jon_harris
asked on
Setting up a VPN between a Cisco 827H and a PIX
I have a problem setting up a VPN between a Cisco 827H and a PIX.
Sorry for the long question but I think some details on the LAN/WAN setup might be useful.
Although I am OK on LAN and IP in general, setting up Cisco routers is a dark art to me :-)
Our customer has two LANs
HQ
192.168.2.x
Cisco Router (2600, I think)
ADSL Router
Cisco PIX
+8 Static IP Addresses
the routers and pix have their own real ip addresses from the static address pool, plus there are 2 unused real addresses.
Sub-office
192.168.1.x
Cisco 2600
Cisco 827H (ADSL)
+ 1 Static IP Address
Between the two offices they have a private 256K circuit, which is managed by the two 2600 routers. They do not use (or wish to use DHCP) as they want to limit web access by workstation (by blocking port 80 trafic to certain workstations).
I have been involved in setting up the 827H which is working fine, in the sense they have shared internet access from all the PCs. Someone (a cisco engineer) has been in and setup the 2600 so all internet trafic is sent through the 827H. This means that all the PCs have their 'gateway' set as the 2600's address. The 2600 address routes 192.168.2.x traffic through the 256k connection and internet trafic is sent to 192.168.1.150 (the internal address of the 827H)
My only involvement has been the 827H, which we bought with the IPsec upgrade. That install OK as the VPN options are available on the web interface. I don't know if the is relevant, but when I ran the automatic configuration option for the ADSL side it set it to 'PPPoA' - Although, when it was setup, Internet access started working.
What I want to do is setup a VPN tunnel between the HQ PIX and the sub-office 827H. If I see a message 'VPN established' I will be happy :-) - how they use it is up to them. They want to use the Internet for the VPN as the 256K pipe is for other purposes.
On the 827H there are basically only 4 boxes:
Client or Network Extension Mode
IP Address
Group-Name
Password
From reading the documentation, I believe I want network extension mode, so they will 'see' the WAN as a single LAN, (no NAT or PAT).
I have tried many options but it always fails. I have been told that the PIX needs to be setup to as VPN server, which is really my question.
How should it be setup?
Should I use one of the spare ip addresses? (it has a real address on its outside interface)
Will the 2600s get in the way?
I anyone can help with this I would be very grateful - It appears I can't get any help from Cisco
Sorry for the long question but I think some details on the LAN/WAN setup might be useful.
Although I am OK on LAN and IP in general, setting up Cisco routers is a dark art to me :-)
Our customer has two LANs
HQ
192.168.2.x
Cisco Router (2600, I think)
ADSL Router
Cisco PIX
+8 Static IP Addresses
the routers and pix have their own real ip addresses from the static address pool, plus there are 2 unused real addresses.
Sub-office
192.168.1.x
Cisco 2600
Cisco 827H (ADSL)
+ 1 Static IP Address
Between the two offices they have a private 256K circuit, which is managed by the two 2600 routers. They do not use (or wish to use DHCP) as they want to limit web access by workstation (by blocking port 80 trafic to certain workstations).
I have been involved in setting up the 827H which is working fine, in the sense they have shared internet access from all the PCs. Someone (a cisco engineer) has been in and setup the 2600 so all internet trafic is sent through the 827H. This means that all the PCs have their 'gateway' set as the 2600's address. The 2600 address routes 192.168.2.x traffic through the 256k connection and internet trafic is sent to 192.168.1.150 (the internal address of the 827H)
My only involvement has been the 827H, which we bought with the IPsec upgrade. That install OK as the VPN options are available on the web interface. I don't know if the is relevant, but when I ran the automatic configuration option for the ADSL side it set it to 'PPPoA' - Although, when it was setup, Internet access started working.
What I want to do is setup a VPN tunnel between the HQ PIX and the sub-office 827H. If I see a message 'VPN established' I will be happy :-) - how they use it is up to them. They want to use the Internet for the VPN as the 256K pipe is for other purposes.
On the 827H there are basically only 4 boxes:
Client or Network Extension Mode
IP Address
Group-Name
Password
From reading the documentation, I believe I want network extension mode, so they will 'see' the WAN as a single LAN, (no NAT or PAT).
I have tried many options but it always fails. I have been told that the PIX needs to be setup to as VPN server, which is really my question.
How should it be setup?
Should I use one of the spare ip addresses? (it has a real address on its outside interface)
Will the 2600s get in the way?
I anyone can help with this I would be very grateful - It appears I can't get any help from Cisco
jon_harris - Did you solve this, as I am trying to set up a simalar VPN myself and would appreciate a little advice if you have any
-Stuart
-Stuart
How did you go with this one as I am in the same boat
donwilsonuk,
I think you'll get a much better response if you post a new question of your own. This question seems to have been abandonded by jon_harris...
Be as detailed as you can with your own Q and we'll help you work it out.
Thanks!
I think you'll get a much better response if you post a new question of your own. This question seems to have been abandonded by jon_harris...
Be as detailed as you can with your own Q and we'll help you work it out.
Thanks!
ASKER
Hi I am still around.
The simple answer is, No I haven't got it working and I am not sure what to do next.
The PIX has a very comprehensive GUI and appears reasonably easy to setup. The 827H does seem to have anything apart from a four box dialog.
The firewall capabilitities on the PIX are really nice to setup, but the 827H has no setup for the Firewall, just an 'on' or 'off'!
The 827H is being marketed as a easy to setup and manage branch office router, it seems the only way to get it configured is to
telnet into it and do everything from the command line, the two things don't add up.
My client wants to block some workstation IP addresses from using the web. This is a pretty standard requirement, the 827 GUI has no
way of doing anything - we paid for the Software feature pack to enable it do this.
I do not know of any other firewall that can't be setup to block port 80 on a particular LAN ip address in
more than about 30 seconds. For me the 827H was a complete waste of money. I wish I specified a low cost ADSL router and another
easy to setup firewall.
Whatever we tried, the 872H states that the VPN setup has failed. I have tried following some Cisco documentation but no luck. Every time I try to
set it up it loses the ability to route intenet trafic.
What I wanted was a clear do-this-do-that instructions for the PIX and then the 827H
I am completely stuck.I don't even know if 'easyVPN' (on the 827H) the same VPN as on the PIX
The only solution I can come up with is to abandon the vpn on the 827, just using it as a router and get another PIX for the branch office.
Sorry to rant but cumulatively I have probably spent two days on this and I am no nearere a solution. I was recommended this setup
by the Cisco guys we bought if from and every one tells us it can be done, as soon as I ask some questions the meter starts running
and they won't help us.
Jon Harris
The simple answer is, No I haven't got it working and I am not sure what to do next.
The PIX has a very comprehensive GUI and appears reasonably easy to setup. The 827H does seem to have anything apart from a four box dialog.
The firewall capabilitities on the PIX are really nice to setup, but the 827H has no setup for the Firewall, just an 'on' or 'off'!
The 827H is being marketed as a easy to setup and manage branch office router, it seems the only way to get it configured is to
telnet into it and do everything from the command line, the two things don't add up.
My client wants to block some workstation IP addresses from using the web. This is a pretty standard requirement, the 827 GUI has no
way of doing anything - we paid for the Software feature pack to enable it do this.
I do not know of any other firewall that can't be setup to block port 80 on a particular LAN ip address in
more than about 30 seconds. For me the 827H was a complete waste of money. I wish I specified a low cost ADSL router and another
easy to setup firewall.
Whatever we tried, the 872H states that the VPN setup has failed. I have tried following some Cisco documentation but no luck. Every time I try to
set it up it loses the ability to route intenet trafic.
What I wanted was a clear do-this-do-that instructions for the PIX and then the 827H
I am completely stuck.I don't even know if 'easyVPN' (on the 827H) the same VPN as on the PIX
The only solution I can come up with is to abandon the vpn on the 827, just using it as a router and get another PIX for the branch office.
Sorry to rant but cumulatively I have probably spent two days on this and I am no nearere a solution. I was recommended this setup
by the Cisco guys we bought if from and every one tells us it can be done, as soon as I ask some questions the meter starts running
and they won't help us.
Jon Harris
You are going to have to get your hands dirty here Jon_Harris, the GUI just isn't going to do everything you want. You best unpack that nice blue cable from the cisco packing and start up a terminal client.
As for the config for the VPN I posted up something simalar recently and a very nice man posted a sample config:
https://www.experts-exchange.com/questions/20668470/Cisco-827.html
I have issues with my ACL's somewhere, but the tunnels are created and teh VPN to some extent works
As for the config for the VPN I posted up something simalar recently and a very nice man posted a sample config:
https://www.experts-exchange.com/questions/20668470/Cisco-827.html
I have issues with my ACL's somewhere, but the tunnels are created and teh VPN to some extent works
ASKER
Hi fz2hqs
Many thanks for your response.
I have had a look at your thread will give that config a go.
I did n't mind setting up the vpn throught telnet, its just that I don't really know what I am doing. My understanding of VPN doesn't extend
much past the concept of an encrypted ip tunnel. Also I didn't want to want to break what was already working.
Also, what does to 'some extent' mean? :-)
Jon
Many thanks for your response.
I have had a look at your thread will give that config a go.
I did n't mind setting up the vpn throught telnet, its just that I don't really know what I am doing. My understanding of VPN doesn't extend
much past the concept of an encrypted ip tunnel. Also I didn't want to want to break what was already working.
Also, what does to 'some extent' mean? :-)
Jon
My tunnel is there I can see it from my PIX, however I have left somethign on the 827 that looks to be blocking traffic (the 827 is 115 miles away with no computer literate persoin near it!)
Keep us updated
Keep us updated
jon, what version OS on the PIX? Highly suggest upgrading to new 6.3(1) and PDM 3.01 GUI. The VPN wizard makes this a snap on the PIX end.
ASKER
All I currently know is that it is a '506'. I am waiting for my client to get back to me on which IOS its running.
However, Its about 6 months old and it would have been the current release at that time.
Presumably, 6.3(1) is fairly new, so its unlikely they do have that version. I suspect that it is not a free upgrade either :(
Jon
However, Its about 6 months old and it would have been the current release at that time.
Presumably, 6.3(1) is fairly new, so its unlikely they do have that version. I suspect that it is not a free upgrade either :(
Jon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
jon_harris:
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
This old question needs to be finalized -- accept an answer, split points, or get a refund. For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations! No comment means you don't care.
RECOMMENDATION: Points awarded to: lrmoore
http://www.cisco.com/warp/public/110/39.html