Encapsulating multicast traffic over an IPSEC tunnel in a specific topology

Posted on 2004-10-04
Last Modified: 2013-11-16
Hello.  First time posting here.

Below is the topology of the relevant portion of my network:

PIX 506 --> Cisco 1721 --> Internet --> Cisco 1721 --> PIX 515

I'm trying to set up a VPN.  I've successfully established a VPN tunnel and can communicate in both directions.  However, I have a problem.  I need to pass multicast traffic through this tunnel and this is not possible via a PIX-to-PIX tunnel.  To allow this, I've been told I first need to encapsulate traffic with GRE (a function normally performed by routers).  The problem I have is in my topology:  my 1721 routers lie beyond my PIX firewalls, which prevents me from encapsulating the multicast traffic BEFORE it hits the PIX.  I've spoken briefly with two Cisco engineers.  One said it was impossible without a topology change and the other said he thought it was possible, but he couldn't offer advice beyond that.

Does anyone have advice on this?

Thanks!!!

Question by:meade470
LVL 79

Expert Comment

by:lrmoore
ID: 12217891
I know you don't want to hear it, but you may have to add another router on the inside of each pix and create GRE tunnels "through" the pixs.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800943fe.shtml

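What the layout lrmoore describes looks like in configuration, as an added illustration that is not from this thread or from Cisco's linked example: a new router on each PIX's inside LAN terminates a GRE tunnel, PIM runs on that tunnel so multicast leaves the LAN as unicast GRE (IP protocol 47) between the two inside routers, and the PIX's NAT-exemption and crypto access-lists match that GRE flow so it rides the PIX-to-PIX IPsec tunnel that already works. Every address, interface and access-list name below is an assumption: site A LAN 10.1.1.0/24 with the PIX inside interface at 10.1.1.1 and the new router at 10.1.1.2, site B mirroring it on 10.2.2.0/24, and an existing PIX crypto map called outside_map.

```cisco
! ---- Site A inside router (new router on the PIX 515 inside LAN; hypothetical addresses) ----
! Site B is the mirror image with 10.2.2.1 (PIX inside), 10.2.2.2 (router) and 10.255.0.2 (tunnel).
ip multicast-routing
!
interface FastEthernet0
 ip address 10.1.1.2 255.255.255.0
 ip pim sparse-dense-mode
!
interface Tunnel0
 description GRE to site B inside router; carried inside the PIX-to-PIX IPsec tunnel
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip pim sparse-dense-mode
 tunnel source 10.1.1.2
 tunnel destination 10.2.2.2
!
! GRE packets for 10.2.2.2 go to the PIX like any other unicast; the PIX encrypts them
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! RPF: the way back to multicast sources on the site B LAN is the tunnel. Without this the
! router expects those sources on FastEthernet0 (the unicast route) and drops their packets.
ip mroute 10.2.2.0 255.255.255.0 Tunnel0

! ---- Site A PIX 515 (PIX 6.x syntax) - only the lines added to the existing tunnel config ----
! The LAN-to-LAN "ip" entries (assumed to exist already) also match the GRE flow; the explicit
! "gre" entries make the requirement visible and keep working if the ACLs are ever narrowed to tcp/udp.
access-list nonat permit gre host 10.1.1.2 host 10.2.2.2
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn permit gre host 10.1.1.2 host 10.2.2.2
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map outside_map 10 match address vpn
```

With no RP configured, sparse-dense mode floods groups in dense mode, which is enough for two routers joined by one tunnel. Verify with show ip pim neighbor and show ip mroute on the inside routers (the neighbor should appear on Tunnel0) and show crypto ipsec sa on the PIX, where the GRE flow shows up as encrypted packets on the host-to-host SA. The hosts keep the PIX as their default gateway; ordinary unicast still takes the PIX-to-PIX tunnel directly, only multicast takes the GRE path.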
LVL 2

Author Comment

by:meade470
ID: 12236911
Thanks, lrmoore.  It seems you are correct, as two TAC engineers have confirmed the same.  Thanks for your input.

I have a question.  What would be the "protocol" on allocating points in this situation?  Do I give lrmoore full/partial?

Thanks!!!
LVL 79

Expert Comment

by:lrmoore
ID: 12237504
Follow your gut on the disposition of this question. We can't just abandon it, and I did provide good information.
Perhaps accept with a "B" grade?
In case you don't know about the effects of the grades, we get Expert points awarded as multiples of the point value, based on grade. An A gets 4x point value, B is 3x, C is 2x point value. Most experts really frown on C as a failing grade. If I can provide more information for you to get that "A", I certainly will.

LVL 2

Author Comment

by:meade470
ID: 12237890
Thanks, lrmoore!  I will award you the "A", but I do have another related question, if you don't mind.  :)

Why use perimeter routers in the first place?  What purpose do they serve in my particular environment?  Wouldn't it be possible to surround the perimeter with PIXs?  (I've seen this config in samples.)  My perimeter routers have extremely basic configs; all they really do is specify an IP on an Ethernet port, a Frame/DLCI config on a serial port, and point the way to the Internet via a static route.   Does the Frame/DLCI config require a router?  Can it not be set on a PIX?  Or does it have something to do with the limited number of physical ports on the PIX?  (I have a 515, btw.)

Thanks a bunch for your help, and high praise for your CCIE pass!  I'm a lowly CCNA :)

   
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12238290
You've answered your own question, you just don't realize it.
Perimeter routers serve two purposes: 1) LAN/WAN gateway - frame-relay to Ethernet routing between different physical media types.  2) They can act as a screening access router to filter out specific traffic before it ever hits the firewall. Less work for the firewall, better performance. Also part of any good "defense in depth" strategy...

>Does the Frame/DLCI config require a router?  Can it not be set on a PIX?
No; neither the PIX nor most any other firewall has any capacity to connect directly to WAN interface types.
Yes, you need a router just for that function. Unless your WAN terminates at your premises with an Ethernet handoff, you need the router. DSL/cable modems are two that are usually provided by the ISP and hand you an Ethernet feed. In this case you don't need the extra layer of a router.
Almost any other media type - T1, T3, OC-3, high-speed serial, etc. - will require a router.

HTH!   CCNP can't be too far ahead for you, right?
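Both jobs the accepted answer gives the perimeter router, terminating the Frame Relay handoff and screening traffic before the firewall, in one 1721 fragment. This is an added example, not a configuration from this thread, and all of it is assumed: DLCI 100 on Serial0, an ISP link on 192.0.2.0/30 (router .1, provider .2), the site's public block 203.0.113.0/24 with the PIX 515 outside interface at 203.0.113.2, and the remote site's PIX outside address 198.51.100.2. Note that GRE never appears in the screening list: by the time the multicast traffic from the earlier discussion reaches this router it is already inside ESP.

```cisco
! ---- Site A perimeter Cisco 1721 (hypothetical addresses) ----
interface Serial0
 no ip address
 encapsulation frame-relay IETF
!
interface Serial0.1 point-to-point
 description Frame Relay PVC to the ISP; DLCI assumed
 ip address 192.0.2.1 255.255.255.252
 frame-relay interface-dlci 100
 ip access-group EDGE-IN in
!
interface FastEthernet0
 description Ethernet to the PIX 515 outside interface (203.0.113.2)
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
 no ip directed-broadcast
!
ip route 0.0.0.0 0.0.0.0 192.0.2.2
!
ip access-list extended EDGE-IN
 remark --- anti-spoofing: these sources never legitimately arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.3 any
 remark --- the PIX-to-PIX tunnel: ISAKMP (udp/500) and ESP only from the known peer
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
 deny   udp any any eq isakmp
 deny   esp any any
 remark --- everything else for our public block goes on to the PIX, which holds the real policy
 permit ip any 203.0.113.0 0.0.0.255
 deny   ip any any log
```

The router filters statelessly and cheaply: obviously forged sources and IPsec from unknown peers are dropped before the PIX spends cycles on them, while the PIX remains the stateful policy point for everything that is allowed through. On a box as small as a 1721, logging every drop can itself load the CPU during a flood; keep the log keyword on the final deny only while you are watching, or drop it in production.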
LVL 2

Author Comment

by:meade470
ID: 12239097
Cool!  Thanks a ton.  I really appreciate your time and valuable insight.  

Just minutes ago I discovered a workaround for this multicasting problem:  We can set up our mainframe application that requires multicast (user authentication only) to go to "directed host."  Better, more secure, and capable of VPN in current network top.

CCNP training will begin in late 2005.  In school I'm studying Microsoft, Checkpoint, and general network security.  (Our IT staff requires the wearing of many hats.)

See you around ;)
LVL 79

Expert Comment

by:lrmoore
ID: 12239135
Best of luck to you!
