Solved

Cisco VPN 3000: Addressing and Topology Question

Posted on 2004-03-29
Last Modified: 2010-04-12
A client with around 30 users has switched DSL ISPs.

The previous ISP assigned them (as part of the service's package) a pool of public ip addresses -- one of which was used for their VPN 3000.  Unfortunately, the cheesy new ISP does not support this, insisting upon only one address per customer.

This has deprived them of an additional address to use for accessing the VPN 3000.  

I believe (and perhaps I'm mistaken here, hence the posting) that I can get around this by acquiring a router, assigning the VPN only an internally valid address and forwarding VPN traffic through the firewall (Pix 515) to the 3000.

I imagine it would look something like this:

[DSL] --> [ROUTER] --> [PIX 515] ---> [CATALYST /FASTHUBS] <--> VPN 3000

This looks right to me but I'm certain I'm missing something.

Any help figuring out how to access the 3000 (and where it should be placed) would be well rewarded -- and appreciated.
Question by:idoru345
6 Comments

Expert Comment

by:What90
ID: 10710288
Hi idoru345,


What you have is fine - I'm taking it that the DSL terminates on the router.

Remember to allow traffic to the 3000 (but only VPN traffic) via the PIX (protocol 1753 and GRE 47)



Author Comment

by:idoru345
ID: 10712503
Thanks What90.


Yes, the DSL modem terminates in the router.

Two related questions before closing this out and awarding points:


As you know, the VPN 3000's configuration interface allows you to set it up with public and private addresses. Since this company no longer has additional public addresses to assign the router (after switching DSL ISPs), I'm wondering whether I can leave the "Public" fields blank and only fill in the "Private" ones, or whether I should give it the same "Private" (internal) address twice, or some other combination I haven't thought of.

In other words, since I no longer have a true public address to assign the 3000's "Public" interface what's the best way to configure it to be only a device on the private network which accepts forwarded VPN traffic from a router?

And...


The client already has an unused SOHO 91 in stock, but I'm not sure this will serve the routing purpose since there are approx. 30 users and it's my understanding the SOHO, designed for no more than five users, might be a bottleneck -- even with switch-managed traffic coming its way. Any recommendations (or is the SOHO a workable option)?

Accepted Solution

by:
What90 earned 2000 total points
ID: 10712908
Thinking about it, what about this:

[DSL] --> public ip [ROUTER] 192.168.0.2 -->Small hub/switch--> 192.168.0.10[PIX 515] 192.168.1.10 --- LAN
                                                                                         <--> 192.168.0.100 [VPN 3000]192.168.1.100--- LAN

Creates a DMZ area and will allow both devices to do their jobs without further rules on the PIX.

Not sure about the SOHO 91 - did the ISP not give you a router with the setup? If not, it might be better to nip out and buy a router/4-port switch. Netgear/Linksys/D-Link etc. all do good boxes which are VPN compliant and fairly cheap.

Author Comment

by:idoru345
ID: 10713904
No, the ISP didn't provide a router, just the DSL modem (they're truly sub-par).

So, if I'm understanding your diagram correctly, the ROUTER will have both the public, ISP assigned address as well as an internal address.  It will use a port on the switch.  The Pix and VPN 3000 will also plug into the switch -- each will have independent physical routes to the LAN.

Is that right?

Expert Comment

by:What90
ID: 10719196
Don't want to swap your isp to a better one do you? ;-)

Back to reality - you're correct.

The internal router port and the external ports of the PIX and 3000 will be on the 192.168.0.x network.
You'd have to set up a rule on the router for the VPN traffic to be directed to the 3000.

The default gateway for your LAN clients would be the firewall PIX 192.168.1.10 address.
The 3000 is on both internal networks, so clients should be able to use it as a gateway.


This might help for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094767.shtml

Luck with the setup!
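The two-subnet DMZ layout from the accepted solution and the router forwarding rule What90 mentions above, worked through as an added Python example (this is not code from the original thread). It checks the address plan from the diagram for consistency and models the router's forwarding table behind the ISP's single public address. The /24 prefix lengths and the "dmz"/"lan" role labels are assumptions; the thread gives only the host addresses. Which protocols the router must forward depends on the VPN type: IPsec clients need IKE on UDP/500, ESP (IP protocol 50) and, with NAT-T, UDP/4500, while PPTP needs TCP/1723 plus GRE (IP protocol 47). ESP and GRE carry no port, so with one public address only a single inside host can receive each of them, which is why the concentrator, not the PIX, has to own them here.

```python
"""Check the two-subnet DMZ plan and model single-public-IP forwarding to the VPN 3000.

Added example for the thread; addresses come from the accepted answer's diagram,
prefix lengths and network roles are assumed.
"""
import ipaddress
from collections import Counter

# Assumed /24 networks behind the router.
NETS = {
    "dmz": ipaddress.ip_network("192.168.0.0/24"),  # router inside, PIX outside, 3000 public
    "lan": ipaddress.ip_network("192.168.1.0/24"),  # PIX inside, 3000 private, LAN clients
}

# (device, interface, address/prefix, attached network) - constructed from the diagram.
PLAN = [
    ("router",  "inside",  "192.168.0.2/24",   "dmz"),
    ("pix515",  "outside", "192.168.0.10/24",  "dmz"),
    ("pix515",  "inside",  "192.168.1.10/24",  "lan"),
    ("vpn3000", "public",  "192.168.0.100/24", "dmz"),
    ("vpn3000", "private", "192.168.1.100/24", "lan"),
]
LAN_DEFAULT_GW = "192.168.1.10"  # the PIX inside address, per the thread
DMZ_DEFAULT_GW = "192.168.0.2"   # the router's inside address

# Protocol/port tuples the router must forward to the concentrator's public side.
# ESP and GRE have no port, so only one inside host can receive each of them.
IPSEC_FORWARDS = [("udp", 500), ("udp", 4500), ("esp", None)]  # IKE, NAT-T, ESP (proto 50)
PPTP_FORWARDS = [("tcp", 1723), ("gre", None)]                  # PPTP control, GRE (proto 47)


def check_plan(plan, nets, lan_gw=LAN_DEFAULT_GW, dmz_gw=DMZ_DEFAULT_GW):
    """Return a list of problems with the address plan; an empty list means it is consistent."""
    problems = []
    ips = Counter()
    by_net = {name: set() for name in nets}
    for dev, ifname, cidr, net in plan:
        iface = ipaddress.ip_interface(cidr)
        ips[iface.ip] += 1
        by_net[net].add(iface.ip)
        if iface.ip not in nets[net]:
            problems.append(f"{dev}/{ifname} {iface.ip} is not in the {net} network {nets[net]}")
    for ip, count in ips.items():
        if count > 1:
            problems.append(f"address {ip} assigned {count} times")
    # Each segment's default gateway must be an interface that actually exists on that segment.
    for gw, net in ((lan_gw, "lan"), (dmz_gw, "dmz")):
        if ipaddress.ip_address(gw) not in by_net[net]:
            problems.append(f"{net} default gateway {gw} is not a configured {net} interface")
    return problems


def conflicts(rules):
    """Return (proto, port) tuples that more than one inside host claims.

    rules: iterable of ((proto, port), inside_ip).
    """
    owners = {}
    for key, inside in rules:
        owners.setdefault(key, set()).add(inside)
    return sorted(k for k, v in owners.items() if len(v) > 1)


def build_forward_table(rules):
    """Map each (proto, port) to the single inside host the router forwards it to."""
    clashes = conflicts(rules)
    if clashes:
        raise ValueError(f"one public address cannot forward {clashes} to two inside hosts")
    return dict(rules)


def inbound_destination(table, proto, port=None):
    """Inside host for an unsolicited inbound packet, or None if the router drops it."""
    return table.get((proto, port))


if __name__ == "__main__":
    for problem in check_plan(PLAN, NETS) or ["address plan is consistent"]:
        print(problem)
    table = build_forward_table([(key, "192.168.0.100") for key in IPSEC_FORWARDS])
    for proto, port in IPSEC_FORWARDS + [("tcp", 80)]:
        print(proto, port, "->", inbound_destination(table, proto, port))
```

Run it as a script to list any plan problems and the resulting forwarding decisions; swap `IPSEC_FORWARDS` for `PPTP_FORWARDS` if the concentrator is terminating PPTP instead. The `conflicts` check is the part worth keeping around: it makes the constraint behind the original question explicit, that a second VPN endpoint (the PIX, say) cannot also receive ESP or GRE behind the same single public address.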

Author Comment

by:idoru345
ID: 10725417
Thanks for all your help What90!

Much appreciated.