We have to connect several machines around the world with the internet. The connection would be mainly DSL. Our machines offer several services like HTTP server, special programming interfaces and so on. We want to use the security appliance to manage the access to the several services. E.g.: group "user" is only allowed to access port 80 on IP a.a.a.a. All members of group "admin" are allowed to access every service, and members of group "programmers" are only allowed to access port 4321 on IP a.a.a.a and a.a.a.b. So we have found some features such a device should have (only the important ones):
- Access control with the possibility to grant "rights" (IP addresses, ports or protocols) to users or, better, groups which can have multiple users
- Web portal to offer instructions and grant access to web-based services (depending on the "rights" of the actual user)
- VPN access for direct access to non-web services (e.g. programming interface); nice would be Web-SSL-VPN
- Possibility to tell the actual IP address of the device (when the device has a dynamic IP, similar to dyndns; we don't want to use our own bind server)
- Very important: The device should work on DSL accounts around the world, so it should:
  - automatically get the right DSL parameters (vci, vpi, Annex protocol, PPPoE, PPPoA, PPTP ...) or
  - should be configurable for different countries or
  - should have different "DSL-hardware" for specific countries, but most of the "non connection related" configuration should be identical (e.g. user/group management, firewall settings, LAN settings ...)
Of course our company bandwidth isn't too big; we have no possibility to allow the devices to do a permanent VPN connection to us. We have to establish the connections on demand.
Nice to have would be configuration export as plain text (or xml or similar) to check the configuration into subversion.
We have experimented with the Cisco ASA5505, which fits most of the features, but we have a lot of problems connecting them to the internet in different countries because the ASA doesn't "speak" the correct protocol. We should be able to get the DSL parameters (OK, it is not easy but possible) so we could configure a device which supports the parameters. We have tried to use the ASA behind another router which would be delivered by the local internet provider but couldn't get it to work.
Any ideas which device we could use?
Thank you for any ideas.
P.S. Hope my English isn't too bad.