Encapsulating multicast traffic over an IPSEC tunnel in a specific topology

Posted on 2004-10-04
Last Modified: 2013-11-16
Hello.  First time posting here.

Below is the topology of the relevant portion of my network:

PIX 506 --> Cisco 1721 --> Internet --> Cisco 1721 --> PIX 515

I'm trying to set up a VPN.  I've successfully established a VPN tunnel and can communicate in both directions.  However, I have a problem.  I need to pass multicast traffic through this tunnel and this is not possible via a PIX-to-PIX tunnel.  To allow this, I've been told I first need to encapsulate traffic with GRE (a function normally performed by routers).  The problem I have is in my topology:  my 1721 routers lie beyond my PIX firewalls, preventing me from encapsulating the multicast traffic BEFORE it hits the PIX.  I've spoken briefly with two Cisco engineers.  One said it was impossible without a topology change and the other said he thought it was possible, but he couldn't offer advice beyond that.

Does anyone have advice on this?

Thanks!!!

Question by:meade470
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12217891
I know you don't want to hear it, but you may have to add another router on the inside of each pix and create GRE tunnels "through" the pixs.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800943fe.shtml

0
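The layout suggested in the comment above, sketched as an added configuration example that is not part of the original thread or of the linked Cisco document: a new inner router at site A wraps multicast in unicast GRE, and the PIX encrypts only that GRE flow, so the unauthenticated GRE packets never cross the Internet outside IPsec. All addresses, interface names, and the ACL and crypto map names are assumptions.

```cisco
! Constructed example: every address and name below is an assumption.
! --- Site A inner router (new router behind the PIX 506) ---
ip multicast-routing
!
interface FastEthernet0
 description LAN with multicast sources and receivers
 ip address 192.168.10.1 255.255.255.0
 ip pim sparse-dense-mode
!
interface Ethernet0
 description Link to the PIX inside interface (10.1.1.1)
 ip address 10.1.1.2 255.255.255.252
!
interface Tunnel0
 description GRE to the site B inner router, carried inside the PIX-to-PIX IPsec tunnel
 ip address 172.16.0.1 255.255.255.252
 ip pim sparse-dense-mode
 ! Leave room for the GRE and IPsec headers to avoid fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet0
 tunnel destination 10.2.2.2
!
! Reach the far tunnel endpoint through the PIX, never through Tunnel0 itself
ip route 10.2.2.0 255.255.255.252 10.1.1.1
! Remote LAN goes via the tunnel; the PIM RPF check follows this unicast route
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! --- PIX at site A ---
! Interesting traffic is only GRE (IP protocol 47) between the two inner routers
access-list GRE-VPN permit gre host 10.1.1.2 host 10.2.2.2
! Do not translate the GRE endpoints
nat (inside) 0 access-list GRE-VPN
! Attach the ACL to the existing crypto map entry for the peer PIX
crypto map VPNMAP 10 match address GRE-VPN
```

Site B mirrors this with the addresses swapped; keeping the crypto ACL limited to GRE between the two router addresses means nothing else from the inside rides the tunnel unintentionally.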
 
LVL 2

Author Comment

by:meade470
ID: 12236911
Thanks, lrmoore.  It seems you are correct, as two TAC engineers have confirmed the same.  Thanks for your input.

I have a question.  What would be the "protocol" on allocating points in this situation?  Do I give lrmoore full/partial?

Thanks!!!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12237504
Follow your gut on the disposition of this question. We can't just abandon it, and I did provide good information.
Perhaps accept with a "B" grade?
In case you don't know about the effects of the grades, we get Expert points awarded as multiples of the point value, based on grade. An A gets 4x point value, B is 3x, C is 2x point value. Most experts really frown on C as a failing grade. If I can provide more information for you to get that "A", I certainly will.

0
 
LVL 2

Author Comment

by:meade470
ID: 12237890
Thanks, lrmoore!  I will award you the "A", but I do have another related question, if you don't mind.  :)

Why use perimeter routers in the first place?  What purpose do they serve in my particular environment?  Wouldn't it be possible to surround the perimeter with PIXs?  (I've seen this config in samples.)  My perimeter routers have extremely basic configs; all they really do is specify an IP on an ethernet port, a Frame/DLCI config on a serial port, and point the way to the internet via a static route.   Does the Frame/DLCI config require a router?  Can it not be set on a PIX?  Or does it have something to do with the limited number of physical ports on the PIX?  (I have a 515, btw.)

Thanks a bunch for your help, and high praise for your CCIE pass!  I'm a lowly CCNA :)

   
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12238290
You've answered your own question, you just don't realize it.
Perimeter routers serve two purposes 1) LAN/WAN gateway - frame-relay to Ethernet routing between different physical media type.  2) can act as a screening access router to filter out specific traffic before it ever hits the firewall. Less work for the firewall, better performance. Also part of any good "defense in depth" strategy...

>Does the Frame/DLCI config require a router?  Can it not be set on a PIX?
No, neither the PIX nor most any other firewall has any capacity to connect directly to WAN interface types.
Yes, you need a router just for that function. Unless your WAN terminates at your premises with an Ethernet handoff, you need the router. DSL/cable modems are two that are usually provided by the ISP and hand you an Ethernet feed. In this case you don't need the extra layer of a router.
Almost any other media type - T1, T3, OC-3, high-speed serial, etc. will require a router.

HTH!   CCNP can't be too far ahead for you, right?
0
 
LVL 2

Author Comment

by:meade470
ID: 12239097
Cool!  Thanks a ton.  I really appreciate your time and valuable insight.  

Just minutes ago I discovered a workaround for this multicasting problem:  We can set up our mainframe application that requires multicast (user authentication only) to go to "directed host."  Better, more secure, and capable of VPN in current network top.

CCNP training will begin in late 2005.  In school I'm studying Microsoft, Checkpoint, and general network security.  (Our IT staff requires the wearing of many hats.)

See you around ;)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12239135
Best of luck to you!

0
