Unless you're running the new PIX 7.0 software, the PIX won't work in
"one-arm" mode, so you'll need to use another of the PIX interfaces
for the connection to the rest of your network. I'll assume you'll
use the inside interface for that. The PIX also doesn't
automatically do proxy arp for VPN client addresses that are assigned
from the subnet the PIX interface is in, but you can force it to by
adding static arp entries with the "alias" keyword at the end. If
you have a large pool of addresses this is a pain, so it's usually
better to assign client addresses from a unique subnet and then make
sure the rest of your network routes traffic to that subnet to the
inside interface of the PIX. Since you'll be doing NAT between the
PIX and the clients, make sure you add the "isakmp nat-traversal 20"
command to your config. This enables the NAT-Traversal feature that
encapsulates ESP traffic in UDP/4500 packets if it detects NAT, which
is often necessary if either or both ends of the VPN are behind a NAT
device. None of the Cisco sample configs seem to include it, but
it's a very good feature and you should probably always use it when
configuring IPSec in a PIX.
I think that covers all your questions. If not, or you have more,
send 'em on and we'll see what we can do.
Good luck!
Dana
---
Dana J. Dawson Dana.Dawson (at) qwest (dot) com [email concealed]
Sr. Staff Engineer CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
On Jun 10, 2005, at 1:18 PM, Tristan RHODES wrote:
> I want to use a Pix 515 device to set up a VPN for remote users.
>
> Here is what I think the connection will look like.
>
> [VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----
> [VPN-515]
>
> Users will connect to their ISP and fire up the Cisco VPN client. They
> will connect to the VPN-515 device and start a VPN session. They will
> be assigned an IP on one of our internal networks. From then on, they
> should have access as if they were located on campus.
>
> Let's assume that the 6500 has an interface addressed 10.0.200.1/24.
> The VPN-515 has an outside IP address of 10.0.200.254/24.
>
> I am not sure how to configure the VPN-515 to make this happen. Should
> I use a second interface on the VPN-515 to connect back into the 6500,
> or should I do one-arm routing? Will I need a new IP network for
> users?
>
> Any help would be appreciated.
>
> Tristan Rhodes
> _______________________________________________
> VPN mailing list
> VPN (at) lists.shmoo (dot) com [email concealed]
> http://lists.shmoo.com/mailman/listinfo/vpn
>
_______________________________________________
VPN mailing list
VPN (at) lists.shmoo (dot) com [email concealed]
http://lists.shmoo.com/mailman/listinfo/vpn
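A configuration sketch of the approach Dana recommends, added here as an illustration; it is not taken from the thread or from Cisco's sample configs. It puts the VPN clients on their own subnet, uses the PIX inside interface for the path back into the campus, enables NAT-Traversal with the "isakmp nat-traversal 20" command, and adds the route on the rest of the network that sends the client subnet to the PIX inside interface. Everything not in the thread is assumed: PIX 6.3 syntax, the client pool 10.0.201.0/24, an inside subnet 10.0.210.0/24 with the PIX inside at 10.0.210.2 and the 6500 at 10.0.210.1, the group name "remoteusers", and the pre-shared key placeholder.

```cisco
! ---- PIX 515 (PIX 6.3 syntax assumed; all addresses below are constructed) ----
! Outside faces the 6500 at 10.0.200.1 as in the question; inside carries
! decrypted client traffic back into the campus network (assumed subnet).
ip address outside 10.0.200.254 255.255.255.0
ip address inside 10.0.210.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.0.200.1
route inside 10.0.0.0 255.0.0.0 10.0.210.1

! Client addresses come from a subnet of their own, so no per-address
! proxy-ARP entries are needed on the inside interface.
ip local pool vpnpool 10.0.201.10-10.0.201.250

! Do not NAT traffic between the campus and the VPN client pool.
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.0.201.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec

! Phase 1 for the remote-access group (pre-shared key).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT-Traversal: ESP is encapsulated in UDP/4500 when a NAT device is
! detected between the client and the PIX; 20 is the keepalive interval
! in seconds. This is the command from Dana's reply.
isakmp nat-traversal 20

! Phase 2 for the Cisco VPN client via a dynamic crypto map.
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside

vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers password <group-pre-shared-key-placeholder>

! The alternative Dana mentions, only if the pool had to come out of the
! inside subnet itself: one static ARP entry per pool address with
! "alias" at the end (shape only, MAC is a placeholder):
!   arp inside 10.0.210.50 <pix-inside-mac> alias
! One line per client address is why the separate pool subnet is easier.

! ---- 6500 (IOS, assumed to have an interface on 10.0.210.0/24) ----
! Send traffic for the client pool to the PIX inside interface.
ip route 10.0.201.0 255.255.255.0 10.0.210.2
```

Two things to verify after applying something like this: that every router and firewall on the campus side knows 10.0.201.0/24 lives behind the PIX inside interface (the single static on the 6500 only helps if the 6500 is the path everything else uses), and that a client behind a home NAT device actually shows "NAT-T" in "show isakmp sa" or "show crypto isakmp sa" rather than plain ESP, which is the quick way to confirm the nat-traversal command took effect.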