Setting up a VPN between a Cisco 827H and a PIX
Posted on 2003-04-01
I have a problem setting up a VPN between a Cisco 827H and a PIX.
Sorry for the long question but I think some details on the LAN/WAN setup might be useful.
Although I am OK on LAN and IP in general, setting up Cisco routers is a dark art to me :-)
Our customer has two LANs
Cisco Router (2600, I think)
+ 8 Static IP Addresses
The routers and PIX have their own real IP addresses from the static address pool, plus there are 2 unused real addresses.
Cisco 827H (ADSL)
+ 1 Static IP Address
Between the two offices they have a private 256K circuit, which is managed by the two 2600 routers. They do not use (or wish to use) DHCP, as they want to limit web access by workstation (by blocking port 80 traffic to certain workstations).
I have been involved in setting up the 827H, which is working fine, in the sense that they have shared Internet access from all the PCs. Someone (a Cisco engineer) has been in and set up the 2600 so all Internet traffic is sent through the 827H. This means that all the PCs have their 'gateway' set as the 2600's address. The 2600 address routes 192.168.2.x traffic through the 256K connection, and Internet traffic is sent to 192.168.1.150 (the internal address of the 827H).
My only involvement has been the 827H, which we bought with the IPsec upgrade. That installed OK, as the VPN options are available on the web interface. I don't know if this is relevant, but when I ran the automatic configuration option for the ADSL side it set it to 'PPPoA' - although, when it was set up, Internet access started working.
What I want to do is set up a VPN tunnel between the HQ PIX and the sub-office 827H. If I see a message 'VPN established' I will be happy :-) - how they use it is up to them. They want to use the Internet for the VPN as the 256K pipe is for other purposes.
On the 827H there are basically only 4 boxes:
Client or Network Extension Mode
From reading the documentation, I believe I want network extension mode, so they will 'see' the WAN as a single LAN, (no NAT or PAT).
I have tried many options but it always fails. I have been told that the PIX needs to be set up as a VPN server, which is really my question.
How should it be set up?
Should I use one of the spare IP addresses? (It has a real address on its outside interface.)
Will the 2600s get in the way?
If anyone can help with this I would be very grateful - it appears I can't get any help from Cisco.