[VPN] Re: Cisco VPN for remote users - Pix 515
Tristan RHODES
TristanRhodes at weber.edu
Mon Jun 13 15:36:20 EDT 2005
Dana,
Thanks for your reply. I appreciate your time and effort.
I am running Pix 6.3 software so I will probably use the inside
interface like you said.
[6500](a)-----(b)[515](c)-----|
   |(d)                       |
   ----------------------------
Legend:
(a) = 6500 interface VLAN 200 (10.10.200.1/24)
(b) = Pix "outside" interface (10.10.200.254/24)
(c) = Pix "inside" interface (10.10.201.254/24)
(d) = 6500 interface VLAN 201 (10.10.201.1/24)
I think you are telling me that I should use a third network for
users... perhaps 10.10.203.0/24.
If this design is correct, my next step is to set up the VPN and routing
correctly. Any hints?
Tristan
>>> "Dana J. Dawson" <Dana.Dawson at qwest.com> wrote on 06/10/05 4:31 PM:
> Unless you're running the new PIX 7.0 software, the PIX won't work in
> "one-arm" mode, so you'll need to use another of the PIX interfaces
> for the connection to the rest of your network. I'll assume you'll
> use the inside interface for that. The PIX also doesn't
> automatically do proxy arp for VPN client addresses that are assigned
> from the subnet the PIX interface is in, but you can force it to by
> adding static arp entries with the "alias" keyword at the end. If
> you have a large pool of addresses this is a pain, so it's usually
> better to assign client addresses from a unique subnet and then make
> sure the rest of your network routes traffic to that subnet to the
> inside interface of the PIX. Since you'll be doing NAT between the
> PIX and the clients, make sure you add the "isakmp nat-traversal 20"
> command to your config. This enables the NAT-Traversal feature that
> encapsulates ESP traffic in UDP/4500 packets if it detects NAT, which
> is often necessary if either or both ends of the VPN are behind a NAT
> device. None of the Cisco sample configs seem to include it, but
> it's a very good feature and you should probably always use it when
> configuring IPSec in a PIX.
>
> I think that covers all your questions. If not, or you have more,
> send 'em on and we'll see what we can do.
>
> Good luck!
>
> Dana
>
> ---
> Dana J. Dawson Dana.Dawson at qwest.com
> Sr. Staff Engineer CCIE #1937
> Qwest Communications
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."
>
> On Jun 10, 2005, at 1:18 PM, Tristan RHODES wrote:
>
>> I want to use a Pix 515 device to set up a VPN for remote users.
>>
>> Here is what I think the connection will look like.
>>
>> [VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----
>> [VPN-515]
>>
>> Users will connect to their ISP and fire up the Cisco VPN client. They
>> will connect to the VPN-515 device and start a VPN session. They will
>> be assigned an IP on one of our internal networks. From then on, they
>> should have access as if they were located on campus.
>>
>> Let's assume that the 6500 has an interface addressed 10.0.200.1/24.
>> The VPN-515 has an outside IP address of 10.0.200.254/24.
>>
>> I am not sure how to configure the VPN-515 to make this happen. Should
>> I use a second interface on the VPN-515 to connect back into the 6500,
>> or should I do one-arm routing? Will I need a new IP network for
>> users?
>>
>> Any help would be appreciated.
>>
>> Tristan Rhodes
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>>