
Which firewall do I need?

LawnBoy

MIS
Mar 12, 2003
2,881
I have a series of small process control networks currently being fed by individual DSL circuits through individual firewalls. As you can imagine, trying to monitor these circuits from a single workstation is a PITA. Besides, DSL just plain sucks and I've ordered a T-1 to replace them.

I'm looking for a single appliance that I can create multiple discrete firewalls with. I'd like to bring the T-1 (already converted to ethernet) into one port and then have up to 4 completely isolated rulesets on isolated ports to feed the different control systems, i.e.
Ruleset1 = outside<->inside1
Ruleset2 = outside<->inside2 etc.

I need full functionality on all rulesets; would an appliance with "DMZ ports" give me that? Some of these networks have duplicate IP schemes and handling NAT on each inside port is a must.

The total traffic load will be fairly small, the main point is so that vendors can VPN to their respective systems. I assume that I will need to continue to provide VPN servers on each network, or could this same appliance terminate the VPN and route the connection to the appropriate network?

I'm a novice when it comes to firewalls so any advice would be appreciated.


--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
With the ASA5510 Security Plus bundle you can have up to 5 separate security contexts (separate firewalls). It is fairly complicated so I don't think this setup would be for a novice but you can always give it a try and see how it comes out. I'm always surprised to see what I can do when I need to. If all else fails you can always hire a consultant to set it up and you can just do the management.

Here is a link to the security context guide. See if it was what you were thinking of.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
That was really looking good until I read
Some features are not supported, which include VPN
Do you know if it would allow VPN passthrough? I don't have to have it terminated at the appliance.
Supergrrover said:
It is fairly complicated
Trust me, it'd be simpler than what I've got running now. I'm not a novice with tcp/ip, just haven't played with firewalls all that much. If I could afford a consultant I'd have them pick the appliance...

Thanks for the lead, that helps a lot. Juniper's SSG-20 also looks like it might fit the bill.

--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
It can't terminate the VPN in transparent mode but it will allow pass through.
I haven't seen the Juniper line since it was NetScreen but I have heard good things about it. (I didn't like the Netscreen products but I think that was just me.) Don't know if it's any less complicated. Good luck. If you choose the ASA, just keep posting here until we get it sorted out. Good Luck.


Brent
Systems Engineer / Consultant
CCNP, CCSP
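As an added illustration (not from the thread, and not Cisco's own documentation) of the layout LawnBoy asked for, here is a sketch of the ASA multiple-context setup Brent describes, with the VPN passthrough from his follow-up. Interface names, addresses, context names and the pre-8.3 NAT syntax are all assumptions; each control network keeps its own routing table and NAT, so overlapping inside subnets are fine, and the shared outside port is told apart per context by the unique global/static addresses.

```cisco
! ===== system execution space (constructed example) =====
mode multiple
! physical ports are enabled here; each context sees only the ones it is given
interface Ethernet0/0
  no shutdown
interface Ethernet0/1
  no shutdown
interface Ethernet0/2
  no shutdown
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
! one context per control network: the T-1 port (Ethernet0/0) is shared,
! each inside port belongs to exactly one context
context plant1
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/1
  config-url disk0:/plant1.cfg
context plant2
  allocate-interface Ethernet0/0
  allocate-interface Ethernet0/2
  config-url disk0:/plant2.cfg

! ===== plant1.cfg: that context's own firewall (plant2.cfg is the same shape) =====
hostname plant1
interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 203.0.113.11 255.255.255.0
interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
! plant2 may also use 192.168.1.0/24 behind its own context; NAT hides the overlap
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
! publish the site's existing VPN server (192.168.1.10) on its own outside address
static (inside,outside) 203.0.113.21 192.168.1.10 netmask 255.255.255.255
! VPN passthrough only: IKE, NAT-T and ESP to that server, nothing else inbound
access-list outside_in extended permit udp any host 203.0.113.21 eq isakmp
access-list outside_in extended permit udp any host 203.0.113.21 eq 4500
access-list outside_in extended permit esp any host 203.0.113.21
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```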
 