PIX/VPN with multiple subnets.

Discussion in 'Cisco' started by Gary, Nov 22, 2003.

    Gary (Guest):

    I have a Router (3660) to PIX (520) VPN working fine and would like to route a new, separate public subnet down the VPN. I do not need to route the existing subnet (199.199.92.40/29) behind the PIX at the moment, as it is just used here for other machines not behind the PIX and to bring up the VPN.

    The end points (public) of the VPN are in subnet 1, but I need subnet 2 (i.e. a new range) to route down the VPN tunnel and to hit servers behind the PIX.

    Currently it looks like this:
    A. ISP 3660: public IP is 199.199.64.6/24 and private is 10.1.1.0/24
    B. Our 3640 is IP 199.199.92.35/29
    C. Our PIX outside is 199.199.92.40/29
    D. Our PIX inside is 10.20.0.1/24
    E. Our switch inside is 10.20.0.2/24

    We want to route 199.199.94.8/29 behind the PIX (C) to servers on private addresses in the 10.20.0.0/24 range (E).

    The reason for this is that the ISP has blocked all lower ports such as telnet, ping, ssh, smtp, etc., so I want people coming into the second public subnet to be routed down the VPN on whatever port to the private address space behind the PIX.

    Questions:
    1. How do I get the 3660 to send the public traffic down the VPN? Do I just add the range to the relevant access-lists for nonat (i.e. do not NAT it) and VPN (i.e. make it eligible for the VPN)?
    2. Do I need a router on the inside, i.e. ISP Edge Router ---> Our Edge Router ---> Our PIX ---> Inside Router?
    3. What else do I need to set up?

    I do not fully understand how the VPN would be used in this scenario and have routed multiple subnets across a PIX to an inside router no problem, but this is slightly different.

    What should inside servers be set up as? Would they have IPs from the public range or private addresses from the VPN range?

    PIX Access Lists are
    ===============
    access-list nonat permit ip 10.20.0.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list nonat permit ip host 199.199.92.40 10.1.1.0 255.255.255.0
    access-list 100 permit ip 10.20.0.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 100 permit ip host 199.199.92.40 10.1.1.0 255.255.255.0
    access-list 100 permit ip 10.20.0.0 255.255.255.0 host 199.199.64.6
    access-list 100 permit icmp 10.20.0.0 255.255.255.0 host 199.199.64.6
    access-list 100 permit icmp 10.20.0.0 255.255.255.0 host 10.1.1.1


    3660 Access Lists are
    ================
    access-list 180 permit ip 10.1.1.0 0.0.0.255 10.20.0.0 0.0.0.255
    access-list 180 permit ip 10.1.1.0 0.0.0.255 host 199.199.92.40
    access-list 180 permit ip host 199.199.64.6 10.20.0.0 0.0.0.255
    access-list 180 permit ip 199.199.94.0 0.0.0.255 10.20.0.0 0.0.0.255
    access-list 180 permit ip 199.199.94.0 0.0.0.255 host 199.199.92.40

    route-map nonat permit 10
    match ip address 130

    access-list 130 deny ip 10.1.1.0 0.0.0.255 10.20.0.0 0.0.0.255
    access-list 130 deny ip 10.1.1.0 0.0.0.255 host 199.199.92.40
    access-list 130 deny ip 199.199.94.8 0.0.0.7 10.20.0.0 0.0.0.255
    access-list 130 permit ip 10.1.1.0 0.0.0.255 any

    Should there be a route statement somewhere for the 94 range, i.e. to the PIX (199.199.92.40) or to our 3640 router (199.199.92.35)?


    Thanks
    Gary
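Crypto ACLs on IPsec peers have to be mirror images of each other, so one check worth running before touching routing is whether every entry on one side has its reversed counterpart on the other. The script below is an added example (Python, not posted in the thread): it parses the two crypto ACLs given above, normalising the PIX subnet-mask form and the IOS wildcard form to the same network objects, and lists the entries with no exact mirror; it assumes the 3660 line for 199.199.92.40 carries the `host` keyword.

```python
import ipaddress

# Crypto ACLs transcribed from the post (the 3660 line for 199.199.92.40 is
# assumed to use 'host'). PIX lines use subnet masks, IOS lines use wildcards.
PIX_ACL_100 = """\
access-list 100 permit ip 10.20.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit ip host 199.199.92.40 10.1.1.0 255.255.255.0
access-list 100 permit ip 10.20.0.0 255.255.255.0 host 199.199.64.6
access-list 100 permit icmp 10.20.0.0 255.255.255.0 host 199.199.64.6
access-list 100 permit icmp 10.20.0.0 255.255.255.0 host 10.1.1.1
"""
IOS_ACL_180 = """\
access-list 180 permit ip 10.1.1.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 180 permit ip 10.1.1.0 0.0.0.255 host 199.199.92.40
access-list 180 permit ip host 199.199.64.6 10.20.0.0 0.0.0.255
access-list 180 permit ip 199.199.94.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 180 permit ip 199.199.94.0 0.0.0.255 host 199.199.92.40
"""

def _take(tokens, wildcard):
    """Consume one address spec (host X | any | X mask) as an ip_network."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tok_host := tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard:                      # IOS wildcard is the inverted netmask
        mask ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{tok}/{ipaddress.ip_address(mask)}", strict=False)

def parse_acl(text, wildcard):
    """Return the set of (proto, src, dst) tuples from an ACL's permit lines."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[2] == "permit":
            proto, rest = tokens[3], tokens[4:]
            src = _take(rest, wildcard)
            entries.add((proto, src, _take(rest, wildcard)))
    return entries

def unmirrored(ours, peer):
    """Entries of `ours` with no exact mirror (proto, dst, src) in `peer`."""
    return sorted((p, str(s), str(d)) for p, s, d in ours if (p, d, s) not in peer)

def report():
    """Entries each side would propose that the other side has no match for."""
    pix = parse_acl(PIX_ACL_100, wildcard=False)
    ios = parse_acl(IOS_ACL_180, wildcard=True)
    return {"pix_only": unmirrored(pix, ios), "ios_only": unmirrored(ios, pix)}
```

Running `report()` flags the two 199.199.94.0/24 entries on the 3660 as having no PIX counterpart, which is the gap the question is about, and also the protocol-specific icmp lines on the PIX, since the check is exact and a broader `ip` line on the peer does not count as their mirror.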
