Netgate Discussion Forum
    Help choosing appropriate Security Gateway appliance

    Hardware

    JoeBean

      I could use some help selecting between the SG-2220/SG-2440 for a network. It's a business client that's looking for a basic UTM gateway allowing for intrusion protection and virus scanning, and ideally site filtering, after having an intrusion last year with massive data loss. They have a very slow internet connection (DSL 5/1) and little LAN traffic, so even the SG-1000 would handle it if it could run squid/squidguard, but I'm guessing with only 4GB eMMC it would have trouble.

      All of that is simple enough. The thing that's throwing a monkey wrench into it for me is that occasionally they need to use an EOL Cisco PIX gateway that tunnels traffic to a remote network at their head office, where they VNC into computers on that network to access databases at HO. HO absolutely refuse to use anything other than the Cisco PIX for this VPN even though it's EOL. So they're stuck with it. They also need access to the PIX for administration, so it either has to be connected to DSL past the pfSense gateway or rules set up allowing it free access.

      I haven't set up a system like this before. My original idea was to have 2 WAN ports, thus the SG-2440, and route traffic that needs it to go through the PIX. But I'm wondering now if it wouldn't be possible to put the PIX on the LAN side, route traffic for their HO to it, and set firewall rules to allow any traffic to/from the PIX through. Would this be possible? If so, what kind of firewall rules would be required to allow admin traffic destined for the PIX through?

        whosmatt

        Does the client have (or can they obtain) multiple static IP addresses on the WAN? That, IMO, would be the easiest way to handle things. pfSense as the primary gateway, but the PIX with its own public IP address and a private IP address that is on a network that pfSense has an interface on. Static routes or policy-based routing would route the appropriate traffic over the PIX and everything else through pfSense.

          JoeBean
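What the policy-based-routing half of whosmatt's design looks like in pf syntax, the rule language pfSense generates from its GUI rules. This is an added example, not configuration from the thread, from Netgate or from whosmatt; every name and address in it is an assumed placeholder: em0 is the pfSense LAN interface, 192.168.1.0/24 the client LAN, 192.168.1.2 the PIX's inside address on that same segment, and 10.10.0.0/16 and 10.20.0.0/16 the head-office networks reached through the PIX tunnel.

```pf
# Added example (not from the thread): pfSense-style pf rules for
# "PIX on the LAN side, head-office traffic policy-routed to it".
# All interface names and addresses are assumed placeholders.

lan_if  = "em0"             # pfSense LAN interface (assumed)
lan_net = "192.168.1.0/24"  # client LAN (assumed)
pix_ip  = "192.168.1.2"     # PIX inside address on the client LAN (assumed)

# Head-office subnets that live behind the PIX tunnel (assumed)
table <ho_nets> { 10.10.0.0/16, 10.20.0.0/16 }

# 1. Policy-based routing: traffic from the LAN to head office is handed
#    to the PIX instead of following pfSense's default route.  route-to
#    overrides the routing table only for packets this rule matches, and
#    "quick" stops rule evaluation so rule 2 never sees them.
pass in quick on $lan_if route-to ( $lan_if $pix_ip ) inet \
    from $lan_net to <ho_nets> keep state

# 2. Everything else from the LAN goes out via pfSense's own WAN gateway
#    (the stock pfSense "LAN to any" rule).
pass in quick on $lan_if inet from $lan_net to any keep state

# 3. Administering the PIX from the LAN needs no pfSense rule at all: the
#    clients and $pix_ip share a segment, so SSH/telnet/PDM sessions to the
#    PIX never cross pfSense.  Administering it from the internet targets
#    the PIX's own public address on the WAN segment, which likewise never
#    passes through pfSense.
```

Two practical notes on this layout. First, with the PIX sitting on the client segment, its replies go straight back to the clients, so pfSense sees only the client-to-head-office half of each flow; if the point of the UTM is to run IDS/antivirus on the head-office traffic in both directions, give the PIX's inside address its own pfSense interface (OPT1) and use that interface in the route-to instead. Second, the static-route alternative whosmatt mentions is simply `route add -net 10.10.0.0/16 192.168.1.2` on pfSense (or a System > Routing static route in the GUI); it works because the clients already use pfSense as their default gateway, but it relies on pfSense forwarding, and ICMP-redirecting, toward a next hop on the same interface, which is the same one-directional visibility as above.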

          @whosmatt:

          Does the client have (or can they obtain) multiple static IP addresses on the WAN?  That, IMO, would be the easiest way to handle things.  pfSense as the primary gateway, but the PIX with its own public IP address and a private IP address that is on a network that pfSense has an interface on.  Static routes or policy based routing would route the appropriate traffic over the PIX and everything else through pfSense.

          They only have 1 IP available at the moment but I'm assuming/hoping they will be able to obtain multiple IPs.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.