[VPN] Re: Cisco VPN for remote users - Pix 515

Tristan RHODES TristanRhodes at weber.edu
Mon Jun 13 15:36:20 EDT 2005


Dana,

Thanks for your reply.  I appreciate your time and effort.

I am running Pix 6.3 software so I will probably use the inside
interface like you said.

[6500](a)-----(b)[515](c)-----|
    |(d)                      |
    ---------------------------

Legend:
(a) = 6500 interface VLAN 200 (10.10.200.1/24)
(b) = Pix "outside" interface (10.10.200.254/24)
(c) = Pix "inside" interface (10.10.201.254/24)
(d) = 6500 interface VLAN 201 (10.10.201.1/24)

I think you are telling me that I should use a third network for
users... perhaps 10.10.203.0/24.

If this design is correct, my next step is to set up the VPN and routing
correctly.  Any hints?

Tristan

>>> "Dana J. Dawson" <Dana.Dawson at qwest.com> wrote on 06/10/05 4:31 PM:
> Unless you're running the new PIX 7.0 software, the PIX won't work in
> "one-arm" mode, so you'll need to use another of the PIX interfaces
> for the connection to the rest of your network.  I'll assume you'll
> use the inside interface for that.  The PIX also doesn't
> automatically do proxy arp for VPN client addresses that are assigned
> from the subnet the PIX interface is in, but you can force it to by
> adding static arp entries with the "alias" keyword at the end.  If
> you have a large pool of addresses this is a pain, so it's usually
> better to assign client addresses from a unique subnet and then make
> sure the rest of your network routes traffic to that subnet to the
> inside interface of the PIX.  Since you'll be doing NAT between the
> PIX and the clients, make sure you add the "isakmp nat-traversal 20"
> command to your config.  This enables the NAT-Traversal feature that
> encapsulates ESP traffic in UDP/4500 packets if it detects NAT, which
> is often necessary if either or both ends of the VPN are behind a NAT
> device.  None of the Cisco sample configs seem to include it, but
> it's a very good feature and you should probably always use it when
> configuring IPSec in a PIX.
> 
> I think that covers all your questions.  If not, or you have more,  
> send 'em on and we'll see what we can do.
> 
> Good luck!
> 
> Dana
> 
> ---
> Dana J. Dawson                     Dana.Dawson at qwest.com 
> Sr. Staff Engineer                 CCIE #1937
> Qwest Communications
> 600 Stinson Blvd., Suite 1S
> Minneapolis  MN  55413-2620
> 
> "Hard is where the money is."
> 
> On Jun 10, 2005, at 1:18 PM, Tristan RHODES wrote:
> 
>> I want to use a Pix 515 device to set up a VPN for remote users.
>>
>> Here is what I think the connection will look like.
>>
>> [VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----[VPN-515]
>>
>> Users will connect to their ISP and fire up the Cisco VPN client.  They
>> will connect to the VPN-515 device and start a VPN session.  They will
>> be assigned an IP on one of our internal networks.  From then on, they
>> should have access as if they were located on campus.
>>
>> Let's assume that the 6500 has an interface addressed 10.0.200.1/24.
>> The VPN-515 has an outside IP address of 10.0.200.254/24.
>>
>> I am not sure how to configure the VPN-515 to make this happen.  Should
>> I use a second interface on the VPN-515 to connect back into the 6500,
>> or should I do one-arm routing?  Will I need a new IP network for
>> users?
>>
>> Any help would be appreciated.
>>
>> Tristan Rhodes
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com 
>> http://lists.shmoo.com/mailman/listinfo/vpn 
>>
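As an added illustration (not posted by either Tristan or Dana), here is what the PIX 6.3 side of the design drawn above could look like, with client addresses from a separate 10.10.203.0/24 pool so no "alias" ARP entries are needed and "isakmp nat-traversal 20" in place; the group name, pool range, DNS server, 10.0.0.0/8 campus summary and every password are assumptions or placeholders.

```cisco
! --- PIX 515 running 6.3 (added example; names, pool, summary route and
! --- passwords are assumptions/placeholders, not from the thread) ---
! Interfaces as drawn: outside toward 6500 VLAN 200, inside toward VLAN 201
ip address outside 10.10.200.254 255.255.255.0
ip address inside 10.10.201.254 255.255.255.0
! Default route toward the 6500 / Internet; campus prefixes via VLAN 201.
! 10.0.0.0/8 is an assumed campus summary, replace with the real prefixes.
route outside 0.0.0.0 0.0.0.0 10.10.200.1
route inside 10.0.0.0 255.0.0.0 10.10.201.1
! Client pool on its own subnet: the campus routes to it, no proxy-arp tricks
ip local pool vpnpool 10.10.203.1-10.10.203.254
! Never NAT campus <-> client-pool traffic
access-list nonat permit ip 10.0.0.0 255.0.0.0 10.10.203.0 255.255.255.0
nat (inside) 0 access-list nonat
! Decrypted IPsec traffic bypasses the outside access-list; restrict what
! clients may reach on the inside with a separate access-list if required.
sysopt connection permit-ipsec
! Phase 1 (ISAKMP)
isakmp enable outside
isakmp identity address
! NAT-T: detect NAT in the path, carry ESP in UDP/4500, keepalive every 20 s.
! Without this, clients behind a home NAT router authenticate but pass no data.
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Phase 2: dynamic crypto map, since client source addresses are unknown
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address respond
! Per-user authentication (Xauth) from the local user database, so the group
! pre-shared key alone is never enough to get a session
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
! VPN client group; the name and group key go into the client's profile
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 10.10.201.10
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password GROUP_KEY_PLACEHOLDER
username vpnuser password USER_PASSWORD_PLACEHOLDER
! --- Catalyst 6500 (IOS): reach the client pool through the PIX inside ---
ip route 10.10.203.0 255.255.255.0 10.10.201.254
```

The 6500 route is the piece Dana's "make sure the rest of your network routes traffic to that subnet to the inside interface of the PIX" refers to; without it, return traffic for 10.10.203.0/24 follows the 6500's default route instead of going back through the PIX.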