3 PIX VPN questions - FUN FUN FUN

Discussion in 'Cisco' started by frishack, Mar 10, 2006.

  1. frishack

    frishack Guest

    Hope these aren't stupid questions, but here goes. Some background:
    I have a PIX 515 6.3(5) at head office; remote sites are 1720's or
    1750's running a flavor of 12.1 (due to memory shortage, cannot
    upgrade) connected via site to site VPNs to this PIX. I have 3
    questions that I can't seem to sort out. Please help me if you know the

    1. Can I use BGP with the 1700s over this VPN to my network of routers
    that are on the internal network? Are there any caveats in this
    situation? My Internal routers are connected via
    Frame/Wireless/dedicated lines to a 3640 on the internal network, and
    are already successfully running BGP.

    2. How can I route traffic from one remote VPN site to another remote
    VPN site? I have added the appropriate subnets to the crypto ACL on
    each router, and added entries to the NAT 0 ACL, but still can't route
    between VPN subnets. Any idea what else is needed? The VPN remote sites
    can all successfully route to the other internal(non VPN) WAN sites.

    3. Currently I have to bounce these VPN remote site users off an
    internal proxy in order to allow them to browse the internet. This is
    a problem for me as squid is not passing the credentials to our
    Websense server, preventing me from tracking usage of individuals, as
    they all appear to be the same user to Websense. Is there a PIX rule
    where traffic can't go back out the same interface it came in on? I
    seem to remember something like this, but can't find the info again.
    Is there a workaround to this situation? Something I'm missing?

    frishack, Mar 10, 2006
  2. Cliff

    Cliff Guest

    1) Yes, the 1700s support iBGP and eBGP. Depending on IOS version, I'm sure...
    2) The way I would do it is...
    Have my remote sites dial into my network internally. Then have all
    traffic pass through an internal router, which does all your routing
    between sites. Then have one gateway out, going to your Squid server,
    then your PIX, then finally a border router, or your ISP.

    So your network topology would look like this, in order:

    Border Router or PIX
    Squid (Proxy)
    Internal Router
    | |
    Remote Site Remote Site Remote Site
    Cisco 1700 Cisco 1700 Cisco 1700

    3) This would change when I changed my network topology to what I stated.

    I doubt I helped ya that much, but hopefully I inspired some ideas for
    Cliff, Mar 10, 2006
  3. Yes, in PIX 6.3(5), traffic cannot go out the same logical interface
    it came in on.

    The PIX 515 supports logical interfaces in 6.3(5). A logical
    interface is an 802.1Q VLAN that is associated with an IP address
    range. And of course the PIX 515 supports multiple physical interfaces.

    The PIX 515 supports PIX 7.0 and PIX 7.1. PIX 7.0 has a number
    of configuration changes relative to 6.x; one of them allows
    you to route traffic back through the same interface provided
    that a VPN is involved.
    Walter Roberson, Mar 11, 2006
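    As an added example (not from any of the posters, and not taken from Cisco
    documentation), here are the pieces of a hub-and-spoke configuration that
    address all three questions once the hub runs 7.x code, written in PIX 7.x
    and IOS syntax. Every address, AS number, ACL name and pre-shared-key
    placeholder is invented for the example. The NAT keyword needed for
    hairpinned traffic and the exact IKE command names vary by release, so treat
    the hub section as a starting point to verify with "show crypto ipsec sa" and
    "show xlate" rather than something to paste in.

```cisco
! =================================================================
! HUB: PIX 515 running 7.x (the commands below do not exist in 6.3(5))
! Made-up addressing for the example:
!   head office LAN 10.0.0.0/16, PIX outside 203.0.113.1, internal 3640 = 10.0.0.2
!   spoke A LAN 10.1.0.0/16 behind a 1720 at 192.0.2.10
!   spoke B LAN 10.2.0.0/16 behind a 1750 at 192.0.2.20
! =================================================================

! The one line 6.3 lacks: let a packet leave through the interface it
! arrived on. Without it, spoke-to-spoke (Q2) and spoke-to-Internet (Q3)
! traffic is dropped at the hub no matter what the crypto and NAT 0 ACLs say.
same-security-traffic permit intra-interface

! Crypto ACLs. "any -> spoke" sends the hub LAN, the other spoke AND the
! spoke's Internet traffic into the tunnel (Q2 + Q3). For Q2 only, list
! 10.0.0.0/16 and the other spoke's subnet instead of "any".
access-list CRYPTO_A extended permit ip any 10.1.0.0 255.255.0.0
access-list CRYPTO_B extended permit ip any 10.2.0.0 255.255.0.0

! NAT exemption for hub LAN <-> spokes (the NAT 0 the poster already has).
access-list NONAT_IN extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT_IN extended permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT_IN

! Spoke-to-spoke traffic enters AND leaves on outside, so it needs its own
! exemption there (Q2). Assumption: nat 0 is matched before nat 1 below.
access-list NONAT_OUT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT_OUT extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (outside) 0 access-list NONAT_OUT

! Q3: spoke Internet traffic hairpins on outside; PAT it to the outside
! address so replies return to the PIX. Some releases need a trailing
! "outside" keyword on these nat lines (outside NAT); confirm with "show xlate".
nat (outside) 1 10.1.0.0 255.255.0.0
nat (outside) 1 10.2.0.0 255.255.0.0
global (outside) 1 interface

! IKE/IPsec to the spokes (3DES, since the 12.1 1700s may lack AES).
! permit-ipsec lets decrypted traffic, BGP tcp/179 included, bypass the
! outside ACL; it is renamed permit-vpn in 7.2+/ASA.
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto map VPN 10 match address CRYPTO_A
crypto map VPN 10 set peer 192.0.2.10
crypto map VPN 10 set transform-set 3DES_SHA
crypto map VPN 20 match address CRYPTO_B
crypto map VPN 20 set peer 192.0.2.20
crypto map VPN 20 set transform-set 3DES_SHA
crypto map VPN interface outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <spoke-A-psk>
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key <spoke-B-psk>

! =================================================================
! SPOKE A: Cisco 1720, IOS 12.1 (BGP needs the IP Plus feature set)
! =================================================================
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <spoke-A-psk> address 203.0.113.1
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
! Mirror image of the hub's CRYPTO_A: everything leaving the spoke LAN goes
! into the tunnel, which is what provides Q2 and Q3 from this side.
ip access-list extended CRYPTO_TO_HUB
 permit ip 10.1.0.0 0.0.255.255 any
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set 3DES_SHA
 match address CRYPTO_TO_HUB
interface FastEthernet0
 ! WAN-facing interface; the name depends on the WIC actually installed
 ip address 192.0.2.10 255.255.255.0
 crypto map VPN
ip route 0.0.0.0 0.0.0.0 192.0.2.1

! Q1: BGP with the internal 3640 across the tunnel. Plain IPsec carries only
! unicast that matches the crypto ACL, so peer from an address inside
! 10.1.0.0/16 and allow the multi-hop path. BGP (tcp/179) works this way;
! OSPF/EIGRP (multicast) would need GRE inside the tunnel.
interface Loopback0
 ip address 10.1.255.1 255.255.255.255
router bgp 65001
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 ebgp-multihop 5
 neighbor 10.0.0.2 update-source Loopback0
 network 10.1.0.0 mask 255.255.0.0
! The 3640 (AS 65000) gets the mirror: neighbor 10.1.255.1 remote-as 65001,
! ebgp-multihop 5, sourced from 10.0.0.2, plus a route to 10.1.255.1 that
! points at the PIX inside interface.
```

    With this in place the spoke-side changes the poster already made (extra
    subnets in the crypto ACL and NAT 0 ACL) are sufficient; the missing piece
    was on the hub. For Q3, the remote users then reach the Internet through the
    head-office PIX with their real client addresses visible on that egress,
    which is what the Squid hop was hiding from Websense.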
  4. frishack

    frishack Guest

    Thanks for your answer, Walter. I have decided to buy a couple of
    ASA 5510s, which include PIX level 7 code. We also have need of the
    concentrator functionality built into this device.
    frishack, Mar 16, 2006
