Cisco 800 doing IPSec, where to place pfSense box?

  • Client has a Cisco 800 series box connecting back to application web server(s) over IPsec.  It's the only firewall.  I want to add pfSense.

    They have a single public-facing IP address.
    My goal is to put in place Squid as a transparent proxy, Lightsquid, pfBlockerNG and general visibility.

    What is the best way to add pfSense?  At the edge, in front of the Cisco box?  Behind it, bridging two LAN IPs?  (It's a single class C subnet.)

    Future / more info:
    Four departments, fewer than 100 devices.  I expect to have two physical LAN ports for segmenting, a layer 2 switch, etc.

    Thoughts or feedback appreciated.

  • LAYER 8 Netgate

    Why not just ditch the Cisco 800 and have pfSense do the IPsec tunnel?

  • The client paid ~$2500 (x2) recently for two of them (production), and a spare in case one fails.  They don't want me to touch it.

    The vendor who sold it to them takes responsibility for keeping the tunnel up (monitoring) and helping diagnose 'internet connectivity'… ha!
    edit: 'vendor' is also the application services (web based)

    They prefer I do not touch it... although I've been tempted to replace it and leave it unplugged...

    Thanks for any thoughts.

  • My suggested solution was to add a second internet-facing IP and add pfSense that way.  Create a second gateway address that we can then point everything to, and add a route to the existing IPsec gateway / application.  It seems we're going this way; there is no additional cost to add an IP address (fiber).
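The two-gateway layout described in the last post (pfSense as the new default gateway on the LAN, the Cisco 800 kept as the IPsec gateway, a static route for the application subnet) can be checked on paper before touching anything. The following is an added example, not code from the thread or from Netgate: a small longest-prefix-match forwarding simulation that traces the client-to-application flow in both directions for two ways of placing the static route. All addresses (192.168.1.0/24 for the LAN, 10.200.0.0/24 for the vendor's application subnet, 203.0.113.10 for an internet host) are made up for the example.

```python
import ipaddress

# Constructed topology (assumption, not from the thread): one /24 LAN, the
# pfSense box added as the default gateway, the Cisco 800 still terminating
# the IPsec tunnel to the vendor's application subnet. All addresses are
# made up (RFC 1918 / RFC 5737 ranges).
LAN = "192.168.1.0/24"
APP_SUBNET = "10.200.0.0/24"     # remote side of the IPsec tunnel (assumed)
ANY = "0.0.0.0/0"
ONLINK = "onlink"                # deliver on a directly attached interface


class Node:
    """A host or router with a longest-prefix-match routing table."""

    def __init__(self, name, ip, routes):
        self.name = name
        self.ip = ipaddress.ip_address(ip)
        # routes: list of (prefix, next-hop node name or ONLINK)
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def trace(nodes, src, dst, max_hops=8):
    """Return the list of node names a packet from src traverses to reach dst."""
    dst = ipaddress.ip_address(dst)
    cur, path = src, [src]
    for _ in range(max_hops):
        if nodes[cur].ip == dst:
            return path
        nh = nodes[cur].next_hop(dst)
        if nh is None:
            raise ValueError(f"{cur}: no route to {dst}")
        if nh == ONLINK:
            owner = next((n for n in nodes.values() if n.ip == dst), None)
            if owner is None:
                raise ValueError(f"{cur}: {dst} not on any attached link")
            path.append(owner.name)
            return path
        path.append(nh)
        cur = nh
    raise RuntimeError("routing loop")


def build(client_routes, pfsense_routes):
    nodes = [
        Node("client", "192.168.1.50", client_routes),
        Node("pfsense", "192.168.1.254", pfsense_routes),
        # The Cisco sits on the LAN and owns the tunnel to APP_SUBNET.
        Node("cisco", "192.168.1.1", [(LAN, ONLINK), (APP_SUBNET, ONLINK)]),
        # The application server sends LAN-bound replies back into the tunnel.
        Node("app", "10.200.0.10", [(APP_SUBNET, ONLINK), (LAN, "cisco")]),
        Node("web", "203.0.113.10", [(ANY, ONLINK)]),  # some internet host
    ]
    return {n.name: n for n in nodes}


# Design 1: clients carry the specific route to the app subnet via the Cisco
# (for example pushed as a DHCP classless static route); pfSense is only the default.
ROUTE_ON_CLIENTS = build(
    client_routes=[(LAN, ONLINK), (APP_SUBNET, "cisco"), (ANY, "pfsense")],
    pfsense_routes=[(LAN, ONLINK), (ANY, ONLINK)],
)

# Design 2: clients know only pfSense; pfSense holds a static route for the
# app subnet pointing back out its LAN interface at the Cisco.
ROUTE_ON_PFSENSE = build(
    client_routes=[(LAN, ONLINK), (ANY, "pfsense")],
    pfsense_routes=[(LAN, ONLINK), (APP_SUBNET, "cisco"), (ANY, ONLINK)],
)


def app_flow(nodes):
    """Forward and return path of a client<->app flow, and whether pfSense sees each."""
    fwd = trace(nodes, "client", "10.200.0.10")
    rev = trace(nodes, "app", "192.168.1.50")
    return fwd, rev, ("pfsense" in fwd, "pfsense" in rev)


if __name__ == "__main__":
    for label, nodes in (("route on clients", ROUTE_ON_CLIENTS),
                         ("route on pfSense", ROUTE_ON_PFSENSE)):
        fwd, rev, (sees_fwd, sees_rev) = app_flow(nodes)
        print(f"{label}: {' > '.join(fwd)} / {' > '.join(rev)}")
        if sees_fwd != sees_rev:
            print("  asymmetric: pfSense sees one direction only; its state table will drop replies")
        print("  internet:", " > ".join(trace(nodes, "client", "203.0.113.10")))
```

Two things the trace makes visible. First, in both designs the application traffic never crosses pfSense in both directions, so Squid, Lightsquid and pfBlockerNG only ever see the general internet traffic; that matches the stated goal, but do not expect proxy logs for the vendor application. Second, with the static route on pfSense only (design 2), pfSense forwards the client's SYN back out its LAN interface to the Cisco while the reply goes Cisco to client directly; a stateful firewall that sees only one direction will drop the flow, so either push the application route to the clients, or enable pfSense's option to bypass firewall rules for traffic on the same interface (under System > Advanced > Firewall & NAT) for that route.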


