Solved

Is VPN possible in this Setup

Posted on 2006-05-11
Last Modified: 2010-04-12
We currently have 2 Cisco 1721 routers at the head of our small network.  One owned by our ISP that we cannot touch and one which is ours.  We are looking to add VPN capabilities to our network in the simplest and cheapest manner possible.  Our goal is to have 1 or 2 site tunnels and Cisco VPN Client access.

We are considering the purchase of 2 Pix 501's to deploy the first tunnel with VPN Client access.

My preliminary questions are as follows:

1.  Is there a way to just add the Pix 501 to our company network to provide just the VPN services?  I ask for a twofold reason.  One, the existing 1721 has an incredibly long access list on it that I'd like to avoid having to replicate.  Secondly, we'd like to be able to use a simple Pix 501 rather than having to go up to the more expensive Pix 506 (2 Pix 501 < Pix 506).

2. If it's not possible, what is the best route to take?

The initial question design I have in my head is somehow getting something like this to work:

                  ISP 1721
                     |
            -------------------
            |                 |
        Our 1721           Pix 501
            |                 |
            -------------------
                     |
                Our Network

Any help would be appreciated as well as links to any configuration examples.

Question by:djcapone
LVL 9

Expert Comment

by:jabiii
ID: 16661127
That could work, yes.

But I would look at a Juniper NetScreen. You could put it in transparent mode (L2) and put it in front of or behind your 1721 without changing any IPs, just assigning one to the NetScreen. And they are competitively priced with the 501's and with better stock performance.

Something like:
ISP <> 1721 <> Netscreen <> network

Or you can do L3 or L2 like your solution above.

Jim
LVL 6

Author Comment

by:djcapone
ID: 16661223
I'd prefer to stay all Cisco because one of the remote sites already has a Pix 501 in place.

How would the routing on the Pix 501 work if run in parallel?

Would the route command point inside or outside to the ISP router?
LVL 9

Expert Comment

by:jabiii
ID: 16661312
Well, in your drawing above, the distant end and client connections would be made to the pix IP, not the router/network IP. Therefore no routing changes would be needed externally,
only internally.

Your network would have to have a route pointing to the pix to get to site A's network, and the pix will handle the VPN traffic, which the other end also knows to send to their VPN, which will in turn send it to the pix on your end.
ex:
site a network <> pix <> internet <> a) router <> your internal router <> network
                                     <> b) pix <> your internal router <> network
LVL 6

Author Comment

by:djcapone
ID: 16662029
Wouldn't that cause all the access lists on the router to be bypassed thereby making the 1721 useless?
LVL 9

Expert Comment

by:jabiii
ID: 16662167
Well, yes.

Hmm. I don't know if the pix will support layer 2 mode. Or maybe you could set it up 1721 <> pix <> network, but then your 1721 would still be bypassed.
If you want your ACLs to still affect all traffic, you would have to put the pix (VPN) outside the 1721 so it can be decrypted before it hits the 1721.
LVL 6

Author Comment

by:djcapone
ID: 16662276
This was the problem I was having in coming up with the proper design.

If I put the pix outside of the 1721, how do I set up the interfaces to basically do the opposite of what they were designed to do and pass all traffic to the router?

Also, taking off from your thinking, I don't need the ACLs applied to the VPN traffic, as it is going to be assumed that that is trusted traffic.  So I think a 1721 <> pix <> network may work; I'm thinking about that now.

Another reason I was hoping to find a way to keep the router in the "loop" was that I do not believe that the Pix supports loopbacks.  There is 1 system that is inside the network that is protected by the ACLs on the routers that is accessed from both the outside and inside.  With the router in place, the use of the public IP inside still resolves correctly; however, I think that will change if the Pix moves into the router's place as the gateway.

If I need to setup a DNS server inside the network to resolve that issue I will, but that is another one of the reasons I asked if there was another way.
LVL 9

Assisted Solution

by:jabiii
jabiii earned 1000 total points
ID: 16662336
Well, you could set it up like this:
ISP <> 1721 <> private nonroutable <> pix <> trusted network.
Of course you can switch the router/pix too.

Like: isp 1.1.1.1 <> 1.1.1.2 router (or pix) 10.0.0.1 <> pix (or router) 10.0.0.2 / trusted ip <> trusted network
LVL 6

Author Comment

by:djcapone
ID: 16662386
I think a problem that exists in the 1721 <> pix <> network idea is the routing of the public IP to the internal server, as the Pix is going to introduce another gateway.

I'm now wondering if there is some way to get this accomplished with a setup like:
1721 <> switch <> public server
              <> pix <> network

Where the switch is an unmanaged switch just to keep the IP addressing correct and still have it behind the 1721.

If the setup is done like that, or even in the 1721 <> pix <> network case, would the Pix need to have a publicly addressable IP, or could something be forwarded to the pix in the router config to bypass that need?
LVL 6

Author Comment

by:djcapone
ID: 16662413
Was typing a response before your post, but when you refer to private non-routable, do you mean like I have it mentioned above where a switch is introduced in between to branch off the public server?
LVL 20

Accepted Solution

by:calvinetter
calvinetter earned 1000 total points
ID: 16664766
Referring to your original diagram, having the PIX & 1721 side-by-side wouldn't really work.  A PIX is great, but it's not a router. And for the inside hosts to be reachable via VPN, their default gateway would need to be the PIX.
The easiest thing would be to set up a VPN directly on the 1721, but I realize you don't want the headache of having to deal with long ACLs.  So, your best bet would be thus:     Internet <-> 1721 <-> PIX <-> LAN

- default gateway for all hosts is simply the PIX
- get a small subnet of public IPs from your ISP, set public IPs on: inside of 1721, outside of PIX
- allow *all* traffic thru the 1721 to your PIX's outside IP
- PIX could be both a client VPN endpoint, or could establish a site-to-site VPN with 1 or more remote sites (whether the remote device is another PIX or router)
- you definitely would want a public IP on the PIX outside interface, especially if using it for a VPN endpoint - doing "double NAT" creates an unnecessary nightmare, especially for setting up a VPN

>I think a problem exists in the 1721 <> pix <>network idea is the routing of the public ip to the internal server as the Pix is going to introduce another gateway.
There's only 1 gateway in your layout quoted above: PIX is the default gateway for the internal LAN(s). This'll work just fine.  For example:
- WAN interface of router: 4.1.1.2
- LAN interface of router:  77.2.2.1 255.255.255.248
- WAN interface of PIX: 77.2.2.2 255.255.255.248
- Remainder of usable public IPs between PIX & router: 77.2.2.3 to 77.2.2.6
- 1721 simply allows all traffic thru it for 77.2.2.x subnet, since the PIX will filter traffic for you
- Here you can have at least 4 public IPs for use by servers
- PIX will handle security & NAT for your internal LAN
- PIX can still be your VPN device as described above

However, it's better to have public servers on a separate DMZ network & not on your internal LAN - that way, if/when they're compromised, they won't have full access to your sensitive internal LAN.  A "poor man's DMZ" could be set up with an IP scheme such as directly above (77.2.2.x between PIX & 1721), with a switch between, & your public servers would have a public IP directly assigned to their NICs.  But, of course in this case, you'd need to be sure your 1721 is properly firewalling your DMZ servers from external attacks. And once again, the PIX can easily be a VPN endpoint.
   Internet <-> 1721 <-> "DMZ switch" <-> PIX <-> LAN
                             |
                       public server A: 77.2.2.3
                       public server B: 77.2.2.4, etc.
cheers
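As an added illustration (not code from any of the posters), the addressing plan in calvinetter's accepted answer and the private-transit variant jabiii sketched earlier (router 10.0.0.1 <> pix 10.0.0.2), checked with Python's standard ipaddress module. The 77.2.2.x /29 and 10.0.0.x values come from the posts; the internal LAN range 192.168.1.0/24, the /30 mask on the private transit link, and the dictionary layout are assumptions made for the example. The check confirms that both ends of the router-to-PIX link sit in one subnet, that no address is a network/broadcast address or duplicated, that the inside LAN does not overlap the transit subnet, and it flags a private transit subnet as the double-NAT situation the answer warns about.

```python
"""Sanity-check an Internet <-> 1721 <-> PIX <-> LAN addressing plan.

Constructed example: the subnets and host names below are illustrative
values taken from or assumed for the discussion, not a real deployment.
"""
from ipaddress import IPv4Interface, ip_address, ip_network

# Plan from the accepted answer. The inside LAN range is an assumption.
PLAN = {
    "router_lan": "77.2.2.1/29",      # inside interface of the 1721
    "pix_outside": "77.2.2.2/29",     # outside interface of the PIX
    "dmz_hosts": {"server A": "77.2.2.3", "server B": "77.2.2.4"},
    "inside_lan": "192.168.1.0/24",   # LAN behind the PIX (assumed)
}

# jabiii's variant: private, non-routable transit between router and PIX.
# The /30 mask is assumed; the post only gives the two addresses.
PRIVATE_TRANSIT_PLAN = dict(PLAN, router_lan="10.0.0.1/30",
                            pix_outside="10.0.0.2/30", dmz_hosts={})


def check_plan(plan):
    """Return (findings, free_ips).

    findings: list of problem strings (empty means the plan is consistent
    with the design advice); free_ips: unused host addresses on the
    router-to-PIX transit subnet, available for more DMZ servers.
    """
    findings = []
    router_lan = IPv4Interface(plan["router_lan"])
    pix_out = IPv4Interface(plan["pix_outside"])
    transit = router_lan.network

    # Both ends of the transit link must share one subnet.
    if pix_out.network != transit:
        findings.append(f"PIX outside {pix_out} is not in transit subnet {transit}")

    # RFC 1918 transit means the PIX NATs behind the router's NAT ("double NAT"),
    # which the accepted answer advises against for a VPN endpoint.
    if transit.is_private:
        findings.append(f"transit subnet {transit} is private: double NAT for the VPN endpoint")

    # Every address on the transit link must be a usable host and unique.
    assigned = {"router LAN": router_lan.ip, "PIX outside": pix_out.ip}
    for name, addr in plan["dmz_hosts"].items():
        assigned[name] = ip_address(addr)

    seen = {}
    for name, addr in assigned.items():
        if addr not in transit:
            findings.append(f"{name} {addr} is outside transit subnet {transit}")
        elif addr in (transit.network_address, transit.broadcast_address):
            findings.append(f"{name} {addr} is the network or broadcast address")
        if addr in seen:
            findings.append(f"{name} and {seen[addr]} both use {addr}")
        seen[addr] = name

    # The PIX routes between inside and outside, so the ranges must not overlap.
    inside = ip_network(plan["inside_lan"])
    if inside.overlaps(transit):
        findings.append(f"inside LAN {inside} overlaps transit subnet {transit}")

    free_ips = [str(h) for h in transit.hosts() if h not in seen]
    return findings, free_ips


if __name__ == "__main__":
    for label, plan in (("public /29", PLAN), ("private transit", PRIVATE_TRANSIT_PLAN)):
        problems, free = check_plan(plan)
        print(f"{label}: {problems or 'OK'}; free transit IPs: {free}")
```

With the accepted answer's plan the check reports no findings and two free addresses (77.2.2.5 and 77.2.2.6), matching the "remainder of usable public IPs" once servers A and B are placed; the private-transit plan reports only the double-NAT finding.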
LVL 6

Author Comment

by:djcapone
ID: 16668166
Calvinetter,

The solution you describe is exactly what I figured that I'd be forced into doing; I was hoping to be able to avoid having to redo all the ACLs on the Pix.  If no further information is contributed on how to avoid redoing the access lists, I will split the points between calvin and jabiii.