Solved

Pix to Pix VPN setup question

Posted on 2004-08-12
Last Modified: 2010-04-11
I am about to start working on a VPN project for my company that will require connectivity to remote sites for access to mapped drives, Exchange and web to the Corporate site. We have a 515E at the Corp and I am planning on putting 501s at each location. What is required as far as IP addresses to make this work? I will get a static IP and DSL circuit for each site to get them up and talking to the web. As far as VPN goes, I'm new to it so bear with me. Do I need additional IPs, one for Corp site and one for remote site for the tunnel? I know the PDM will probably make the VPN setup easy enough since it has a wizard to guide me through.
Question by:rick_me27
6 Comments
 
LVL 27

Accepted Solution

by:
pseudocyber earned 50 total points
ID: 11784347
You only need 1 IP per site, unless you want to publish apps to the web - like a web server - and even then you could do that with PAT.  What you're talking about is called Branch Office Connections - are you going to require everyone through the tunnel or will you allow "split tunnelling" where users can go internet out normally, but back to the HQ would go through the tunnel?

I would recommend using 3DES or AES encryption.  I haven't used PIX's for VPNs, but I manage our VPN here on Nortel Contivities and we have 2 Branch Office Connections (BOC) up.

HTH
0
 
LVL 2

Expert Comment

by:rmharwood
ID: 11784355
Hi,

Here are some initial comments, I hope they help.

I'm assuming that you're using private addressing behind your firewall. Each of your private networks will need to have different addresses so that you can route from one to another over the VPN tunnel. Also, the firewall is told which traffic to encrypt and tunnel based upon source and destination networks.

I believe that the IP addresses of the external interfaces of the firewalls are used for the tunnels themselves.

Let me know if you need any further information.
0
 

Author Comment

by:rick_me27
ID: 11784397
I would like to allow everyone (5-7 users) for each remote office to have access to browse web and Corp network at the same time. So basically all I need is one static address for the remote site and I'll configure DHCP with a private range behind the 501 and I can configure the tunnel at the Corp office to use the external IP of the Pix for the source VPN address? Then I can allow the private range from the 501 back to Corp via ACL, correct?
0

 
LVL 2

Expert Comment

by:rmharwood
ID: 11784525
Yes, that sounds about right.

If you want to access the Internet at your remote offices as well, you may need a second address to act as your PAT address. Not sure if you can use the PIX's external interface address as the PAT address?
0
 
LVL 36

Assisted Solution

by:grblades
grblades earned 50 total points
ID: 11785906
Yes you can use the PIX's external IP address as the PAT address using this command :-
global (outside) 1 interface

Here are a few useful links on configuring the PIX.
PIX configuration examples - http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
PIX configuration basics - http://www.netcraftsmen.net/welcher/papers/pix01.html
PIX ssh configuration - http://www.tech-recipes.com/modules.php?name=Recipes&rx_id=215
My Pages:-
PIX as multi user VPN server - http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
PIX as a home DSL firewall - http://www.gbnetwork.co.uk/networking/ciscopixhomedsl.html
0
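
The pieces discussed in this thread (one public IP per site, distinct private subnets, an ACL that selects the traffic to tunnel, PAT on the outside interface for split tunnelling, 3DES) fit together roughly as follows on a branch 501. This is an added PIX 6.x-style example, not configuration from any poster or from Cisco. All addresses (documentation ranges 198.51.100.20 and 203.0.113.10, subnets 192.168.1.0/24 for Corp and 192.168.2.0/24 for the branch), the names `nonat`, `vpn_corp`, `CORPSET`, `CORPMAP` and the key placeholder are assumptions, and the `!---` lines are annotations rather than commands.

```cisco
!--- Branch PIX 501: one static public IP outside, private range inside
ip address outside 198.51.100.20 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0

!--- DHCP for the 5-7 branch users on the private range
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside

!--- Traffic to encrypt: branch subnet to Corp subnet (must not overlap)
access-list vpn_corp permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Same selection, used to exempt tunnel traffic from address translation
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

!--- Split tunnelling: Corp-bound traffic skips NAT, everything else is
!--- PATed to the outside interface address
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

!--- Let decrypted tunnel traffic bypass the outside interface ACL
sysopt connection permit-ipsec

!--- IKE phase 1 towards the Corp 515E outside address
isakmp enable outside
isakmp identity address
isakmp key REPLACE_WITH_LONG_RANDOM_KEY address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- IPsec phase 2 and binding to the outside interface
crypto ipsec transform-set CORPSET esp-3des esp-sha-hmac
crypto map CORPMAP 10 ipsec-isakmp
crypto map CORPMAP 10 match address vpn_corp
crypto map CORPMAP 10 set peer 203.0.113.10
crypto map CORPMAP 10 set transform-set CORPSET
crypto map CORPMAP interface outside
```

The 515E needs the mirror image of this: the same ISAKMP policy, key and transform set, the branch address as peer, and ACLs with source and destination networks swapped. Use a different pre-shared key for each branch so that one compromised 501 does not expose the other tunnels.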
 

Author Comment

by:rick_me27
ID: 11787228
Thanks for the info. I think I can handle it without any problems. I'll set one up to my house as a test and see how it works out.
0
