Posted on 2003-03-31
All right, here goes... I'm going to reward nicely for this question.
I have several sites that I would like to collect monitoring (up/down) and performance stats from, and I have a VPN connection into each site.
Here are the requirements of any solution(s) recommended:
1. It must be easy to add a new site.
2. It must be able to have full IP connectivity between sites.
3. It must present a PIX-PIX full-time (always-on) connection between the two networks.
4. It must be secure so that one site would not have access to another (i.e. NOT fully meshed).
5. It must be secure so that any site would not have access to unauthorized servers in my network.
6. It must NOT require re-configuring IP address space at any of the remote sites.
7. There will be several sites who have overlapping internal address spaces.
My first thought is that I will have to have a PIX 501 at each site...
My internal hardware would be set up like the following:
SNMP AGENT----->PIX 501--->INTERNET--->VPN CONCENTRATOR--->DMZ---> PIX 515--->MY INTERNAL LAN
SNMP POLLING STATION
1. So the SNMP agent would send traps and answer SNMP queries to the polling station.
2. The PIX 501 would be configured for a site-to-site VPN connection with the VPN concentrator.
3. The VPN concentrator would have to use address translation so that the following would happen...
a. Existing remote site is 192.168.1.0
b. Last remote site we connected to our network was: 10.1.1.0
c. I need a way to refer to 192.168.1.0 as 10.1.2.0, and so on and so forth.
So then, with each remote site I connect to mine, WITHOUT re-configuring the IP structure of their internal network, I can refer to them as the next sequential internal subnet that I have available and not worry about their own internal structure. However, I would still like to be able to get to ALL of their IP addresses without doing something like creating STATIC 1-to-1 NAT mappings.
Is this possible?
Is it easy to setup new sites?
Is there anything that I should be aware of?
Does SNMP embed source addresses in its packets that would confuse a monitoring station?
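Added example (editor's illustration, not part of the original post or any vendor's code): the two mechanics behind the last two questions, modelled in Python rather than on a PIX or VPN 3000. First, an SNMPv1 Trap-PDU (RFC 1157) carries an agent-addr field inside the application payload; a NAT device that only rewrites the IP header leaves that field alone, so a trap from 192.168.1.10 at two different overlapping sites looks identical once you open the packet. Second, a net-to-net translation that maps each remote /24 onto the next free 10.1.N.0/24 while preserving the host bits gives reachability to every host without per-host static entries, and the translated header source is what lets the poller tell the sites apart. Site names, the 10.1.0.0/16 pool, the enterprise OID and the trap bytes are all constructed here for the demo.

```python
"""Added example: SNMPv1 agent-addr vs. NAT-rewritten header source, plus a
net-to-net subnet mapping. Everything below is constructed for illustration."""
import ipaddress

# --- minimal BER helpers; SNMPv1 uses a small subset of ASN.1 BER ---
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + n.to_bytes(2, "big")          # enough for demo-sized PDUs

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    return ber(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:                           # base-128 sub-identifiers
        enc = bytes([p & 0x7F])
        p >>= 7
        while p:
            enc = bytes([0x80 | (p & 0x7F)]) + enc
            p >>= 7
        out += enc
    return ber(0x06, out)

def build_v1_trap(community, enterprise, agent_addr, generic=6, specific=1, uptime=12345):
    """Encode an RFC 1157 Trap-PDU. agent-addr (IpAddress, tag 0x40) is payload
    data: header-only NAT does not touch it."""
    pdu = (ber_oid(enterprise)
           + ber(0x40, ipaddress.IPv4Address(agent_addr).packed)   # agent-addr
           + ber_int(generic) + ber_int(specific)
           + ber(0x43, uptime.to_bytes(4, "big"))                   # TimeTicks
           + ber(0x30, b""))                                         # empty varbind list
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + ber(0xA4, pdu))

def _tlv(buf, i):
    """Read one tag/length/value at offset i; return (tag, value, next offset)."""
    tag, ln = buf[i], buf[i + 1]
    i += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln

def trap_agent_addr(packet):
    """Return the agent-addr embedded in an SNMPv1 trap, or None for other PDUs
    (SNMPv2c/v3 notifications have no such field)."""
    _, msg, _ = _tlv(packet, 0)
    _, _version, i = _tlv(msg, 0)
    _, _community, i = _tlv(msg, i)
    tag, pdu, _ = _tlv(msg, i)
    if tag != 0xA4:
        return None
    _, _enterprise, j = _tlv(pdu, 0)
    tag, addr, _ = _tlv(pdu, j)
    return str(ipaddress.IPv4Address(addr)) if tag == 0x40 else None

class SiteNat:
    """Net-to-net translation: each remote /24 gets the next free 10.1.N.0/24,
    host bits preserved, so every remote host is reachable without static 1-to-1 entries."""
    def __init__(self, pool="10.1.0.0/16", first=1):
        self.pool = ipaddress.ip_network(pool)    # constructed: my free internal space
        self.next = first
        self.sites = {}                           # translated /24 -> (site, real /24)

    def add_site(self, name, real_net):
        real = ipaddress.ip_network(real_net)
        if real.prefixlen != 24:
            raise ValueError("demo handles /24 sites only")
        xlate = ipaddress.ip_network(f"{self.pool.network_address + (self.next << 8)}/24")
        self.next += 1
        self.sites[xlate] = (name, real)
        return xlate

    def locate(self, outer_src):
        """Map the header source the poller sees back to (site, real host address)."""
        addr = ipaddress.ip_address(outer_src)
        for xlate, (name, real) in self.sites.items():
            if addr in xlate:
                host = int(addr) - int(xlate.network_address)
                return name, str(real.network_address + host)
        return None

def demo():
    nat = SiteNat()
    nat.add_site("site-a", "192.168.1.0/24")      # becomes 10.1.1.0/24
    nat.add_site("site-b", "192.168.1.0/24")      # overlapping; becomes 10.1.2.0/24
    trap = build_v1_trap("public", "1.3.6.1.4.1.9", "192.168.1.10")  # same bytes at both sites
    # Header source as the poller sees it after net-to-net NAT (constructed):
    results = {}
    for outer_src in ("10.1.1.10", "10.1.2.10"):
        site, real_host = nat.locate(outer_src)
        results[outer_src] = (trap_agent_addr(trap), site, real_host)
    return results

if __name__ == "__main__":
    for src, (embedded, site, real) in demo().items():
        print(f"header src {src}: agent-addr {embedded} -> {site} host {real}")
```

The practical reading: key the monitoring station's host identity on the translated header source (10.1.2.10), not on the embedded agent-addr, or rewrite agent-addr on a collector that sits on the near side of the NAT; with overlapping sites the embedded value alone is ambiguous. SNMPv2c and v3 notifications carry no agent-addr at all, so for them the header source is the only thing the station has anyway.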