Debsyl99 asked:
Cisco Pix Site-to-site VPN behind NAT ADSL Router

Hi
I'm pretty much a lamer when it comes to this sort of thing so I appreciate any help you can give. We've got three sites all happily networked using site-to-site VPNs, Cisco 506e at our head office and 501s everywhere else. We run a Windows 2000 native mode domain that spans these sites, each of which has a site server. However these have ADSL, no NAT, static IPs and have been easy to set up. Now I need to bring a new site online. There are only two PCs here, but both need simultaneous file and Exchange server access to our main site, and the VPN client won't deal with two simultaneous connections. At this site though we have a static public IP, and an ADSL router (SpeedTouch 536) that's performing NAT and uses PPPoA, so I can plug the PIX into the ADSL router and it'll pick up an internal IP.
Here's what it looks like:

Internet -> ADSL Router (Pub Static IP) - Internal IP Range 10.0.0.0 + DHCP -> PCs (DHCP from router)

This is what I need it to do:

Main Site 506e ->(secure tunnel) -> ADSL Router ->Pix 501 -> PC's

So -
1) Can I get a secure connection between a PIX 501 at this site and our 506e at the main site?
2) If so, how?

I've assigned max points as you may need to be patient with me, but if you can help me get this sorted you'll save the Charity I work for £220 in tech support costs and we could use the saving. Please ask for any info you need, and thanks for all help in advance,

Deb :))
Pentrix2

Sure, I don't see why not.  You will have to perform no NATs on both ends for the internal traffic.  You already got it set up for a PIX-to-PIX across 3 sites already so it'll be the same for the 4th site.

Or is it you have a PIX-to-PIX for 2 sites and need help adding the 3rd site?

Debsyl99 (asker):

Hi
I'm not sure I'm understanding you but here goes. The problem is that this site has a router/modem that picks up a static IP, presumably via DHCP from the ISP via PPPoA. I can't get them to let us have a no-NAT solution without getting a new ISP and this contract has a long time to run. (Would another router do it? I have no idea.)

I can get the PIX to pick up a reserved IP from the ADSL router via DHCP, but can't route the IPsec traffic for the VPN.
The other sites all operate no-NAT ADSL, so the site-to-site VPN setup was something I could manage.

I'm really needing a step by step if possible? Can I get a tunnel up given the PIX's current outside interface is 10.0.0.2 (allocated from the pain in the a** router) and I don't seem to be able to change it?



I must admit that I have never tried such a setup.  But if the tunnel when aimed at the ADSL router does indeed reach the PIX, then I believe NAT-T would work for a site2site VPN.  But I am not sure.

If the public IP isn't mapped directly to the PIX, I guess you can't make a site2site at all.  In this case another option could be to setup this PIX as an "easy VPN client", but I don't know if that will satisfy your needs.
I have had this exact scenario myself.

The easiest solution would be to take the ADSL Router out (if you can). I used an ADSL Ethernet Modem to interface the CISCO PIX with.

I highly recommend the ADSLNation X-Modem, it features "LiveIP" - this basically serves the CISCO directly with the ISP, so the modem is invisible as it were.

Details of the X-Modem can be found here: http://www.adslnation.co.uk/

Hope this helps?

Oh, the best bit about my proposed solution is that the modem only costs approx £30! :)

If you have any further questions just ask! Thanks.
Hi foobar

Thanks for your post. Did you successfully manage to get your PIX to pick up the public IP then? Assuming that you did, how did you do it? Any more detailed information on this setup would be great before I go out and buy it,
Ta
Deb :)
Hi Deb,

Yes with the X-Modem it works wonderfully.

ADSL Line ---> X-Modem ---> CISCO PIX

Configure the X-Modem with your ADSL ISP credentials and then connect the X-Modem to the CISCO PIX Firewall (ethernet).

On the CISCO PIX Configure the outside interface to dhcp, example:

"ip address outside dhcp setroute"

This will tell the CISCO PIX to obtain the IP address automatically from the X-Modem (the x-modem passes the external address to the CISCO PIX)

Works great! :) Good Luck!
Here is a caption from the ADSLNation website about the "livedns" feature of the X-Modem

"Our unique Live IP technology makes the X-Modem invisible to the computer. With Live IP the public IP address issued by the Internet service provider is passed-through from the modem to the host to enable full compatibility with the widest range of software & games."

This makes the modem unique compared to most other ADSL modems and routers, as it makes it compatible with devices such as the CISCO PIX Firewall.
Keith Alabaster:
Deb, does it have to be a site to site vpn? Is there a server at this fourth site also?

If not, for just two users and all the grief it appears to be giving you, it might be an option to use the Cisco VPN client instead.
As Keith mentioned above, that is another option. However if you have purchased a PIX Firewall I'd guess you'd really like to use it?
Hi
Thanks for the replies. We've been using the VPN client - starts up with Windows, they connect and then log in. Works great except we can only have one person in through the VPN client at a time. Although there are only two PCs there are 17 users at this site - so there may well be more PCs in time. Anyhow I have a PIX so if I can use it I will.

Hi - Voltz-dk - you mentioned setting the PIX up as an Easy VPN client. Could you give me more info about that please?

Basically the users at this site need access to our exchange server and our file servers. Ideally they would logon to the domain directly as the site links are quick enough but they can use a terminal server if necessary.

I've ordered the x-modem as even if it doesn't work we'll still be able to use it at another site we have coming on (with single pc) - so I'll let you know how that goes.

Any other ideas?

Thanks again,

Deb :))
ASKER CERTIFIED SOLUTION by Voltz-dk (Denmark)
This solution is only available to members.
Voltz makes a good suggestion although I am not sure why you can only connect one vpn client at a time using the Cisco client.
Hi
Thanks Voltz-dk - I got the VPN up and running today using Easy VPN server on the main PIX and Easy VPN remote on, well, the remote one. The PC can log in to the domain, and has access to all resources - so far so good. One slight problem though - there's no internet access. I can ping the domain controller no problem, and resolve names within the domain. Nslookup also works with DNS pointing at the domain controller and can resolve sites externally. It seems to me that HTTP just isn't getting out. So the access lists may need checking. I can't post any configs right now as I'm not on site - but I wondered if anyone had any initial ideas of what I may have missed? I'll be back on site tomorrow afternoon.

It kind of goes like this:

Easy VPN server -> Internet -> (Public IP) ADSL Router (NAT and DHCP to PIX) -> (outside interface 10.0.0.2) PIX (inside interface 192.168.3.1) - DHCP to PC - (IP range 192.168.3.2-192.168.3.7).

If I can get this sorted I can close this question out.

Thanks to Foobar too - but doesn't look like I'll need the modem now.

Thanks again,
Deb :))


SOLUTION
This solution is only available to members.
Oh - and thanks Keith for your comments - I'm not sure why the VPN client can't connect more than one PC at a time - I had assumed that this was due to two connections emanating from the same external IP address. Should this not be the case? We have about another ten sites to connect so I'd like to avoid this scenario again if possible.
Cheers
Deb :))
As mentioned above it works just like a client.  So you need to configure split-tunneling on the easy vpn server.
Have you configured your clients for "transparent tunneling" on the transport tab of the VPN client? (UDP encapsulation for NAT/PAT) Also, you need to enable NAT-T on the PIX they connect to. (isakmp nat-traversal 20). That should allow you to have more than 1 client from 1 point.
"Have you configured your clients for "transparent tunneling" - No I haven't but I will have a look at this tomorrow - thanks.

So basically all I need to do is send the "isakmp nat-traversal 20" command to the server PIX - and more than one PC can connect via the VPN client from a single site? Regardless of having a PIX there or not?



Here's a description of NAT-T: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800946af.shtml

While it is written for 3000-series VPN concentrators, the concept is the same.  The main difference is that the PIX doesn't support the TCP encapsulation described.

Hope that explains it all, otherwise just repost :)
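To make the two points from the replies above concrete (split tunneling on the Easy VPN server so the remote PCs keep internet access, and `isakmp nat-traversal 20` so IPsec survives the ADSL router's NAT), here is an added configuration example. It is not from this thread or from any of the posters, and it is not Cisco's documentation; it uses PIX 6.3 command syntax. The head-office LAN (192.168.1.0/24), the remote LAN (192.168.3.0/24), the client pool, the group name `remotesite`, the ACL names and the DNS server address are all constructed for the example, and the pre-shared key and head-office public IP are placeholders.

```cisco
! ===== Head office 506e: Easy VPN server (constructed example, PIX 6.3 syntax) =====

! Phase 1 (ISAKMP) policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! NAT traversal: wrap ESP in UDP/4500 when a NAT device is detected in the path,
! and send a keepalive every 20 seconds so the ADSL router's translation entry
! does not expire while the tunnel is idle
isakmp nat-traversal 20

! Phase 2 transform set; a dynamic crypto map accepts peers whose address is not known in advance
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
! Decrypted IPsec traffic bypasses the outside interface access list
sysopt connection permit-ipsec

! Easy VPN group used both by software VPN clients and by the remote 501
ip local pool vpnpool 192.168.100.1-192.168.100.50
! Split tunnel: only traffic to the head-office LAN goes through the tunnel;
! everything else leaves the remote site directly via its own ADSL router
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 any
vpngroup remotesite address-pool vpnpool
vpngroup remotesite dns-server 192.168.1.10
vpngroup remotesite default-domain example.local
vpngroup remotesite split-tunnel split_tunnel
vpngroup remotesite idle-time 1800
vpngroup remotesite password <PRE-SHARED-KEY-PLACEHOLDER>

! Never NAT head-office traffic destined for the client pool or the remote LAN
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

! ===== Remote 501 behind the NATting ADSL router: Easy VPN remote =====

! Outside address comes from the ADSL router's DHCP (the 10.0.0.2 seen in the thread)
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
! Network-extension mode keeps the remote LAN addresses visible to head office
vpnclient server <HEAD-OFFICE-PUBLIC-IP-PLACEHOLDER>
vpnclient mode network-extension-mode
vpnclient vpngroup remotesite password <PRE-SHARED-KEY-PLACEHOLDER>
vpnclient enable
! Non-tunnelled (internet) traffic from the remote PCs is PATed to the 501's outside address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
```

Two things to check after applying this. First, on the 506e, `show isakmp sa` should list the remote peer as the ADSL router's public address, and `show crypto ipsec sa` should show encrypt/decrypt counters climbing; if NAT-T negotiated, the SA uses UDP port 4500 rather than plain ESP. Second, because the split-tunnel ACL only names the head-office LAN, the remote PCs' web traffic no longer passes head-office filtering at all: it exits through the 501's own outside interface and the ADSL router, so the 501's outside policy is what fronts those PCs. If that is not acceptable, the alternative is to leave split tunneling off and instead allow tunnelled traffic at head office to be NATed back out to the internet, at the cost of sending all of the remote site's browsing across the ADSL uplink twice.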
Thanks - I'll give that a read and get back to you tomorrow about how I get on with it (In UK).
If you have a problem with your Windows 2000 server then I'm there, but this firewall PIX stuff at the moment may as well be French sometimes, but I really appreciate the help so far. If we can use the VPN client on more than one machine from a single site simultaneously, then I've been given bad advice by our support contractors who told me in no uncertain terms I needed another PIX.
lol, part-timer, you going home? I've still got 30 minutes of SAN levelling before I can get out of here. (2 miles from Gatwick Airport)
Lol - no such grandeur for me. They booted me out at five - they never had access before so they don't miss it yet !
Hey Debs,

Did you get the X-Modem in the end? Have you tried using it with the CISCO PIX?
Hi
Yes I did get the X-Modem - no, unfortunately I didn't get it to go in alongside the PIX. I really tried but it was having none of it so I gave up as I needed to get this done. However I will be able to use it at the next site where they'll just be using the VPN client software. Thanks for your suggestions though.

Anyway happily I got this up and running today - internet access and all so thanks to everyone for their help. I've assigned points based on what was helpful to finding a solution for this particular question as I thought that was only fair.
Thanks again and best wishes,
Deb :))