Vlan and pix

Hi, I have a pretty large computer network with 10 VLANs, a core Layer 3 switch and a 10 Mbit access to the internet.

I'm looking for an appliance to: NAT the internal network, accept at least 5 VPN tunnels from the internet; each VPN client should be routed onto its assigned VLAN.

Is this possible? Which is the appropriate firewall?

Thanks in advance

info

In PIX 6, if I recall correctly, it was not possible to initiate a VPN from a VLAN interface.

The PIX 7 documentation indicates that "any" interface can be used as a crypto endpoint; presumably that includes VLAN interfaces.

But it seems odd to me to put the encapsulated VPN traffic into separate VLANs.

Or did you mean that you want each VPN client to *only* be able to reach a specific VLAN? Normally, VPN traffic just gets tossed through the routing phase and comes out on whatever interface (physical or VLAN) that the destination IP is on. If you have an internal network N and VPN client V is the only client that has N as a source address in the "crypto map match address", and if you do not provide any static translations between the outside and network N, and if destination N was denied in the access-group applied "in" on all the other interfaces, then there would be only one way for traffic to arrive destined for N (i.e., through that one VPN), and so routing would effectively separate the traffic. If, though, the internal IP ranges overlapped, and you wanted internal network N to be a -different- VLAN when the traffic arrives from VPN V than when it arrived from VPN W, then you would need "security contexts" to do that.

All of the currently sold PIX and ASA models will accept at least 5 VPN tunnels.

With PIX 6, to support 10 VLANs, you would need a PIX 525 with Unrestricted License or a PIX 535 with Unrestricted License.

With PIX 7, I can't tell from the datasheets how many VLANs are supported under which conditions. The PIX 515E is listed as supporting "up to" 25 VLANs, but that might require the Unrestricted license.

With ASA 7, the 5505 model supports 3 VLANs in one of the modes, and 20 VLANs in another mode. The 5510 supports 50 VLANs in the base software.

If you do need security contexts, it looks to me as if you would need an ASA 5520 and some optional licenses, or else a PIX 535 and some optional licenses.

Walter Roberson
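The separation described above (one VPN is the only source matched against network N, no static for N, and "in" ACLs on the other interfaces denying N), as an added PIX 7 configuration example that is not from this thread. All addresses, interface names, ACL names and the peer are constructed; the ISAKMP policy and tunnel-group pre-shared key are omitted.

```cisco
! Constructed example: internal network N lives on VLAN 10 (PIX 7 subinterface syntax)
interface Ethernet1.10
 vlan 10
 nameif net-n
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! A second internal VLAN that must NOT reach network N
interface Ethernet1.20
 vlan 20
 nameif vlan20
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! Only VPN V (remote network 192.168.50.0/24, constructed) is matched against N.
! No other crypto map entry lists 10.10.10.0/24, so this tunnel is the only
! path by which traffic destined for N can arrive from outside.
access-list VPN-V-MATCH extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-V-MATCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.5
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Exempt the tunnelled flow from NAT; deliberately no "static" for 10.10.10.0/24,
! so nothing on the outside can reach N except through the tunnel.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (net-n) 0 access-list NONAT
!
! Inbound ACL on every other internal interface denies N, then permits the rest.
access-list VLAN20-IN extended deny ip any 10.10.10.0 255.255.255.0
access-list VLAN20-IN extended permit ip any any
access-group VLAN20-IN in interface vlan20
```

Repeat the deny/access-group pair for each remaining internal interface; the same ACL cannot be reused under a different name unless every interface gets identical rules.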

Walter Roberson wrote:

Ok

Ok

I thought it was a way to ensure stronger security.

Ok, so using "crypto map match address" I can assign a source IP for each connecting VPN client, and using an "in" ACL on the VLAN I can block undesired traffic.

But in this situation, how do I connect the PIX and the Catalyst Layer 3 switch?

Thank you for your time.

Luca
