3 PIX VPN questions - FUN FUN FUN

Hope these aren't stupid questions, but here goes, some background
first:
I have a PIX 515 6.3(5) at head office; remote sites are 1720's or
1750's running a flavor of 12.1 (due to memory shortage, cannot
upgrade) connected via site to site VPNs to this PIX. I have 3
questions that I can't seem to sort out. Please help me if you know the
answers:

1. Can I use BGP with the 1700s over this VPN to my network of routers
that are on the internal network? Are there any caveats in this
situation? My Internal routers are connected via
Frame/Wireless/dedicated lines to a 3640 on the internal network, and
are already successfully running BGP?

2. How can I route traffic from one remote VPN site to another remote
VPN site. I have added the appropriate subnets to the crypto ACL on
each router, and added entries to the NAT 0 ACL, but still can't route
between VPN subnets. Any idea what else is needed? The VPN remote sites
can all successfully route to the other internal(non VPN) WAN sites.

3. Currently I have to bounce these VPN remote site users off an
internal proxy in order to allow them to browse the internet. This is
a problem for me as squid is not passing the credentials to our
Websense server, preventing me from tracking usage of individuals, as
they all appear to be the same user to Websense. Is there a PIX rule
where traffic can't go back out the same interface it came in on? I
seem to remember something like this, but can't find the info again.
Is there a workaround to this situation? Something I'm missing?

thanks
tical

 

1) Yes 1700 support IBGP and EBGP. Depending on IOS vers im sure...
2) The way I would do it is..
Have my remote sites dial into my network internally. Then have all
traffic pass through an internal router, which does all your routing
between sites. Then have one gateway out, going to your squid server,
then your pix, then finally a border router, or your isp.

So your network topology would look in this order.

Internet(ISP)
|
Border Router or Pix
|
Pix
|
Squid (Proxy)
|
Internal Router
| |
|
VPN VPN VPN
Remote Site Remote Site Remote Site
Cisco 1700 Cisco 1700 Cisco 1700


3) This would change when I changed my network topology to how I stated
before.


I doubt I helped ya that much but hopefully inspired some idea's for
you.

 

Yes, in PIX 6.3(5), traffic cannot go out the same logical interface
it came in on.

The PIX 515 supports logical interfaces in 6.3(5). A logical
interface is an 802.1Q VLAN that is associated with an IP address
range. And of course the PIX 515 supports multiple physical interfaces.

The PIX 515 supports PIX 7.0 and PIX 7.1. PIX 7.0 has a number
of configuration changes relative to 6.x; one of them allows
you to route traffic back through the same interface provided
that a VPN is involved.

 

Thanks for you your answer Walter. I have decided to buy a couple of
ASA 5510's which include PIX level 7 code. We also have need of the
concentrator functionality built in to this device.