• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445

Cisco VPN 3000: Addressing and Topology Question

A client with around 30 users has switched DSL ISPs.

The previous ISP assigned them (as part of the service's package) a pool of public IP addresses -- one of which was used for their VPN 3000. Unfortunately, the cheesy new ISP does not support this, insisting upon only one address per customer.

This has deprived them of an additional address to use for accessing the VPN 3000.

I believe (and perhaps I'm mistaken here, hence the posting) that I can get around this by acquiring a router, assigning the VPN only an internally valid address and forwarding VPN traffic through the firewall (Pix 515) to the 3000.

I imagine it would look something like this:

[DSL] --> [ROUTER] --> [PIX 515] ---> [CATALYST /FASTHUBS] <--> VPN 3000

This looks right to me but I'm certain I'm missing something.

Any help figuring out how to access the 3000 (and where it should be placed) would be well rewarded -- and appreciated.
0
Asked by: idoru345
1 Solution
 
What90 Commented:
Hi idoru345,


What you have is fine - I'm taking it that the DSL terminates on to the router -

Remember to allow traffic to the 3000 (but only VPN traffic) via the PIX (protocol 1753 and GRE 47)


0
 
idoru345 (Author) Commented:
Thanks What90.


Yes, the DSL modem terminates in the router.

Two related questions before closing this out and awarding points:


As you know, the VPN 3000's configuration interface allows you to set it up with public and private addresses. Since this company no longer has additional public addresses to assign the router (after switching DSL ISPs), I'm wondering whether I can leave the "Public" fields blank and only fill in the "Private" ones, or should I give it the same "Private" (internal) address twice? Or some other combination I haven't thought of.

In other words, since I no longer have a true public address to assign the 3000's "Public" interface, what's the best way to configure it to be only a device on the private network which accepts forwarded VPN traffic from a router?

And...


The client already has an unused SOHO 91 in stock, but I'm not sure this will serve the routing purpose since there are approx. 30 users and it's my understanding the SOHO, designed for no more than five users, might be a bottleneck -- even with switch-managed traffic coming its way. Any recommendations (or is the SOHO a workable option)?
0
 
What90 Commented:
Thinking about it, what about this:

[DSL] --> public ip [ROUTER] 192.168.0.2 -->Small hub/switch--> 192.168.0.10[PIX 515] 192.168.1.10 --- LAN
                                                                                         <--> 192.168.0.100 [VPN 3000]192.168.1.100--- LAN

Creates a DMZ area and will allow both devices to do their jobs without further rules on the PIX.

Not sure about the SOHO 91 - did the ISP not give you a router with the set up? If not, it might be better to nip out and get a router/4-port switch. Netgear/Linksys/D-Link/etc. all do good boxes which are VPN compliant and fairly cheap.
0
 
idoru345 (Author) Commented:
No, the ISP didn't provide a router, just the DSL modem (they're truly sub-par).

So, if I'm understanding your diagram correctly, the ROUTER will have both the public, ISP-assigned address as well as an internal address. It will use a port on the switch. The PIX and VPN 3000 will also plug into the switch -- each will have independent physical routes to the LAN.

Is that right?
0
 
What90 Commented:
Don't want to swap your isp to a better one do you? ;-)

Back to reality - you're correct.

The internal router port and the external ports of the PIX and 3000 will be on the 192.168.0.x network.
You'd have to set up a rule on the router for the VPN traffic to be directed to the 3000.

The default gateway for your LAN clients would be the firewall PIX 192.168.1.10 address.
The 3000 is on both internal networks, so your clients should be able to use it as a gateway.


This might help for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml

Luck with the setup!
0
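A quick sanity check of the DMZ plan drawn above, as an added example that is not part of the thread: it encodes the addresses from What90's diagram, confirms each interface sits on the intended segment with no duplicates, and models the router's "forward only VPN traffic to the 3000" rule. The set of VPN services (IPsec IKE/NAT-T/ESP and PPTP/GRE) is an assumption about what the concentrator is serving, not something the thread states.

```python
"""Check the two-segment DMZ addressing plan from the thread (added example)."""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.168.0.0/24")  # router inside, PIX outside, VPN 3000 public
LAN = ip_network("192.168.1.0/24")  # PIX inside, VPN 3000 private, LAN clients
SEGMENTS = {"dmz": DMZ, "lan": LAN}

# Interface addresses exactly as drawn in What90's diagram.
PLAN = {
    "router":  {"dmz": "192.168.0.2"},
    "pix":     {"dmz": "192.168.0.10",  "lan": "192.168.1.10"},
    "vpn3000": {"dmz": "192.168.0.100", "lan": "192.168.1.100"},
}

# Assumed VPN services the router forwards from its single public address to
# the concentrator; anything else arriving from the ISP side is dropped.
# (udp 500 = IKE, udp 4500 = IKE NAT-T, esp = IP proto 50, tcp 1723 + gre = PPTP)
VPN_FORWARD = {("udp", 500), ("udp", 4500), ("esp", None), ("tcp", 1723), ("gre", None)}


def check_plan(plan=PLAN):
    """Return a list of problems; an empty list means every address is on its
    intended segment and no address is used twice."""
    problems, seen = [], {}
    for device, ifaces in plan.items():
        for seg, addr in ifaces.items():
            ip = ip_address(addr)
            if ip not in SEGMENTS[seg]:
                problems.append(f"{device} {seg} {addr} is not in {SEGMENTS[seg]}")
            if ip in seen:
                problems.append(f"{addr} used by both {seen[ip]} and {device}")
            seen[ip] = device
    return problems


def router_decision(proto, dport=None, plan=PLAN):
    """Model the router's inbound rule: VPN traffic goes to the 3000's DMZ
    address, everything else is dropped. Port only matters for tcp/udp."""
    key = (proto, dport if proto in ("tcp", "udp") else None)
    return plan["vpn3000"]["dmz"] if key in VPN_FORWARD else "drop"


def client_next_hop(dst, plan=PLAN):
    """LAN clients reach the LAN directly and use the PIX inside address as
    their default gateway, as the thread describes."""
    return "direct" if ip_address(dst) in LAN else plan["pix"]["lan"]


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    print("inbound IKE ->", router_decision("udp", 500))
    print("inbound HTTP ->", router_decision("tcp", 80))
```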
 
idoru345 (Author) Commented:
Thanks for all your help What90!

Much appreciated.
0