So the biggest problem I can see with your proposed layout, having the access point on the outside of the router/firewall, is that your access point is going to be the one getting the IP from the cable modem, and if your cable modem is one of those that only hands out one IP, there isn't going to be one available for your router. You said your access point is a wireless router, so if it has the ability to hand out DHCP addresses and stuff then that's cool, you could set it up like this:
Cable Modem-->--AP-->--Router
The problem you are going to have with this is prohibiting anyone who manages to authenticate to the AP from getting out to the internet. Does your AP have the ability to create Access-Lists? If so you can create one to permit only IPSEC traffic from your AP to the Router. The possible problem with this is the risk of that access-list getting applied to all the traffic coming from the Router (because the Router is plugged into the AP, the traffic from the Router is gonna have to go through the AP to get to the cable modem). How that works is going to depend on how specific you can get with the application of the ACLs on your AP (like whether you can only apply that ACL to wireless users as opposed to wireless and ethernet).
The alternatives could be to get another cheap router and set it up like:
Cable Modem-->--Router1-->--AP-->--Router2-->--Switch-->--PCs
Router2 would be your 3DES firewall/VPN box. This setup is gonna depend a lot on the capabilities of your AP. Mostly you need to be able to restrict traffic from that AP from going out Router1 and permit only traffic to go to Router2. If you had the capability to do Access Lists on the AP I would say you could possibly go so far as to create an ACL on that AP to only permit IPSEC traffic to Router2. The AP would hang off the integrated switch of Router1. Plug Router2 into the integrated switch for Router1 as well. Don't plug Router2 into the AP, as any ACLs you have defined on the AP will probably apply to the traffic coming from Router2 as well and that could make weird stuff happen...unless your AP lets you define where you apply the ACLs (on the wireless side or the ethernet side).
The other option is this:
Cable Modem-->--Router-->--AP and switch with PCs
In this setup you'd put the AP and the switch with the PCs attached to it behind the same router. You could do some MAC address filtering on your AP to only permit your MAC address. If your firewall/router has the ability to accept a VPN tunnel into its inside interface as opposed to the outside you could then fire up your VPN tunnel to encrypt your wireless session. If your AP has ACL capabilities you could create an ACL on the AP to only permit IPSEC traffic to your router, that should prohibit anyone who might spoof your MAC address and figure out all your wireless security from getting onto your network, because they'd also have to have your VPN software and know your username/password for your VPN setup.
Make sense? If it were me I'd use the last option. It's pretty simple and you don't have to mess with Access-Lists if you don't want to (making one will give you some extra security though).
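
Added example, not part of the original post: a small Python model of the "permit only IPSEC to the router" ACL, evaluated over constructed packets, showing how the result changes when the ACL is bound to the wireless side only versus both sides of the AP. The router address, the interface names `wlan`/`eth`, and the inclusion of UDP 4500 (NAT traversal) alongside IKE on UDP 500 are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ROUTER_IP = ip_address("192.168.1.1")  # assumed router address (constructed)
TCP, UDP, ESP, AH = 6, 17, 50, 51      # IANA IP protocol numbers
IKE_PORTS = {500, 4500}                # IKE, and IKE/ESP over UDP (NAT traversal)

@dataclass(frozen=True)
class Packet:
    in_iface: str   # hypothetical AP interface names: "wlan" or "eth"
    dst: str
    proto: int
    dport: int = 0

def is_ipsec_to_router(pkt: Packet) -> bool:
    """The single permit rule: IPsec, and only toward the router."""
    if ip_address(pkt.dst) != ROUTER_IP:
        return False
    if pkt.proto in (ESP, AH):
        return True
    return pkt.proto == UDP and pkt.dport in IKE_PORTS

def acl_permits(pkt: Packet, acl_ifaces: set) -> bool:
    """True if the AP forwards pkt when the ACL is bound inbound on acl_ifaces."""
    if pkt.in_iface not in acl_ifaces:
        return True                    # no ACL on the arrival interface
    return is_ipsec_to_router(pkt)     # everything else: implicit deny

# Constructed sample traffic
SAMPLES = {
    "wifi client IKE to router": Packet("wlan", "192.168.1.1", UDP, 500),
    "wifi client ESP to router": Packet("wlan", "192.168.1.1", ESP),
    "wifi client HTTP to internet": Packet("wlan", "203.0.113.10", TCP, 80),
    "router HTTPS to internet": Packet("eth", "203.0.113.10", TCP, 443),
}

def evaluate(acl_ifaces: set) -> dict:
    """Map each sample packet's name to whether the AP would forward it."""
    return {name: acl_permits(p, acl_ifaces) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for ifaces in ({"wlan"}, {"wlan", "eth"}):
        print(sorted(ifaces), evaluate(ifaces))
```

With the ACL on `wlan` only, the router's own traffic still passes through the AP; bound to both interfaces, the same rule drops it.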