danej256 asked:
Cisco 2620XM VPN capabilities through T1 keeping frame relay setup

We have a Cisco 2620XM router installed in our corporate office.  In this office we have a T1 for our internet that is going through the Cisco.  We also have a few remote sites that are connected via frame relay.  The frame relay works great but I'm looking for a cheaper solution.  We have a new office in the works and I want to put a cable modem in the office and somehow get some hardware that can VPN to my Cisco.  Can anyone provide me with what I need to accomplish this?  If there is a solution it will save me at least $300/month on internet service by going this route.  I will need to know what to purchase both for my corporate office to add on to my 2620 and for my remote office in order to hold the connection.  Thank you for your time!
Les Moore:
There are several options for you.
You could replace your frame-relay with MPLS offering from your provider. Much more flexible and very cost effective.
Alternatively, you could use low-end Cisco routers (800 series) and Multipoint VPN and drop your frame altogether. With DMVPN it doesn't matter what you have at remotes - DSL, cable, T1.
Alternatively, do you have a firewall? If yes, it should be capable of VPNs. If not, I would suggest getting a Cisco ASA5510 which can be a VPN endpoint and you can put very low-end Linksys routers at remote sites (like RV0x2 series or WRVxx series). This would give you yet another even lower-cost alternative (except for the investment in the ASA box) that you could use as backup comms to remote sites, or possibly even primary links to remote sites.
Also, you *could* update your 2620 with the IPSEC feature set and create site-site VPN tunnels directly on the router and not even have to buy the ASA.
If you worry about security at all, I'd go with the ASA.
If you need SLAs or guaranteed connectivity you need to look at MPLS instead of VPNs over the Internet.

danej256 (ASKER):

What do I need to purchase to allow my 2620 to have the IPSEC feature set?
You need the IP PLUS IPSEC 3DES feature set
If you have the firewall feature set now, you probably already have IPSEC.
Can you post result of "show ver" where the actual boot file name is
  c2600-is-mz.12xx.xxx.bin
          ^^ Whatever is in place of "is" will tell us what feature set you have
 IP Plus IPSEC = ik9s
 IP only = i
 IP Plus = is
 Etc....
Tabor_Main#show ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IO3-M), Version 12.2(24b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 23-Jul-04 21:35 by pwade
Image text-base: 0x8000808C, data-base: 0x80A6D160

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

Tabor_Main uptime is 1 week, 3 days, 23 hours, 29 minutes
System returned to ROM by power-on
System image file is "flash:c2600-io3-mz.122-24b.bin"

cisco 2620XM (MPC860P) processor (revision 0x100) with 28672K/4096K bytes of memory.
Processor board ID JAD07090BMB (1492618591)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x3922

Tabor_Main#
>flash:c2600-io3-mz.122-24b.bin

You have the firewall/IDS feature set, no IPSEC
You need c2600-ik9o3s-mz.122-34a.bin
This IOS image requires 48MB DRAM and you only have 32MB.
You need a DRAM upgrade plus the feature set license. Price these out with your Cisco reseller and you'll be able to buy a PIX firewall for the same price.
List price for IOS software = $1700  
List price for 32M memory upgrade = $950
List price for PIX506e firewall = $1395  <== this is what I would do.....
List price for ASA5510 appliance = $4495

I would take all the firewall responsibilities off the router and have the PIX do all the firewall and IPSEC VPN processing.
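The feature-set decoding above (the letters between the platform and `-mz` in the image name) and the later verdict on `c2600-io3-mz.122-24b.bin` can be automated. The following is an added example written for this page, not code from the thread or from Cisco. It pulls the boot image name out of `show version` output and classifies the feature-set letters using the classic IOS naming convention (i = IP, s = Plus, o = firewall, o3 = firewall + IDS, k8 = 56-bit DES, k9 = 3DES/AES); letters outside that table are reported as unknown rather than guessed. The `show version` excerpt inside it is a constructed copy of the poster's own line. Memory requirements are not encoded in the name, so the 48MB figure still has to come from the release notes.

```python
"""Classify a Cisco IOS image name by platform, feature set and version.

Added example for this page (not code from the thread or from Cisco).
Feature-set letters follow the classic IOS naming convention; tokens not
in FEATURE_TOKENS are reported as "unknown" rather than guessed.
"""
import re

# Two-character tokens must be tried before one-character ones so that
# "o3" is not split into "o"+"3" and "k9" is not read as a bare "k".
FEATURE_TOKENS = {
    "k9": "crypto: 3DES/AES (IPsec capable)",
    "k8": "crypto: 56-bit DES only",
    "o3": "firewall + intrusion detection",
    "o": "firewall",
    "s": "Plus",
    "i": "IP",
}

# c2600-io3-mz.122-24b.bin -> platform, feature letters, run format, version
IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)"
    r"\.(?P<version>\d{3}-[0-9a-z.]+)\.bin$"
)
SHOW_VER_RE = re.compile(r'System image file is "([^"]+)"')


def image_from_show_version(text: str) -> str:
    """Pull the boot image file name out of `show version` output."""
    m = SHOW_VER_RE.search(text)
    if not m:
        raise ValueError("no 'System image file is' line found")
    return m.group(1).rsplit(":", 1)[-1]  # drop the "flash:" prefix


def tokenize_features(letters: str) -> list:
    """Split e.g. 'ik9o3s' into ['i', 'k9', 'o3', 's']."""
    tokens, i = [], 0
    while i < len(letters):
        two = letters[i:i + 2]
        if len(two) == 2 and two in FEATURE_TOKENS:
            tokens.append(two)
            i += 2
        else:
            tokens.append(letters[i])
            i += 1
    return tokens


def ios_version(raw: str) -> str:
    """'122-24b' -> '12.2(24b)', matching the 'Version' line of show version."""
    m = re.match(r"^(\d{2})(\d)-(.+)$", raw)
    return f"{m.group(1)}.{m.group(2)}({m.group(3)})" if m else raw


def parse_image_name(name: str) -> dict:
    """Decode an IOS image file name; raises ValueError on an unexpected shape."""
    m = IMAGE_RE.match(name.strip().lower())
    if not m:
        raise ValueError(f"unrecognised IOS image name: {name}")
    tokens = tokenize_features(m.group("features"))
    return {
        "platform": m.group("platform"),
        "features": tokens,
        "feature_names": [FEATURE_TOKENS.get(t, f"unknown ({t})") for t in tokens],
        "version": ios_version(m.group("version")),
        "has_ipsec": any(t in ("k8", "k9") for t in tokens),
        "strong_crypto": "k9" in tokens,
    }


# Constructed excerpt mirroring the poster's own `show version` output.
SHOW_VER = '''
Tabor_Main uptime is 1 week, 3 days, 23 hours, 29 minutes
System returned to ROM by power-on
System image file is "flash:c2600-io3-mz.122-24b.bin"
'''

if __name__ == "__main__":
    current = parse_image_name(image_from_show_version(SHOW_VER))
    target = parse_image_name("c2600-ik9o3s-mz.122-34a.bin")
    for label, info in (("running", current), ("needed", target)):
        print(f"{label}: {info['platform']} {info['version']} "
              f"[{', '.join(info['feature_names'])}] "
              f"-> IPsec: {info['has_ipsec']}")
```

Run against the poster's `show version`, the running image comes back as IP + firewall/IDS with no crypto token, and the recommended `ik9o3s` image as IP + 3DES/AES + firewall/IDS + Plus; a `k8`-only image would be flagged as IPsec-capable but not strong crypto.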
So all I need to purchase is the PIX506e firewall and I can put it behind the Cisco 2620XM? Will my frame relay sites still be able to route correctly or do I need to do a lot of additional config?  Thank you so far for all the great help!
Yes, you can just put the PIX behind the 2620xm

Internet -t1-> 2620xm --> PIX506e--->Frame Router -t1->remote(s)
                                                               \
                                                             Remote(s)

The PIX comes with the encryption, comes with VPN client software, comes with everything you need. The PDM GUI has a neat VPN wizard that walks you through step-by-step for both site-site VPNs and client use.
Not a lot of additional configurations, but some probably on both the 2620xm and the frame-relay router (please don't tell me they're one and the same)
PIX VPN is fully compatible with low-end routers like the Linksys. I have a Linksys WRV54G with a site-site vpn to a PIX 506e and it has been rock-solid for a couple of years now.


OK, I am confused on the 2620XM and the frame router being different.  We have one connection coming into the Cisco 2620XM T1 WIC card and that's it; it controls the frame and everything (sorry to tell you they are one).  Does this screw me?  Or am I just confused on the lingo.. thanks!
You have a T1 for internet coming into this 2620xm router - OK
This is the one and only T1 connected to this router?

>We also have a few remote sites that are connected via frame relay.
You have multiple sites on frame-relay connections. Assuming that you have a separate T1 for the frame-relay sites, I would also assume that you have a 2nd router for this. If both T1's connect to the same router, then we definitely have other issues to consider. Back to upgrading the 2620 and no PIX.
Well, yes, this is the case, only one T1....  Back to plan B or C or E, I dunno...
Can you post your current router config? Only mask part of the public IP. If there's anything that shouldn't be posted, I can edit it.
I've never seen a single T1 support both Internet and remotes via frame-relay pvc's.
The DMVPN might still be an easy option, but you'll still need the IPSEC software for the 2620

Thanks for helping me with this. Wish I could give you more than 500 points; I may post a second question worth another 500 to help configure after I figure out what I need to purchase...

                        Cisco 2620XM 12.2(12C) c2600-Io3-M


User Access Verification

Password:
Tabor_Main>en
Password:
Tabor_Main#show run
Building configuration...

Current configuration : 5584 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Tabor_Main
!
logging buffered 4096 debugging
enable password 7 6565466546564654665
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain-lookup
ip host residence 192.168.101.14
ip host hartman 192.168.101.18
ip host CB 192.168.101.10
ip host internet 180.180.67.61
ip host OmahaMain 192.168.101.6
!
ip inspect dns-timeout 30
ip inspect name Firewall ftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall h323
ip audit notify log
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
 ip address 192.168.5.2 255.255.255.0
 ip nat inside
 load-interval 30
 duplex auto
 speed auto
!
interface Serial0/0
 description Frame Relay T1 41/YBGS/**************
 no ip address
 encapsulation frame-relay
 load-interval 30
!
interface Serial0/0.17 point-to-point
 description To HOH in CB
 ip nat inside
!
interface Serial0/0.18 point-to-point
 description To Qwest Internet Services
 ip address 180.180.67.62 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect Firewall in
 ip inspect Firewall out
 no cdp enable
 frame-relay interface-dlci 18 IETF
!
interface Serial0/0.21 point-to-point
 description To Tabor RES
 ip address 192.168.101.13 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 21 IETF
!
interface Serial0/0.22 point-to-point
 description To OAPC in NE
 ip address 192.168.101.17 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 22
!
interface Serial0/0.23 point-to-point
 description YBGS-*************
 ip address 192.168.101.9 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 23 IETF
!
interface Serial0/0.24 point-to-point
 description "Ckt for tech office"
 ip address 192.168.101.5 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 24
!
ip nat pool NATPOOL 180.180.69.193 180.180.69.193 netmask 255.255.255.192
ip nat inside source route-map NATMAP pool NATPOOL overload
ip nat inside source static 192.168.5.25 180.180.69.200
ip nat inside source static 192.168.5.26 180.180.69.201
ip nat inside source static 192.168.5.27 180.180.69.202
ip nat inside source static 192.168.5.28 180.180.69.203
ip nat inside source static 192.168.5.29 180.180.69.204
ip nat inside source static 192.168.5.30 180.180.69.205
ip nat inside source static 192.168.5.100 180.180.69.199
ip nat inside source static 192.168.6.25 180.180.69.206
ip nat inside source static 192.168.7.77 180.180.69.207
ip nat inside source static 192.168.3.3 180.180.69.208
ip classless
ip route 0.0.0.0 0.0.0.0 180.180.67.61
ip route 192.168.3.0 255.255.255.0 192.168.101.18
ip route 192.168.6.0 255.255.255.0 192.168.101.6
ip route 192.168.7.0 255.255.255.0 192.168.101.10
ip route 192.168.10.0 255.255.255.0 192.168.101.14
no ip http server
!
access-list 1 permit 200.225.133.227 log
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 2 deny   192.168.5.100
access-list 2 deny   192.168.7.77
access-list 2 deny   192.168.3.3
access-list 2 deny   192.168.5.29
access-list 2 deny   192.168.5.28
access-list 2 deny   192.168.5.30
access-list 2 deny   192.168.5.25
access-list 2 deny   192.168.5.27
access-list 2 deny   192.168.5.26
access-list 2 deny   192.168.6.25
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.6.0 0.0.0.255
access-list 2 permit 192.168.7.0 0.0.0.255
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 101 deny   icmp any any redirect
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.0.0.0 0.255.255.255 any
access-list 101 deny   ip 180.180.69.192 0.0.0.63 any
access-list 101 permit tcp any host 180.180.69.199 eq 22
access-list 101 permit ip any host 180.180.69.200
access-list 101 permit ip any host 180.180.69.201
access-list 101 permit ip any host 180.180.69.202
access-list 101 permit ip any host 180.180.69.203
access-list 101 permit ip any host 180.180.69.204
access-list 101 permit ip any host 180.180.69.205
access-list 101 permit ip any host 180.180.69.206
access-list 101 permit tcp any host 180.180.69.207 eq 5631
access-list 101 permit udp any host 180.180.69.207 eq 5632
access-list 101 permit tcp any host 180.180.69.208 eq smtp
access-list 101 permit tcp any host 180.180.69.208 eq www
access-list 101 permit tcp any host 180.180.69.208 eq 443
access-list 101 permit tcp any host 180.180.69.208 eq 444
access-list 101 permit tcp any host 180.180.69.208 eq 4125
access-list 101 permit tcp any host 180.180.69.208 eq 1723
access-list 101 permit tcp any host 180.180.69.208 eq 3389
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
route-map NATMAP permit 10
 match ip address 2
!
snmp-server contact me me me
snmp-server chassis-id JMX0709L8GB
snmp-server enable traps tty
banner motd ^C
                        Cisco 2620XM 12.2(12C) c2600-Io3-M
^C
!
line con 0
 password 7 7897987977979
 speed 115200
line aux 0
line vty 0 4
 password 7 687697687697697
 login
!
end

Tabor_Main#
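Two things in the running config above that the thread does not pick up on, as an added example written for this page (not code from the thread or from Cisco). The excerpt inside it is constructed to mirror the posted lines; the type 7 strings are real encodings of made-up passwords, since the poster's own are masked. First, `service password-encryption` and `enable password 7` produce type 7 strings, which are a reversible XOR against a fixed key rather than a hash, so anyone holding a copy of the config (a backup, a TFTP copy, a forum post like this one) has every password in it; `enable secret` stores a salted MD5 hash (type 5) instead. Second, the anti-spoof entries in access-list 101 for 172.0.0.0 and 192.0.0.0 use 0.255.255.255 wildcards, i.e. /8, which is far wider than the RFC 1918 ranges 172.16.0.0/12 and 192.168.0.0/16 and will also drop legitimate traffic from public addresses in those /8s. The code decodes the type 7 strings and flags deny entries that are strict supernets of a private range.

```python
"""Review an IOS config for reversible passwords and over-wide anti-spoof ACLs.

Added example for this page (not code from the thread or from Cisco).
CONFIG below is a constructed excerpt modelled on the posted running config.
"""
import ipaddress
import re

# Fixed XOR key used by IOS "type 7" (service password-encryption) strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce a type 7 string: 2-digit seed + hex of (byte XOR key[seed+i])."""
    xored = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{xored.hex().upper()}"


def type7_decode(enc: str) -> str:
    """Reverse type7_encode: the XOR is its own inverse, so no secret is needed."""
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


PW7_RE = re.compile(r"^\s*(?:enable\s+)?password\s+7\s+([0-9A-Fa-f]+)\s*$")


def recover_type7_passwords(config: str) -> list:
    """Every 'password 7 <hex>' line in the config, decoded, in file order."""
    found = []
    for line in config.splitlines():
        m = PW7_RE.match(line)
        if m:
            found.append(type7_decode(m.group(1)))
    return found


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' into a network (wildcard bits are don't-care)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a single prefix")
    mask = ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((a & mask, bin(mask).count("1")))


PRIVATE = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ACL_DENY_RE = re.compile(r"^access-list\s+(\d+)\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any$")


def overbroad_denies(config: str) -> list:
    """(acl, denied network, private range it was meant to cover) for every
    deny entry that is a strict supernet of an RFC 1918 / loopback range."""
    findings = []
    for line in config.splitlines():
        m = ACL_DENY_RE.match(line.strip())
        if not m:
            continue
        acl, a, w = m.groups()
        net = (ipaddress.IPv4Network(f"{w}/32") if a == "host"
               else wildcard_to_network(a, w))
        for priv in PRIVATE:
            if priv != net and priv.subnet_of(net):
                findings.append((acl, str(net), str(priv)))
    return findings


# Constructed excerpt; the two type 7 strings encode made-up passwords.
CONFIG = f"""
service password-encryption
enable password 7 {type7_encode('cisco', 9)}
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.0.0.0 0.255.255.255 any
access-list 101 deny   ip 192.0.0.0 0.255.255.255 any
access-list 101 deny   ip 180.180.69.192 0.0.0.63 any
line vty 0 4
 password 7 {type7_encode('r3mote!', 5)}
 login
"""

if __name__ == "__main__":
    print("type 7 passwords recovered:", recover_type7_passwords(CONFIG))
    for acl, net, priv in overbroad_denies(CONFIG):
        print(f"ACL {acl}: deny {net} is wider than {priv}")
```

The 10.0.0.0 and 127.0.0.0 entries are not flagged because they match their private range exactly; the 224.0.0.0 and own-prefix entries are not flagged because they do not overlap a private range at all. The fix on the router side is `enable secret` for the privileged password and `172.16.0.0 0.15.255.255` / `192.168.0.0 0.0.255.255` for the two anti-spoof lines.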
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
How much RAM should I get to be on the safe side?

And I need to download c2600-ik9o3s-mz.122-34a.bin?

Thanks



You have 2 RAM slots, one has 32M in it now. To be on the safe side, just get another 32M for total of 64M
Yes, download and install that IOS file.
I'll have to take that back.
Default memory on 2620XM = 32M
MAX memory = 48M
All you can do is add a 16M SIMM
I have a broken 1721 router at the office that has 16M RAM; does this work?
Neither. The XM is different.
The eBay one is flash FS, not DRAM.
Here's one
http://www.ciscomemoryupgrades.com/16flmeforci22.html


OK, I ordered the link you sent and now trying to get a hold of the *.bin file.... thanks!
Here's a link to a configuration example that might get you started once you get the IPSEC
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml

So I can go ahead and plan out for my remote site, what equipment do I need to purchase for the remote site?
I recommend a Linksys RV042 or WRV54G if you want wireless
Else a Cisco PIX501
How many users?
3 desktop PCs and 2 network printers, that's it...
Linksys RV082 has 8 x 10/100 interfaces and VPN capability.
I think you gave me the wrong link and I didn't even bother looking before I ordered.  The link you sent was for FLASH memory and I got it today and installed it, but now I have 32MB FLASH (max is 48).  I believe what you said is to order SDRAM for the machine (256MB max) so I'm going to order the 64MB approved for $109.99
http://www.ciscomemoryupgrades.com/64sdmeforci24.html

Is this correct?  Thanks!
D'OH! You're right, I didn't pay attention. Yes, you need SDRAM