Solved

Cisco VPN 3000: Addressing and Topology Question

Posted on 2004-03-29
Last Modified: 2010-04-12
A client with around 30 users has switched DSL ISPs.

The previous ISP assigned them (as part of the service's package) a pool of public ip addresses -- one of which was used for their VPN 3000.  Unfortunately, the cheesy new ISP does not support this, insisting upon only one address per customer.

This has deprived them of an additional address to use for accessing the VPN 3000.  

I believe (and perhaps I'm mistaken here, hence the posting) that I can get around this by acquiring a router, assigning the VPN only an internally valid address and forwarding VPN traffic through the firewall (Pix 515) to the 3000.

I imagine it would look something like this:

[DSL] --> [ROUTER] --> [PIX 515] ---> [CATALYST /FASTHUBS] <--> VPN 3000

This looks right to me but I'm certain I'm missing something.

Any help figuring out how to access the 3000 (and where it should be placed) would be well rewarded -- and appreciated.
Question by:idoru345
6 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10710288
Hi idoru345,


What you have is fine - I'm taking it that the DSL terminates on the router.

Remember to allow traffic to the 3000 (but only VPN traffic) via the PIX (protocol 1753 and GRE 47).


 

Author Comment

by:idoru345
ID: 10712503
Thanks What90.


Yes, the DSL modem terminates in the router.

Two related questions before closing this out and awarding points:


As you know, the VPN 3000's configuration interface allows you to set it up with public and private addresses. Since this company no longer has additional public addresses to assign the router (after switching DSL ISPs), I'm wondering whether I can leave the "Public" fields blank and only fill in the "Private" ones, or should I give it the same "Private" (internal) address twice? Or some other combination I haven't thought of.

In other words, since I no longer have a true public address to assign the 3000's "Public" interface what's the best way to configure it to be only a device on the private network which accepts forwarded VPN traffic from a router?

And...


The client already has an unused SOHO 91 in stock, but I'm not sure this will serve the routing purpose since there are approx. 30 users and it's my understanding the SOHO, designed for no more than five users, might be a bottleneck -- even with switch-managed traffic coming its way. Any recommendations (or is the SOHO a workable option)?
 
LVL 20

Accepted Solution

by: What90 (earned 500 total points)
ID: 10712908
Thinking about it, what about this:

[DSL] --> public ip [ROUTER] 192.168.0.2 --> Small hub/switch --> 192.168.0.10 [PIX 515] 192.168.1.10 --- LAN
                                                             <--> 192.168.0.100 [VPN 3000] 192.168.1.100 --- LAN

Creates a DMZ area and will allow both devices to do their jobs without further rules on the PIX.

Not sure about the SOHO 91 - did the ISP not give you a router with the setup? If not, it might be better to nip out and buy a router/4-port switch. Netgear/Linksys/D-Link/etc. all do good boxes which are VPN compliant and fairly cheap.

Author Comment

by:idoru345
ID: 10713904
No, the ISP didn't provide a router, just the DSL modem (they're truly sub-par).

So, if I'm understanding your diagram correctly, the ROUTER will have both the public, ISP-assigned address as well as an internal address. It will use a port on the switch. The PIX and VPN 3000 will also plug into the switch -- each will have independent physical routes to the LAN.

Is that right?
 
LVL 20

Expert Comment

by:What90
ID: 10719196
Don't want to swap your ISP to a better one, do you? ;-)

Back to reality - you're correct.

The internal router port and the external ports of the PIX and 3000 will be on the 192.168.0.x network.
You'd have to set up a rule for the VPN traffic to be directed to the 3000 on the router.

The default gateway for your LAN clients would be the firewall PIX 192.168.1.10 address.
The 3000 is on both internal networks, so clients should be able to use it as a gateway.


This might help for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml

Luck with the setup!
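What90's note that "you'd have to set up a rule for the VPN traffic to be directed to the 3000 on the router" is the piece a SOHO box may or may not expose cleanly, so here is that rule set spelled out. This is an added example, not configuration from the thread or from Cisco: it assumes the Internet router is a Linux box using iptables rather than a SOHO 91, that its WAN interface is `ppp0`, and that the VPN 3000's "Public" side sits at 192.168.0.100 as in the diagram above. The services covered are the ones a VPN 3000 terminates: IPsec (IKE on UDP 500, NAT-T on UDP 4500, ESP), PPTP (TCP 1723 plus GRE) and plain L2TP (UDP 1701). ESP and GRE are IP protocols, not ports, so each needs its own DNAT rule, and a single public address can only forward each of them to one inside host; with one concentrator that is not a limitation.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates the iptables
# rules a Linux Internet router would need to forward every VPN 3000 protocol
# from its single public address to the concentrator's DMZ-side interface.
# Assumed values (from the thread's diagram, plus an assumed WAN name):
VPN_3000_DMZ=192.168.0.100   # "Public" interface of the VPN 3000
WAN_IF=ppp0                  # assumed interface holding the ISP address

# Print the rules instead of executing them, so the set can be reviewed and
# tested first. Apply with:  vpn_forward_rules 192.168.0.100 ppp0 | sh
vpn_forward_rules() {
    dst="$1"; wan="$2"

    # NAT everything leaving toward the ISP behind the single public address,
    # and let the DMZ hosts (PIX outside, VPN 3000 public side) initiate outbound.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    echo "iptables -A FORWARD -o $wan -j ACCEPT"
    # Return traffic for flows the inside started.
    echo "iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Port-based services: IKE, NAT-T, plain L2TP, PPTP control channel.
    # Drop the udp:1701 entry if only L2TP-over-IPsec is used (it rides inside ESP).
    for svc in udp:500 udp:4500 udp:1701 tcp:1723; do
        proto=${svc%%:*}; port=${svc##*:}
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $dst"
        echo "iptables -A FORWARD -i $wan -p $proto -d $dst --dport $port -j ACCEPT"
    done

    # Protocol-based services with no port: ESP (IPsec data) and GRE (PPTP data).
    for proto in esp gre; do
        echo "iptables -t nat -A PREROUTING -i $wan -p $proto -j DNAT --to-destination $dst"
        echo "iptables -A FORWARD -i $wan -p $proto -d $dst -j ACCEPT"
    done

    # Anything else arriving from the Internet is dropped; the PIX never sees it.
    echo "iptables -A FORWARD -i $wan -j DROP"
}

# Number of rules the generator emits, used as a self-check.
vpn_rule_count() {
    vpn_forward_rules "$1" "$2" | wc -l | tr -d ' '
}

vpn_forward_rules "$VPN_3000_DMZ" "$WAN_IF"
```

Only the inbound VPN protocols are mapped to the 3000; the PIX's outside interface is reachable from the Internet only for replies to flows it opened, which matches the thread's point that the DMZ design needs no extra PIX rules for the concentrator. If the client does keep the SOHO 91, the same list (UDP 500, UDP 4500, TCP 1723, plus ESP and GRE) is what its port-forwarding page must be able to express; a box that can forward only TCP/UDP ports cannot pass ESP or GRE and would limit remote users to NAT-T IPsec.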
 

Author Comment

by:idoru345
ID: 10725417
Thanks for all your help, What90!

Much appreciated.
