• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 460
  • Last Modified:

Encapsulating multicast traffic over an IPSEC tunnel in a specific topology

Hello.  First time posting here.

Below is the topology of the relevant portion of my network:

PIX 506 --> Cisco 1721 --> Internet --> Cisco 1721 --> PIX 515

I'm trying to set up a VPN.  I've succefully established a VPN tunnel and can communicate in both directions.  However, I have a problem.  I need to pass multicast traffic through this tunnel and this is not possible via a PIX-to-PIX tunnel.  To allow this, I've been told I first need to encapsulate traffic with GRE (a function normally performed by routers).  The problem I have is in my topology:  my 1721 routers lay beyond my PIX firewalls, preventing me the ability to encaspulate the multicast traffic BEFORE it hits the PIX.  I've spoken briefly with two Cisco engineers.  One said it was impossible without a topology change and the other said he thought it was possible, but he couldn't offer advice beyond that.

Does anyone have advice on this?

Thanks!!!

0
meade470
Asked:
meade470
  • 4
  • 3
1 Solution
 
lrmooreCommented:
I know you don't want to hear it, but you may have to add another router on the inside of each pix and create GRE tunnels "through" the pixs.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800943fe.shtml

0
 
meade470Author Commented:
Thanks, lrmoore.  It seems you are correct, as two TAC engineers have confirmed the same.  Thanks for your input.

I have a question.  What would be the "protocol" on allocating points in this situation?  Do I give lrmoore full/partial?

Thanks!!!
0
 
lrmooreCommented:
Follow your gut on the disposition of this question. We can't just abandon it, and I did provide good information.
Perhaps accept with a "B" grade?
In case you don't know about the affects of the grades, we get Expert points awarded as multiples of the point value, based on grade. An A gets 4x point value, B is 3x, C is 2x point value. Most experts really frown on C as a failing grade. If I can provide more information for you to get that "A", I certainly will..

0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
meade470Author Commented:
Thanks, lrmoore!  I will award you the "A", but I do have another related question, if you don't mind.  :)

Why use perimeter routers in the first place?  What purpose do they serve in my particular environment?  Wouldn't it be possilble to surround the perimeter with PIXs?  (I've seen this config in samples.)  My perimeter routers have extremely basic configs; all they really do is specify an IP on an ethernet port, a Frame/DLCI config on a serial port, and point the way to the internet via a static route.   Does the Frame/DLCI config require a router?  Can it not be set on a PIX?  Or does it have something to do with the limited number of physical port on the PIX?  (I have a 515, btw.)

Thanks a bunch for your help, and high praise for your CCIE pass!  I'm a lowly CCNA :)

   
0
 
lrmooreCommented:
You've answered your own question, you just don't realize it.
Perimeter routers serve two purposes 1) LAN/WAN gateway - frame-relay to Ethernet routing between different physical media type.  2) can act as a screening access router to filter out specific traffic before it ever hits the firewall. Less work for the firewall, better performance. Also part of any good "defense in depth" strategy...

>Does the Frame/DLCI config require a router?  Can it not be set on a PIX?
No, the PIX, nor most any other firewall, has any capacity to connect directly to WAN interface types.
Yes, you need a router just for that function. Unless your WAN terminates at your premises with an Ethernet handoff, you need the router. DSL/cable modems are two that are usually provided by the ISP and hand you and ethernet feed. In this case you don't need the extra layer of a router.
Almost any other media type - T1, T3, OC-3, high-speed serial, etc. will require a router.

HTH!   CCNP can't be too far ahead for you, right?
0
 
meade470Author Commented:
Cool!  Thanks a ton.  I really appreciate your time and valuable insight.  

Just minutes ago I discovered a workaround for this mulitcasting problem:  We can set up our mainframe application that requires multicast (user authentication only) to go to "directed host."  Better, more secure, and capable of VPN in current network top.

CCNP training will begin in late 2005.  In school I'm studying Microsoft, Checkpoint, and general network security.  (Our IT staff requires the wearing of many hats.)

See you around ;)
0
 
lrmooreCommented:
Best of luck to you!

0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now