User:Pixconfiguration

PIX Deployment Scenarios

The Cisco PIX and ASA VPN capabilities have their origins in Cisco IOS VPN technologies. VPNs were first introduced in the Cisco IOS router product line and were then added to the PIXs in an early 5.x release. Like the routers and the concentrators, Cisco PIXs support many VPN solutions, including IPsec, PPTP, and L2TP. Because of their flexibility, they can be used in many different situations. The ASA was introduced in August 2005. The ASA is a unique hybrid security product, combining capabilities from the PIX, the VPN 3000, and the IDS 4200 sensors. This section focuses on how PIX and ASA security appliances can be used to enhance the VPN solution in your network.

Specifically, this section covers the following:

L2L and Remote Access Connections

The Special Capabilities of PIXs and ASAs

L2L and Remote Access Connections

PIXs and ASAs support L2L and remote access connections. For remote access solutions, the PIXs and ASAs can be Easy VPN Servers, and the PIX 501 and 506E can be Easy VPN Remotes (clients). As I pointed out in Chapter 9, "Concentrator Site-to-Site Connections," I prefer to use Cisco routers for L2L sessions and concentrators for remote access connections. With the introduction of the ASA security appliances, they also can terminate SSL VPNs, with SSL capabilities similar to those of the VPN 3000 concentrators.

Routers support enhanced routing and QoS capabilities over Cisco PIX and ASA security appliances and VPN 3000 concentrators. In addition, VPN 3000 concentrators scale better for remote access connections and are easy to set up. However, the Cisco PIX and ASA security appliances, first and foremost, provide better-integrated and more comprehensive security services than routers and concentrators. Therefore, if you want to augment your VPN solution with security and firewall capabilities and put it all in a single box, or if you need enhanced address translation services for VPNs that terminate on the VPN device, the PIX or ASA is a much better choice than a router or a concentrator.

Special Capabilities of PIXs and ASAs

I prefer to use PIXs or ASAs in a VPN solution when I need advanced address translation capabilities in addition to advanced firewall and security services. There are three main features the PIX and ASA security appliances have over Cisco VPN 3000 concentrators and IOS-based routers with regard to VPN implementations: address translation, stateful firewall services, and redundancy.

Address Translation

The PIX was originally developed by Network Translation as an address translation device in 1994. From the beginning, the PIX has had its roots in address translation. The concentrator's address translation capabilities are very minimal, and Cisco routers' capabilities are based primarily on address translation between two logical locations: inside and outside. The PIX's address translation capabilities, however, can handle multiple interfaces easily, with different translation policies for different interfaces. Policy address translation is one of its main strengths. I have often tried to set up complex address translation policies, such as bidirectional NAT on a multi-interfaced router, then quickly gave up and easily set up the same policies on a PIX.

Stateful Firewall Services

With the introduction of FOS 6.x and 7.0, the PIX and ASA security appliances provide one of the best, if not the best, integrated stateful firewall services on the market, including support for IPv4 and IPv6. Besides performing stateful firewall functions, they support excellent application layer inspection and filtering capabilities, including detailed inspection of application layer data such as HTTP, FTP, SMTP, ESMTP, multimedia applications, voice, and many others. They support advanced protection and detection features to guard against TCP flood attacks, DNS spoofing, fragmentation attacks, host attacks, and e-mail attacks. The PIX and ASA can also be used to detect and block instant messaging applications, peer-to-peer file sharing applications, and other applications that tunnel traffic through web services, such as AOL's Instant Messenger, KaZaA, and GoToMyPC.

Redundancy

Cisco PIXs support stateful failover for redundancy of connections. Before FOS 7.0, though, this did not include redundancy for VPN sessions; nor did it allow both PIXs, in a failover configuration, to process traffic. With the introduction of FOS 7.0, both PIXs or ASAs in a failover configuration can actively process traffic; this is referred to as Active/Active failover. Cisco routers do not support this type of redundancy, but the VPN 3000 concentrators use VCA. However, with VCA, any remote access connections dropped by a failed concentrator must be rebuilt by the remote access clients through the master of the cluster, so a temporary loss of connectivity will occur.

With 7.0 of the FOS software, if one of the PIXs (or ASAs) in a failover configuration fails, all the necessary VPN information already exists on the other, redundant PIX, and the redundant PIX can immediately begin processing the VPN traffic. This solution provides a true stateful failover configuration not only for VPN traffic, but for any traffic flowing through the PIXs.

Note

Active/Active failover provides load balancing comparable to the VCA feature of the VPN 3000 concentrators, and Active/Standby failover provides stateful failover for VPN sessions.

Failover times between PIXs or ASAs have been reduced to subsecond times when serial-based failover is used and 3 seconds when LAN-based failover is used. Another great feature in FOS 7.0 is zero-downtime software upgrades. You can upgrade the PIX or ASA without having to reboot it, which can be very important for mission-critical VPN applications.
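As an added configuration example (not from the book or from Cisco's own documentation), the following shows the primary unit of an Active/Standby, LAN-based, stateful failover pair in FOS 7.0-style syntax, with a dedicated state link and the failover messages encrypted with a shared key. The hostname, interface names, addresses and key are constructed, and the `polltime ... holdtime` form is assumed to be available on the release in use.

```cisco
! Constructed example: primary unit of an Active/Standby stateful failover pair.
hostname asa-primary
!
! Data interface: the standby address is what the secondary unit uses while passive,
! and the active IP/MAC follow the active role on failover.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 no shutdown
!
! Dedicated, physically separate links for failover control and for state replication.
! Keep them off any user-reachable segment: they carry connection and VPN state.
interface GigabitEthernet0/2
 description LAN-based failover control link
 no shutdown
interface GigabitEthernet0/3
 description Stateful failover (state replication) link
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover interface ip FOLINK 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover link STATELINK GigabitEthernet0/3
failover interface ip STATELINK 10.255.0.5 255.255.255.252 standby 10.255.0.6
! Encrypt failover control and state traffic between the units (placeholder key).
failover key REPLACE-WITH-SHARED-KEY
! Hello every 1 s, declare the peer failed after 3 s (assumed 7.x syntax); this is the
! LAN-based detection time quoted above. Serial-based failover is faster but needs the cable.
failover polltime unit 1 holdtime 3
!
! The secondary unit uses the identical configuration with "failover lan unit secondary";
! verify the pair with "show failover" (state, last failover time, and replicated sessions).
```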

