vlan and vpn config question
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||||||||||||||
|
Posted by on January 12, 2006, 10:04 am
Please log in for more thread options I currently have a pix 515e with vpn groups. we are seeing rapid growth in the vpn use and i need to be able to make the local pool of ip addresses larger. to do this, i want to make an entire vlan only used for the vpn group pool of ip addys. I have a question or two about this. my pix is connected to my core switch, a 4507R. currently the port that connects resides on vlan 321, and the pool of addresses is also in vlan 321. is it possible to have a port in more than vlan as i assume is needed to have connectivity from the vpn client if given another vlan address other than the ones on vlan 321. or am i totally over thinking this? Also, this vpn solution seems to be getting more complex and harder to manage. should i be thinking of purchasing a vpn concentrator to solve these issues? TIA, R | ||||||||||||||||||||||
|
Posted by Walter Roberson on January 12, 2006, 4:22 pm
Please log in for more thread options :growth in the vpn use and i need to be able to make the local pool of :ip addresses larger. to do this, i want to make an entire vlan only :used for the vpn group pool of ip addys. I have a question or two :about this. my pix is connected to my core switch, a 4507R. currently :the port that connects resides on vlan 321, and the pool of addresses :is also in vlan 321. is it possible to have a port in more than vlan :as i assume is needed to have connectivity from the vpn client if given :another vlan address other than the ones on vlan 321. or am i totally :over thinking this? You're totally over-thinking this ;-) VPN pool addresses are allocated to clients by the security endpoint (i.e., PIX in this case). The clients continue to use their own addresses internally (e.g., for their local LAN), but when sending to the security endpoint, the VPN client software uses the machine's public IP on the outer wrapping of the packets, and uses the security- endpoint- allocated IP on the interior "encapsulated" packet. When the encapsulating packet gets through the public network to the security endpoint, the security endpoint unwraps it, and submits the unwrapped packet (now with the allocated IP as its source) for routing towards the interior. For proper routing to take place, the VPN pool addresses should not be part of any subnet that is used on the "inside" of the firewall, or else the routing processes on the interior might fail to return reply packets to the security gateway for passing on to the VPN client. In this configuration, there are no interior systems that generate packets with the vpn pool range as their source: any packet that has a source in that range must have come through the VPN and must be destined for an interior host. Similarily, any packet that has a destination in that range must be a reply that an interior host has generated and which is destined for the security gateway for passing on to the VPN client. Any packet that is destined for an interior host needs to be directed into the VLAN that is appropriate for that interior host -- and that isn't going to depend upon the source IP. Any packet that is coming back from an interior host towards the security gateway needs to come through interior host's VLAN until it gets directed to the VLAN that leads to the security gateway -- and again, that isn't going to depend upon the destination IP, since you will be using the general "outbound traffic" VLAN to talk to the security gateway. In our configuration, we did end up putting the PIX traffic into VLANs, but for different reasons. In our topology, based upon the locations of our devices relative to the demarcation point, we ended up putting the raw exterior traffic into a port on a switch that -also- carried private interior traffic. We seperated out the two using VLANs -- using a *port* based VLAN to transport the raw exterior traffic to a port-based VLAN port on a different switch, which connected to the PIX exterior. A VLAN, yes, but one that was agnostic to the IP addresses involved. We also have IP-based VLANs, but none of those are based upon the IPs that are allocated for the VPN clients, since we do not source traffic with those IPs internally. | ||||||||||||||||||||||
|
Posted by on January 12, 2006, 6:21 pm
Please log in for more thread options I appreciate your reply.
i can usually understand what the deal is, but i am totally confused! lol was there a conclusion to this? | ||||||||||||||||||||||
|
Posted by Walter Roberson on January 13, 2006, 2:33 am
Please log in for more thread options The conclusion was "You don't need a VLAN for the VPN pool IPs because you don't have any of them living inside your network." As far as the your network is considered, the IPs in the VPN pool are "outside" addresses, just like the IP for google.com. If you have allocated your VPN pool IPs from your public IP space, you are wasting public IP space ;-) and also you would likely have routing problems if you did that. | ||||||||||||||||||||||
| Similar Threads | Posted |
| vlan and vpn config question | January 12, 2006, 10:04 am |
| VLAN and Wireless config question | October 13, 2005, 2:07 pm |
| Port Channel config Question with Private-vlan | August 15, 2008, 1:47 am |
| 2924 Switch: VLAN config not in config.text | May 22, 2007, 5:23 am |
| CISCO 2950 vlan config problem | August 18, 2005, 9:01 am |
| PIX 501 Config question | October 18, 2006, 10:48 pm |
| initial config of 3560, set config, cant ping~~nv_done: unable to open "flash:/C:\new\config.new | February 5, 2008, 11:39 pm |
| 11503 Config Question | December 9, 2005, 11:48 am |
| QoS config IP Precedence Value Question | November 20, 2006, 4:36 pm |
| Hardware config question | December 21, 2006, 6:05 am |
| Cisco 857 config question. | September 27, 2007, 9:46 pm |
| CF Flash IOS/Config. question | July 25, 2008, 4:14 pm |
| Config question etherchannel and ASA | August 4, 2008, 9:27 am |
| PIX 515 Remote Access Config Question | March 6, 2006, 6:08 pm |
| Config Question - VPN on 3600 Series | August 4, 2008, 1:32 pm |
>lol was there a conclusion to this?