3 PIX VPN questions - FUN FUN FUN

Discussion in 'Cisco' started by frishack@gmail.com, Mar 10, 2006.

  1. Guest

    Hope these aren't stupid questions, but here goes, some background
    first:
    I have a PIX 515 6.3(5) at head office; remote sites are 1720's or
    1750's running a flavor of 12.1 (due to memory shortage, cannot
    upgrade) connected via site to site VPNs to this PIX. I have 3
    questions that I can't seem to sort out. Please help me if you know the
    answers:

    1. Can I use BGP with the 1700s over this VPN to my network of routers
    that are on the internal network? Are there any caveats in this
    situation? My Internal routers are connected via
    Frame/Wireless/dedicated lines to a 3640 on the internal network, and
    are already successfully running BGP?

    2. How can I route traffic from one remote VPN site to another remote
    VPN site? I have added the appropriate subnets to the crypto ACL on
    each router, and added entries to the NAT 0 ACL, but still can't route
    between VPN subnets. Any idea what else is needed? The VPN remote sites
    can all successfully route to the other internal (non-VPN) WAN sites.

    3. Currently I have to bounce these VPN remote site users off an
    internal proxy in order to allow them to browse the internet. This is
    a problem for me as squid is not passing the credentials to our
    Websense server, preventing me from tracking usage of individuals, as
    they all appear to be the same user to Websense. Is there a PIX rule
    where traffic can't go back out the same interface it came in on? I
    seem to remember something like this, but can't find the info again.
    Is there a workaround to this situation? Something I'm missing?

    thanks
    tical
    , Mar 10, 2006
    #1

  2. Cliff Guest

    1) Yes, 1700s support iBGP and eBGP, depending on IOS version I'm sure...
    2) The way I would do it is..
    Have my remote sites dial into my network internally. Then have all
    traffic pass through an internal router, which does all your routing
    between sites. Then have one gateway out, going to your squid server,
    then your pix, then finally a border router, or your isp.

    So your network topology would look in this order.

    Internet (ISP)
          |
    Border Router or PIX
          |
         PIX
          |
    Squid (Proxy)
          |
    Internal Router
      |         |         |
     VPN       VPN       VPN
    Remote    Remote    Remote
     Site      Site      Site
    Cisco     Cisco     Cisco
     1700      1700      1700


    3) This would change when I changed my network topology to how I stated
    before.


    I doubt I helped ya that much but hopefully inspired some ideas for
    you.
    Cliff, Mar 10, 2006
    #2

  3. In article <>,
    <> wrote:
    >I have a PIX 515 6.3(5)


    >Is there a PIX rule
    >where traffic can't go back out the same interface it came in on?


    Yes, in PIX 6.3(5), traffic cannot go out the same logical interface
    it came in on.

    The PIX 515 supports logical interfaces in 6.3(5). A logical
    interface is an 802.1Q VLAN that is associated with an IP address
    range. And of course the PIX 515 supports multiple physical interfaces.

    The PIX 515 supports PIX 7.0 and PIX 7.1. PIX 7.0 has a number
    of configuration changes relative to 6.x; one of them allows
    you to route traffic back through the same interface provided
    that a VPN is involved.
    Walter Roberson, Mar 11, 2006
    #3
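    The 7.0 behaviour Walter describes is the key to question 2. As an added example (not from anyone in this thread), here is what a PIX 7.0+ hub needs so that one site-to-site spoke can reach another through it; all addresses, ACL names and peer IPs are constructed for illustration.

```cisco
! Added example: PIX 7.0+ hub configuration for spoke-to-spoke traffic over
! site-to-site VPNs. Constructed addressing:
!   hub LAN  10.0.0.0/24
!   spoke A  10.1.0.0/24, peer 203.0.113.10
!   spoke B  10.2.0.0/24, peer 203.0.113.20
!
! 1. Let traffic leave the interface it arrived on. This is the 7.0 change
!    mentioned above; 6.3 has no equivalent, so spoke-to-spoke traffic is
!    dropped there no matter how the crypto and NAT 0 ACLs are written.
same-security-traffic permit intra-interface
!
! 2. Crypto ACLs on the hub: each spoke's entry must also carry the OTHER
!    spoke's subnet as a source, not only the hub LAN. Each 1700's crypto ACL
!    must mirror this (its LAN to the hub LAN, and its LAN to the other spoke).
access-list VPN-SPOKE-A extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! 3. NAT exemption (only needed while nat-control is enabled, which an
!    upgrade from 6.x keeps). The hairpinned spoke-to-spoke flows never touch
!    the inside interface, so they need their own exemption on outside.
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.0.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
nat (outside) 0 access-list NONAT-OUTSIDE
!
! 4. Crypto map entries (ISAKMP policy and pre-shared keys assumed to be
!    configured already; transform set name is constructed).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SPOKE-B
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Check: a ping from spoke A to spoke B should raise the encaps/decaps
! counters on BOTH peers' SAs, and the 10.1.0.0 <-> 10.2.0.0 selector must
! show up under each:
!   show crypto ipsec sa peer 203.0.113.10
!   show crypto ipsec sa peer 203.0.113.20
```

    If only one peer's counters move, the missing piece is almost always the spoke-to-spoke line in the other peer's crypto ACL or its mirror on the 1700.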
  4. Guest

    Thanks for your answer Walter. I have decided to buy a couple of
    ASA 5510's which include PIX level 7 code. We also have need of the
    concentrator functionality built in to this device.
    , Mar 16, 2006
    #4