Solved

MIND BENDER!!!!

Posted on 2003-03-31
Last Modified: 2011-09-20
All right, here goes .... I'm going to reward nicely for this question.

I have several sites that I would like to collect monitoring (up/down) and performance stats from, and I have a VPN connection into each site.

Here are the requirements of any solution(s) recommended:

1.  It must be easy to add a new site.
2.  It must be able to have full IP connectivity between sites.
3.  It must present a PIX-PIX full time (always on) connection between the two networks.
4.  It must be secure so that one site would not have access to another (i.e. NOT fully meshed).
5.  It must be secure so that any site would not have access to unauthorized servers in my network.
6.  It must NOT require re-configuring IP address space at any of the remote sites.
7.  There will be several sites who have overlapping internal address spaces.

My first thought is that I will have to have a PIX 501 at each site....

My internal hardware would be setup like the following:

SNMP AGENT----->PIX 501--->INTERNET--->VPN CONCENTRATOR--->DMZ---> PIX 515--->MY INTERNAL LAN
                                                            |
                                                            |
                                                            |
                                                            |
                                                   SNMP POLLING STATION


1.  So the SNMP agent would send traps and answer SNMP queries to the polling station.
2.  The PIX 501 would be configured for a site to site VPN connection with the VPN concentrator.
3.  The VPN concentrator would have to use address translation so that the following would happen...

    a.  Existing remote site is 192.168.1.0
    b.  Last remote site we connected to our network was: 10.1.1.0
    c.  I need a way to refer to 192.168.1.0 as 10.1.2.0, and so on and so forth.

So then, with each remote site I connect to mine, WITHOUT re-configuring the IP structure of their internal network, I can refer to them as the next sequential internal subnet that I have available and not worry about their own internal structure. However, I would still like to be able to get to ALL of their IP addresses without doing something like creating STATIC 1-1 NAT mappings.

Is this possible?
Is it easy to setup new sites?
Is there anything that I should be aware of?
Does SNMP embed source addresses in its packets that would confuse a monitoring station?

Thanks
John Woods
Question by:andgroup
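The translation scheme proposed in the question (each new remote /24 mapped host-for-host onto the next sequential hub-side /24, so two sites that both use 192.168.1.0 stay distinct and no per-host static entries are needed), modelled in Python as an added example that is not code from the original post. It also covers the SNMP point raised at the end: SNMPv1 Trap-PDUs carry the agent's own address in an agent-addr field that no address translation rewrites, so a poller should identify the site from the translated outer source address and treat agent-addr only as a consistency check. The site names, the 10.1.0.0/16 hub pool and the sample addresses are assumptions.

```python
# Added example (not from the original post): models the per-site address
# translation the question proposes. Each remote /24 is mapped host-for-host
# onto the next free hub-side /24, so overlapping remote sites stay distinct.
import ipaddress

class SiteTranslator:
    def __init__(self, hub_pool="10.1.0.0/16", first_free="10.1.2.0/24"):
        # Assumed hub-side pool; blocks before first_free are already taken
        # (the hub's own LAN and the last site connected, 10.1.1.0/24).
        pool = ipaddress.ip_network(hub_pool)
        start = ipaddress.ip_network(first_free).network_address
        self._free = [n for n in pool.subnets(new_prefix=24)
                      if n.network_address >= start]
        self.sites = {}  # site name -> (real /24, hub-side /24)

    def add_site(self, name, real_net):
        """Give a new remote site the next sequential hub-side /24."""
        real = ipaddress.ip_network(real_net)
        if real.prefixlen != 24 or name in self.sites:
            raise ValueError("expect a /24 and a unique site name")
        hub_net = self._free.pop(0)
        self.sites[name] = (real, hub_net)
        return hub_net

    def to_hub(self, name, real_ip):
        """Remote host -> hub-side address; host part kept, no per-host NAT."""
        real, hub_net = self.sites[name]
        ip = ipaddress.ip_address(real_ip)
        if ip not in real:
            raise ValueError(f"{ip} is not in site {name} ({real})")
        return hub_net[int(ip) - int(real.network_address)]

    def to_site(self, hub_ip):
        """Hub-side address -> (site, real address); inverse of to_hub."""
        ip = ipaddress.ip_address(hub_ip)
        for name, (real, hub_net) in self.sites.items():
            if ip in hub_net:
                return name, real[int(ip) - int(hub_net.network_address)]
        raise KeyError(f"{ip} is not in any site's hub-side block")

def classify_trap_source(translator, outer_src, agent_addr):
    """Attribute an SNMPv1 trap to a site.

    Only the outer IP header is translated on the way in; the agent-addr
    field inside the SNMPv1 Trap-PDU still holds the agent's real (possibly
    overlapping) address. Key on the outer source, use agent-addr as a check.
    """
    site, real = translator.to_site(outer_src)
    return site, real, str(real) == agent_addr
```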
Author Comment

by:andgroup
ID: 8241572
The post didn't come out quite like I wanted it to... the polling station would be located inside of the DMZ.

Thanks
John Woods
Accepted Solution

by:
lrmoore earned 2000 total points
ID: 8241818
Interesting challenge. #6 and #7 are the tough ones.

This document might help:
http://www.cisco.com/warp/public/707/vpn_pix_private.html

Perhaps you might consider using VPN 3002 at each remote site in place of the PIX and use a scenario like this:
http://www.cisco.com/warp/public/471/config_vpn_3k_site.html
Expert Comment

by:lrmoore
ID: 8442666
G'day, andgroup
It has been 31 days since you posted this question.
Do you still need help? Have you received enough information?
Can you close out this question?
Ways to close questions: http://www.apollois.com/EE/Help/Closing_Questions.htm
Expert Comment

by:lrmoore
ID: 8725690
andgroup,
No comment has been added lately (44 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to lrmoore

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.