3 PIX VPN questions - FUN FUN FUN

Hope these aren't stupid questions, but here goes, some background first: I have a PIX 515 6.3(5) at head office; remote sites are 1720's or 1750's running a flavor of 12.1 (due to memory shortage, cannot upgrade) connected via site-to-site VPNs to this PIX. I have 3 questions that I can't seem to sort out. Please help me if you know the answers:

  1. Can I use BGP with the 1700s over this VPN to my network of routers that are on the internal network? Are there any caveats in this situation? My Internal routers are connected via Frame/Wireless/dedicated lines to a 3640 on the internal network, and are already successfully running BGP?

  2. How can I route traffic from one remote VPN site to another remote VPN site? I have added the appropriate subnets to the crypto ACL on each router, and added entries to the NAT 0 ACL, but still can't route between VPN subnets. Any idea what else is needed? The VPN remote sites can all successfully route to the other internal (non-VPN) WAN sites.

  3. Currently I have to bounce these VPN remote site users off an internal proxy in order to allow them to browse the internet. This is a problem for me as squid is not passing the credentials to our Websense server, preventing me from tracking usage of individuals, as they all appear to be the same user to Websense. Is there a PIX rule where traffic can't go back out the same interface it came in on? I seem to remember something like this, but can't find the info again. Is there a workaround to this situation? Something I'm missing?

thanks tical

frishack
1) Yes, the 1700 supports IBGP and EBGP. Depending on IOS version, I'm sure...

2) The way I would do it is: have my remote sites dial into my network internally. Then have all traffic pass through an internal router, which does all your routing between sites. Then have one gateway out, going to your squid server, then your pix, then finally a border router, or your isp.

So your network topology would look in this order.

    Internet (ISP)
          |
    Border Router or Pix
          |
         Pix
          |
    Squid (Proxy)
          |
    Internal Router
      |       |       |
     VPN     VPN     VPN
    Remote  Remote  Remote
     Site    Site    Site
    Cisco   Cisco   Cisco
     1700    1700    1700

3) This would change when I changed my network topology to how I stated before.

I doubt I helped ya that much, but hopefully inspired some ideas for you.

Cliff

Yes, in PIX 6.3(5), traffic cannot go out the same logical interface it came in on.

The PIX 515 supports logical interfaces in 6.3(5). A logical interface is an 802.1Q VLAN that is associated with an IP address range. And of course the PIX 515 supports multiple physical interfaces.

The PIX 515 supports PIX 7.0 and PIX 7.1. PIX 7.0 has a number of configuration changes relative to 6.x; one of them allows you to route traffic back through the same interface provided that a VPN is involved.

Walter Roberson
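As an added illustration (not config from this thread or from either poster), here is what the PIX 7.x change Walter describes looks like at the hub for questions 2 and 3. The spoke subnets 192.168.10.0/24, 192.168.20.0/24, the head office range 10.0.0.0/16 and the ACL names are constructed values.

```cisco
! Added example, not the thread's own config. Assumes PIX 7.x at the hub,
! spoke A = 192.168.10.0/24, spoke B = 192.168.20.0/24, head office =
! 10.0.0.0/16. All addresses and ACL names are constructed placeholders.

! PIX 6.3 drops any packet that would leave the interface it arrived on.
! PIX 7.0 keeps that default but lets you permit it explicitly; without this
! line spoke-to-spoke and spoke-to-internet traffic via the hub still dies here.
same-security-traffic permit intra-interface

! Spoke-to-spoke traffic enters and leaves "outside", so the NAT exemption
! has to be applied on outside; a NAT 0 ACL on inside alone never matches it.
access-list OUTSIDE_NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list OUTSIDE_NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE_NONAT

! The hub's crypto ACL toward each spoke must also carry the other spoke's
! subnet, mirroring what was added on the 1700s; otherwise the hub has no
! matching proxy identity and never re-encrypts the hairpinned packet.
access-list VPN_SITE_A extended permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN_SITE_A extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_SITE_B extended permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list VPN_SITE_B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Question 3, if the spokes are to reach the internet through the hub instead
! of the squid box: hairpinned web traffic needs PAT on the outside interface.
nat (outside) 1 192.168.10.0 255.255.255.0
nat (outside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
```

Verify the result with `show crypto ipsec sa` on the hub: each spoke peer should show a separate SA pair for the other spoke's subnet once traffic flows, and `show xlate` should list the PAT entries for the hairpinned internet sessions.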

Thanks for your answer Walter. I have decided to buy a couple of ASA 5510's which include PIX level 7 code. We also have need of the concentrator functionality built in to this device.

frishack