Help choosing appropriate Security Gateway appliance



  • I could use some help selecting between the SG-2220/SG-2440 for a network.  It's  a business client that's looking for a basic UTM gateway allowing for intrusion protection and virus scanning, and ideally site filtering, after having an intrusion last year with massive data loss.  They have a very slow internet connection (DSL 5/1) and little LAN traffic so even the SG-1000 would handle it if it could run squid/squidguard, but I'm guessing with only 4GB eMMC it would have trouble.

    All of that is simple enough.  The thing that's throwing a monkey wrench into it for me is that occasionally they need to use an EOL Cisco Pix gateway that tunnels traffic to a remote network at their head office where they VNC into computers on that network to access databases at HO.  HO absolutely refuse to use anything other than the Cisco Pix for this VPN even though it's EOL.  So they're stuck with it.  They also need access to the Pix for administration so it either has to be connected to DSL past the PFSense gateway or rules set up allowing it free access.

    I haven't set up a system like this before.  My original idea was to have 2 WAN ports, thus the SG-2440, and route traffic that needs it to go through the Pix.  But I'm wondering now if it wouldn't be possible to put the Pix on the LAN side, route traffic for their HO to it and set firewall rules to allow any traffic to/from the Pix through.  Would this be possible? If so, what kind of firewall rules would be required to allow admin traffic destined for the Pix through?



  • Does the client have (or can they obtain) multiple static IP addresses on the WAN?  That, IMO, would be the easiest way to handle things.  pfSense as the primary gateway, but the PIX with its own public IP address and a private IP address that is on a network that pfSense has an interface on.  Static routes or policy based routing would route the appropriate traffic over the PIX and everything else through pfSense.



  • @whosmatt:

    Does the client have (or can they obtain) multiple static IP addresses on the WAN?  That, IMO, would be the easiest way to handle things.  pfSense as the primary gateway, but the PIX with its own public IP address and a private IP address that is on a network that pfSense has an interface on.  Static routes or policy based routing would route the appropriate traffic over the PIX and everything else through pfSense.

    They only have 1 IP available at the moment but I'm assuming/hoping they will be able to obtain multiple IPs.