    A little background:
    I've got an Internet T1 line feeding a 2600 as my border / choke router
    to the outside world, and a pair of Linux-based firewall machines
    between the 2600 and my primary internal RFC 1918-numbered network. The
    ethernet side off the 2600 is my "DMZ" where I attach web servers, web
    proxy/firewall/bastion_combo servers for my internal websurfers, smtp
    gateways, those two Linux iptables-based firewall machines, etc. We do
    not allow general NAT thru these firewalls, only isolated machines on
    our insides can access specific addressed hosts on the outside, and
    specific addressed hosts from the outside can get forward-masq'ed thru
    to specific internal machines on our insides (e.g. pcAnywhere hosts
    for remote support, etc). In short, full routability between my internal
    RFC1918 networks and the outside world is deliberately non-existent.

    This has proven to be a pretty good security model over the years with
    the limited budget I have to work with, and we still get essential
    Internet access (email, proxied web and file xfers, some limited NAT'ed
    and forward-masq'ed hosts, etc) to keep most users happy.

    I've got four other smaller & different internal networks, all
    RFC1918-numbered as well, and routed to each other and also to that
    main internal network with a C3640 full of 10/100 modules in the
    middle. It's purely an "internal" router only. I've got inbound and
    outbound access-lists on pretty much each interface on the 3640 to
    enforce who can get to what within my internal networks -- necessary
    for internal security reasons.

    Needless to say, performance thru the 3640 just doesn't cut it anymore
    with today's bandwidth hog apps, so we've bought a 3845 (Adv IP Svcs
    IOS) and filled it with new 10/100 modules to go in place of the old
    3640. So far so good... the 3845 can smoke the 3640 with ease and the
    internal router thruput bottlenecks have now all but disappeared.
    (would like to have full gigabit routing wirespeed on a bunch of
    interfaces, but no funding to buy a "big boys" BFR9000 or whatever
    router and must settle for the 3845 as the most we can afford.)

    The need for VPN:
    Up until now, we've had no real means of allowing any VPN connections
    from the outside world to come into our inner networks, but the new
    3845 seems to have considerable VPN support built-in. Problem is... I
    really don't want to expose an interface on the 3845 directly to the
    raw untamed Internet.

    How could I best accomplish allowing incoming VPN connections to be
    handled by my 3845 residing in the midst of a bunch of internal
    networks without making it too vulnerable to the wild untamed lawless
    Internet hooligans out there? My 2600 choke/border router has the acl
    from hell on all inbound traffic. My Linux firewall boxes have rather
    limited VPN-masq-ing capability (i.e., only a single GRE tunnel at a
    time for Windows PPTP), etc. Mostly we'd be wanting to support
    employees at home to connect in via software-based VPN client on a
    Windows PC over their cablemodem or DSL Internet services.

    Can my 2600 be made to allow or forward just enough GRE and/or IPSec
    VPN traffic from an explicitly enumerated list of outside addresses to
    an interface on the 3845 (if I connect one 10/100 interface to the
    "DMZ" behind the 2600)?

    I've also got an old PIX 501 lying around unused, since configuring it
    was such a PITA and the Linux boxes proved easier for me to make the
    specific firewalls to do what I needed, plus my boss refused to buy
    SmartNet for the PIX and it has an ancient version of software in it
    that has some security holes in it.... so it sits in the scrap pile.

    Help! I'm pretty green at VPNs and would greatly appreciate it if
    anyone could point me to some config guides and examples that might
    cover what I'd like to accomplish here.
    w2k3newbie, Jan 19, 2006
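The question in the post boils down to whether the 2600's inbound ACL can pass only the VPN control and tunnel protocols, only from enumerated peers, and only to the one DMZ address of the 3845. The IOS access-list below is an added illustration of that shape; it is not the poster's configuration nor anything from a reply. All addresses are constructed placeholders from the RFC 5737 documentation ranges: 203.0.113.10 stands for the 3845's DMZ-facing interface, and 198.51.100.0/24 stands for the enumerated set of outside peers. The interface name and the existing ACL contents are assumptions as well.

```cisco
! Added example, not from the original post. Addresses are constructed
! placeholders (RFC 5737): 203.0.113.10 = assumed DMZ address of the 3845
! VPN endpoint, 198.51.100.0/24 = assumed list of permitted outside peers.
ip access-list extended INTERNET-IN
 remark --- IPsec: IKE (UDP 500), NAT-T (UDP 4500), ESP ---
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq isakmp
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 4500
 permit esp 198.51.100.0 0.0.0.255 host 203.0.113.10
 remark --- PPTP only if actually used: TCP 1723 plus GRE ---
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 1723
 permit gre 198.51.100.0 0.0.0.255 host 203.0.113.10
 remark --- nothing else from outside may touch the 3845; log the drops ---
 deny   ip any host 203.0.113.10 log
 remark --- existing rules for web servers, smtp gateways, proxies follow ---
!
interface Serial0/0
 description Internet T1 (assumed interface name)
 ip access-group INTERNET-IN in
```

A few points worth checking against this shape: keep the VPN lines above the `deny ip any host 203.0.113.10 log` so the explicit drop catches everything the peer list does not cover; the `log` keyword on that deny is what turns unexpected probes of the 3845's DMZ address into syslog evidence. Remove the PPTP pair if only IPsec clients are expected, since each extra protocol widens what the enumerated peers can reach. Finally, the 2600 ACL only limits who can start a tunnel; the 3845's own DMZ interface still needs an inbound ACL of the same form, and decrypted client traffic should land in the same internal access-lists the other networks already pass through rather than bypassing them.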
