idoru345
asked on
Cisco VPN 3000: Addressing and Topology Question
A client with around 30 users has switched DSL ISPs.
The previous ISP assigned them (as part of the service's package) a pool of public ip addresses -- one of which was used for their VPN 3000. Unfortunately, the cheesy new ISP does not support this, insisting upon only one address per customer.
This has deprived them of an additional address to use for accessing the VPN 3000.
I believe (and perhaps I'm mistaken here, hence the posting) that I can get around this by acquiring a router, assigning the VPN only an internally valid address and forwarding VPN traffic through the firewall (Pix 515) to the 3000.
I imagine it would look something like this:
[DSL] --> [ROUTER] --> [PIX 515] ---> [CATALYST /FASTHUBS] <--> VPN 3000
This looks right to me but I'm certain I'm missing something.
Any help figuring out how to access the 3000 (and where it should be placed) would be well rewarded -- and appreciated.
The previous ISP assigned them (as part of the service's package) a pool of public ip addresses -- one of which was used for their VPN 3000. Unfortunately, the cheesy new ISP does not support this, insisting upon only one address per customer.
This has deprived them of an additional address to use for accessing the VPN 3000.
I believe (and perhaps I'm mistaken here, hence the posting) that I can get around this by acquiring a router, assigning the VPN only an internally valid address and forwarding VPN traffic through the firewall (Pix 515) to the 3000.
I imagine it would look something like this:
[DSL] --> [ROUTER] --> [PIX 515] ---> [CATALYST /FASTHUBS] <--> VPN 3000
This looks right to me but I'm certain I'm missing something.
Any help figuring out how to access the 3000 (and where it should be placed) would be well rewarded -- and appreciated.
ASKER
Thanks What90.
Yes, the DSL modem terminates in the router.
Two related questions before closing this out and awarding points:
As you know, the VPN 3000's configuration interface allows you to set it up with public and private addresses. Since this company no longer has additional public addresses to assign the router (after switching DSL ISPs) I'm wondering whether I can leave the "Public" fields blank and only fill in the "Private" ones or should I give it the same "Private" (internal) address twice? Or some other combination I haven't thought of.
In other words, since I no longer have a true public address to assign the 3000's "Public" interface what's the best way to configure it to be only a device on the private network which accepts forwarded VPN traffic from a router?
And...
The client already has an un-used SOHO 91 in stock but I'm not sure this will serve the routing purpose since there are approx. 30 users and it's my understanding the SOHO, designed for no more than five users, might be a bottleneck -- even with switch managed traffic coming its way. Any recommendations (or is the SOHO a workable option)?
Yes, the DSL modem terminates in the router.
Two related questions before closing this out and awarding points:
As you know, the VPN 3000's configuration interface allows you to set it up with public and private addresses. Since this company no longer has additional public addresses to assign the router (after switching DSL ISPs) I'm wondering whether I can leave the "Public" fields blank and only fill in the "Private" ones or should I give it the same "Private" (internal) address twice? Or some other combination I haven't thought of.
In other words, since I no longer have a true public address to assign the 3000's "Public" interface what's the best way to configure it to be only a device on the private network which accepts forwarded VPN traffic from a router?
And...
The client already has an un-used SOHO 91 in stock but I'm not sure this will serve the routing purpose since there are approx. 30 users and it's my understanding the SOHO, designed for no more than five users, might be a bottleneck -- even with switch managed traffic coming its way. Any recommendations (or is the SOHO a workable option)?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
No, the ISP didn't provide a router, just the DSL modem (they're truly sub-par).
So, if I'm understanding your diagram correctly, the ROUTER will have both the public, ISP assigned address as well as an internal address. It will use a port on the switch. The Pix and VPN 3000 will also plug into the switch -- each will have independent physical routes to the LAN.
Is that right?
So, if I'm understanding your diagram correctly, the ROUTER will have both the public, ISP assigned address as well as an internal address. It will use a port on the switch. The Pix and VPN 3000 will also plug into the switch -- each will have independent physical routes to the LAN.
Is that right?
Don't want to swap your isp to a better one do you? ;-)
Back to reality -your correct.
The internal router port and ther external ports of the PIx and 3000 will be on the 192.168.0.x network
You'd have to set up a rule for the VPN traffic to be directed to the 3000 on the router.
The default gateway for your LAN clients would be the firewall Pix 192.168.1.10 address
The 3000 is on bothe internal networks, by client should be able to use it as a gateway.
This might help for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml
Luck with the setup!
Back to reality -your correct.
The internal router port and ther external ports of the PIx and 3000 will be on the 192.168.0.x network
You'd have to set up a rule for the VPN traffic to be directed to the 3000 on the router.
The default gateway for your LAN clients would be the firewall Pix 192.168.1.10 address
The 3000 is on bothe internal networks, by client should be able to use it as a gateway.
This might help for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml
Luck with the setup!
ASKER
Thanks for all your help What 90!
Much appreciated.
Much appreciated.
What you have is fine - I'm taking that the DSL teminates on to the router -
Remember to allow traffic to the 3000 (but only VPN traffic) via the PIX (protocol 1753 and GRE 47)