eliminate the need for the PPTP VPN and allow you to use IPsec VPN.

I would look away from the PIX line and look more into the ASA 5505.

By implementing the firewall, the NAT process would be performed on the firewall, not the router; your router would just route packets at that point.

Look at the support options for the two; you will need to support either product.

You're welcome!

Reply to
Chad Mahoney

Gotcha. Looking at the ASA 5505. I just don't want to get anything that is more than what I need or more than what I can manage.

One issue I have is with my Anti-SPAM server getting overloaded and Symantec has suggested I deploy something at the firewall level but I forget what feature that was. Any idea if the ASA 5505 can do that? Sorry so vague...

Understood. But is it a basically okay thing to have one NIC in each machine and one private IP and use NAT to translate at the firewall, or is that a big security risk (two NICs or something like that)?

Good point. As I've had no budget for this for 7 years, and don't expect one any time soon, I need to be able to sell the least expensive but still manageable product.

Thanks again.

Reply to
brandon.vogel

"snipped-for-privacy@gmail.com" wrote in news:snipped-for-privacy@i12g2000prf.googlegroups.com:

Many people are moving towards hardware appliances such as a Barracuda product or an IronPort product. This sits in front of your mail complex and does spam/virus protection before it hits your network.

Reply to
Paddrino

If you've only got a T1, you might find it's worth getting your mail hosted in such a way to avoid wasting bandwidth/CPU time locally on bouncing/blocking/ignoring spammers. Although if you don't have a budget then, well, never mind!

Reply to
alexd

The PIX 501 cannot run the latest version of the software, which requires memory that the 501 does not have; the 5505 is the replacement for the 501.

The ASA is not a spam filter; one suggestion would be to possibly move to a spam appliance such as Barracuda or DoubleCheck.

Well, you can obtain more IP addresses from your carrier; once you do that you can then assign one of the extra (or as many as you want) IPs as the NAT address that will be visible on the internet.

Look at the global pools for NAT; it will explain....

Well, you can expect to spend around $400 a year for SmartNet; I cannot speak of the other solution. However, one thing to mention is how much of a price can you pay to secure your network? Can you call the provider and get replacement equipment? Also, the IPCop solution is a software-based firewall, which means you have to produce the hardware it runs on, which could also fail. Also, whatever OS you load IPCop on will be directly exposed to the internet, so your OS better be secure.

No Problem!

Reply to
Chad Mahoney
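As an added example (not from any poster in this thread), the firewall-side NAT arrangement discussed above, in pre-8.3 PIX/ASA syntax on an ASA 5505: single-NIC servers keep their private addresses, spare public IPs from the carrier become one-to-one statics, and the outside access-list admits only the needed ports. All addresses, interface names and the ACL name are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses are RFC 5737 placeholders:
! 192.168.1.0/24 inside, 203.0.113.0/28 public block from the carrier,
! Exchange on 192.168.1.10, public web server on 192.168.1.20.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
 switchport access vlan 2
!
! Outbound: every inside host shares the outside interface address (PAT).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! Inbound: one-to-one static NAT from spare public IPs to each server.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.20 netmask 255.255.255.255
!
! A static by itself does not admit traffic from a lower-security interface;
! the outside ACL decides what reaches each translated address, so expose
! only the services each host actually serves and log what is dropped.
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.10 eq https
access-list outside_in extended permit tcp any host 203.0.113.11 eq www
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

With this in place the router only routes the /28 toward the firewall's outside interface; its own access lists become a second layer rather than the only one.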

As per the users and servers, you must be having 5 Mbps max traffic running around!! You need a firewall to secure the internal/DMZ network from external/Internet threats.

For DMZ servers you need a VPN module running in the firewall. You should have IPsec for VPN: site-to-site, client-to-site, remote-to-site.

PIX 501 is obsolete now; you can try ASA, but you need an antispam solution as well. And with PIX you need to purchase another software/hardware product.

You can have NAT done on your firewall, as it will help you maintain security in the inside network.

IPCop is a software product, and here you need a hardware product for first-line security.

I think you should take some UTM device as a starter. You can look at Fortinet, WatchGuard, SonicWall products. UTM is not so expensive and is easy to manage/admin/config with a GUI interface. It will last for long.

Rate if helped

Rgds..CK

Reply to
CK
