Re: PIX VPN, from nat without VPN to nat with it
John Harrigton
09-16-04 01:47 AM

If I understand correctly you want to have your central location
running servers with routable IP addresses?  I hope I am
misunderstanding this point but that's another discussion.

You want to have each of the remote location PIX506 connect in to the
central PIX515 to access server-based resources.  Not a problem.

You create static LAN-to-LAN VPN tunnels between the 506s and the
single 515.  Think of it as a Hubbed Topology.  Using the appropriate
static route statements you have traffic route over the VPN.  If you
extend the static routes out properly (hopefully using a router, not
the PIX515) you can even have each location accessible across the
sites.

With enough planning and bandwidth, you could even create multiple L2L
tunnels creating a more meshed topology.  Mostly to interconnect the
more critical locations.  It would mean faster transfers and
communication as all traffic wouldn't have to route through the
central site.  You do run the risk of tapping the throughput of the
PIX506 rather quickly though.

Side suggestion, if you can in any way afford it, an important point
is that your single point of failure is the lone PIX515.  Get that in
to an HA pair.  It's actually rather simple to configure.

- John




On 5 Jul 2004 03:55:05 -0700, nwu-cge@iximail.com (Allan Wilson)
wrote:

>Hi,
>
>I am not a cisco PIX guru, I just need to know if something is
>possible ;-)
>
>On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
>of PIX 506 with VPN capabilities too.
>
>Is it possible to do so?
>
>On the central site, we'd use real IP addressing for the servers. I.e.,
>195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.
>
>On the remote site, we have most of the time a Private Network
>according to the RFC hide-NATed to the IP of the external interface of
>the firewall.
>
>So, now, the RFC hide-NATed networks get the external IP of the PIX
>506 firewall if they need to get into 195.238.10.0/26. It works ok.
>
>Now, for security reasons, we'd need to have the NATed data flow to be
>VPN encrypted and auth.
>
>What to add into the PIX 506 and PIX 515 to achieve so?
>
>Thank you,
>
>Allan
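One way to realise the NAT exemption plus the L2L tunnel John describes, as an added configuration example (not from either post), in PIX 6.x syntax for the spoke PIX 506. The spoke LAN 192.168.10.0/24, the hub's outside address 192.0.2.1 and the pre-shared key are placeholders; the hub PIX 515 carries the mirror-image configuration with source and destination swapped.

```cisco
! Constructed example for the spoke PIX 506 (PIX 6.x syntax).
! Assumed addresses: spoke LAN 192.168.10.0/24 (placeholder),
! hub PIX 515 outside address 192.0.2.1 (placeholder), hub server
! subnet 195.238.10.0/26 as stated in the question.

! Traffic that must go through the tunnel keeps its private source
! address: exempt it from hide-NAT (nat 0) before the crypto map sees it.
access-list nonat permit ip 192.168.10.0 255.255.255.0 195.238.10.0 255.255.255.192
nat (inside) 0 access-list nonat

! Everything else is still hide-NATed to the outside interface, as today.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Crypto ACL: defines exactly which flows are encrypted. The hub's
! crypto ACL must be the mirror image (source and destination swapped).
access-list vpn-to-hub permit ip 192.168.10.0 255.255.255.0 195.238.10.0 255.255.255.192

! Phase 2 (IPsec) parameters. 3DES/SHA is what every PIX 6.x image
! supports; prefer AES where the image offers it.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address vpn-to-hub
crypto map hubmap 10 set peer 192.0.2.1
crypto map hubmap 10 set transform-set strong
crypto map hubmap interface outside

! Phase 1 (IKE) parameters. The pre-shared key is a placeholder; use a
! different strong key per spoke so one leaked key does not expose all sites.
isakmp enable outside
isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Lets decrypted tunnel traffic bypass the outside interface ACL.
! This trusts everything arriving through the tunnel: if the spoke LAN
! should only reach specific servers, narrow the crypto ACL (and the
! nat 0 ACL) to those hosts instead of the whole /26.
sysopt connection permit-ipsec
```

After both sides are configured, `show crypto isakmp sa` and `show crypto ipsec sa` on either PIX confirm that phase 1 and phase 2 came up and that the encrypted packet counters increase only for the flows in the crypto ACL.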
