Pix 515 with two ADSL Routers

Posted on 2005-05-13
Medium Priority
Last Modified: 2013-11-16
I have a VPN working perfectly with a central office PIX 515, and five remote offices PIX 501. I also have several Cisco VPN Software Mobile Clients. There is one ADSL router in each office.

Now, i want to add another ADSL Router in the Central office in order to separate VPN traffic and Internet traffic from the central office. So , what i need is all the VPN traffic through Router A, and the rest through Router B.

I was thinking of setting in the PIX 515 static routes to the 5 remote offices private ip range through one of the routers (Router A),  and the default gateway through Router B.

Will this be enough? Do i need static routes to the public IP's of every remote offices?

What about the Mobile Clients? Will it work if i add static routes to the IP pools assigned to them? Anything else needed?

I forgot to mention that if I have this VPN working just fine, it is 75% thanks to Experts Exchange (ok, 25% thanks to me :).

Question by:llandajuela

Expert Comment

ID: 13995059

Sounds like a good plan. Check out this link. http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080089909.html#wp10289

You need static routes to the subnets behind the 501's; the routers will know which public IP address to send the packets to in order to get to the appropriate LAN. Make sense? Mobile clients?
I don't see the relevance of that question. They plug in wherever, get an IP, and the routers and firewalls do their thing. Nothing else to do there.


LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 14002324
> Do i need static routes to the public IP's of every remote offices?
Yes, you need static routes for both the remote lan and for the public IP of each and every office to point to router A

 route outside <LAN subnet remote1> <netmask remote1> <ip router A>
 route outside <public ip of remote1> 255.255.255.255 <ip router A>
 route outside <public ip of remote2> 255.255.255.255 <ip router A>
 route outside <LAN subnet remote2> <netmask remote2> <ip router A>
 route outside 0.0.0.0 0.0.0.0 <ip router B>

>What about the Mobile Clients? Will it work if i add static routes to the IP pools assigned to them? Anything else needed?
Ah, this is the challenge. Unless you know the home public IP address and create a static route entry for each remote user, they will continue to use the current Router B because that's the default.

Big question - are you getting both router A and router B public IP's in the same subnet? You can only assign a single public IP to the PIX outside interface, so all three will have to be in the same IP subnet.

If you wait long enough, the new PIX 7.0 lets you create GRE tunnels to the remotes and then you can use dynamic routing within the GRE tunnels. It's available for the 515 today, but not for the little 506 or 501's.. 7.1 "lite" is just around the corner...
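
As an added illustration (this script is not part of the thread, and every address in it is made up from RFC 1918 / RFC 5737 ranges), the following Python builds the outside routing table lrmoore describes, prints it in PIX 6.x `route <if> <network> <mask> <gateway>` form, and performs the longest-prefix lookup the PIX does when it picks a next hop. It shows why a remote office LAN and a remote office's public IP both leave via router A, while a mobile client connecting from an unknown address falls through to the default via router B: the IPsec packets to that client are addressed to its public IP, not to the address it drew from the VPN pool, so a route for the pool alone would not move that traffic.

```python
import ipaddress

# Constructed addresses for this example only; not the poster's real addresses.
ROUTER_A = "192.168.100.1"   # inside address of ADSL router A: the VPN path
ROUTER_B = "192.168.100.2"   # inside address of ADSL router B: Internet default

# One entry per remote office: (LAN behind its PIX 501, public IP of its ADSL router).
REMOTE_OFFICES = [
    ("10.1.0.0/24", "198.51.100.10"),
    ("10.2.0.0/24", "198.51.100.20"),
    ("10.3.0.0/24", "203.0.113.30"),
    ("10.4.0.0/24", "203.0.113.40"),
    ("10.5.0.0/24", "203.0.113.50"),
]


def build_routes(remote_offices, router_a, router_b):
    """Build the outside routing table the accepted answer describes:
    each remote LAN and each remote public IP via router A, default via B."""
    routes = []
    for lan, peer_ip in remote_offices:
        routes.append((ipaddress.ip_network(lan), router_a))
        routes.append((ipaddress.ip_network(peer_ip + "/32"), router_a))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), router_b))
    return routes


def pix_route_lines(routes):
    """Render the table as PIX 6.x 'route outside <net> <mask> <gateway>' lines."""
    return [f"route outside {net.network_address} {net.netmask} {gw}"
            for net, gw in routes]


def next_hop(routes, destination):
    """Longest-prefix match, the way a router picks a route: a /32 for a peer
    beats 0.0.0.0/0, and the default only catches what nothing else matches."""
    addr = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for net, gw in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def path_for(routes, destination, router_a, router_b):
    """Label the ADSL router a given destination would exit through."""
    gw = next_hop(routes, destination)
    if gw == router_a:
        return "router A"
    if gw == router_b:
        return "router B"
    return "none"


ROUTES = build_routes(REMOTE_OFFICES, ROUTER_A, ROUTER_B)

if __name__ == "__main__":
    for line in pix_route_lines(ROUTES):
        print(line)
    # A host on remote office 2's LAN: covered by the /24 route via router A.
    print("10.2.0.55     ->", path_for(ROUTES, "10.2.0.55", ROUTER_A, ROUTER_B))
    # The ESP/IKE packets to remote office 3's ADSL router: /32 via router A.
    print("203.0.113.30  ->", path_for(ROUTES, "203.0.113.30", ROUTER_A, ROUTER_B))
    # Ordinary Internet traffic: only the default matches, so router B.
    print("192.0.2.200   ->", path_for(ROUTES, "192.0.2.200", ROUTER_A, ROUTER_B))
    # A mobile client dialing in from an address nobody pre-listed: the tunnel
    # packets go to that public IP, which only the default covers, so router B.
    print("192.0.2.77    ->", path_for(ROUTES, "192.0.2.77", ROUTER_A, ROUTER_B))
```

Run it as-is to see the eleven `route outside` lines followed by the four lookups; change `REMOTE_OFFICES` to your own subnets and peer addresses to generate the statements for your PIX. The only way a mobile client could be steered through router A with static routes is a /32 for its current public IP, which is exactly the per-user entry the answer above calls impractical.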


Expert Comment

ID: 14016086
A network map would help. I'm wondering what offices have servers, and how the connections at the central office to the Internet are.

> 7.1 "lite" is just around the corner...
Good to know - thanks.


Author Comment

ID: 14016383
Thank you guys for your answers !

Let's see, to lrmoore: as usual your answers are very useful. I'm afraid I will not be able to have a list of the public IPs used by the mobile clients; they move around a lot. It's OK, their traffic is not that important; I'll be happy if I can separate at least the remote offices' traffic.

About the public IPs of Router A and B, no, they're not in the same subnet. But both routers are performing NAT (well, what Cisco calls PAT). So the private IPs of Routers A and B and the outside interface of the PIX are on the same subnet (private range).

To matthew

No servers are in the remote offices, just two servers in the central one.

Remote office 1       Remote Office 2    .....

Internal LAN             ....
  PIX 501
  Router ADSL
  |            |
  |               |
  |                   |
  |                       |
  Router A      Router B
        |               |
        |               |
           PIX 515
           Internal LAN

       Central Office


Expert Comment

ID: 14021506
Ok.  Just

 route outside 0.0.0.0 0.0.0.0 <ip router B>

should do the trick; the VPN config should take care of continuing to route everything else through router A.

Proviso: are any servers at the central office accessed OTHER than over the VPN? I'm assuming not.
