3845 VPN support from inside thru 2600 border/choke router

A little background:
==============
I've got an Internet T1 line feeding a 2600 as my border / choke router to the outside world, and a pair of Linux-based firewall machines between the 2600 and my primary internal RFC 1918-numbered network. The Ethernet side off the 2600 is my "DMZ" where I attach web servers, web proxy/firewall/bastion combo servers for my internal websurfers, SMTP gateways, those two Linux iptables-based firewall machines, etc. We do not allow general NAT thru these firewalls; only isolated machines on our insides can access specific addressed hosts on the outside, and specific addressed hosts from the outside can get forward-masq'ed thru to specific internal machines on our insides (e.g. pcAnywhere hosts for remote support, etc.). In short, full routability between my internal RFC 1918 networks and the outside world is deliberately non-existent.

This has proven to be a pretty good security model over the years with the limited budget I have to work with, and we still get essential Internet access (email, proxied web and file xfers, some limited NAT'ed and forward-masq'ed hosts, etc) to keep most users happy.

I've got four other smaller & different internal networks, all RFC1918-numbered as well, and routed to each other and also to that main internal network with a C3640 full of 10/100 modules in the middle. It's purely an "internal" router only. I've got inbound and outbound access-lists on pretty much each interface on the 3640 to enforce who can get to what within my internal networks -- necessary for internal security reasons.

Needless to say, performance thru the 3640 just doesn't cut it anymore with today's bandwidth hog apps, so we've bought a 3845 (Adv IP Svcs IOS) and filled it with new 10/100 modules to go in place of the old 3640. So far so good... the 3845 can smoke the 3640 with ease and the internal router thruput bottlenecks have now all but disappeared. (I would like to have full gigabit wirespeed routing on a bunch of interfaces, but there's no funding to buy a "big boys" BFR9000 or whatever router, so I must settle for the 3845 as the most we can afford.)

The need for VPN:
===============
Up until now, we've had no real means of allowing any VPN connections from the outside world to come into our inner networks, but the new 3845 seems to have considerable VPN support built-in. Problem is... I really don't want to expose an interface on the 3845 directly to the raw untamed Internet.

How could I best accomplish allowing incoming VPN connections to be handled by my 3845 residing in the midst of a bunch of internal networks without making it too vulnerable to the wild untamed lawless Internet hooligans out there? My 2600 choke/border router has the ACL from hell on all inbound traffic. My Linux firewall boxes have rather limited VPN-masq-ing capability (i.e., only a single GRE tunnel at a time for Windows PPTP), etc. Mostly we'd be wanting to support employees at home connecting in via a software-based VPN client on a Windows PC over their cable modem or DSL Internet service.

Can my 2600 be made to allow or forward just enough GRE and/or IPsec VPN traffic from an explicitly enumerated list of outside addresses to an interface on the 3845 (if I connect one 10/100 interface to the "DMZ" behind the 2600)?

I've also got an old PIX 501 lying around unused, since configuring it was such a PITA and the Linux boxes proved easier for me to make into the specific firewalls I needed; plus my boss refused to buy SmartNet for the PIX, and it has an ancient version of software in it that has some security holes... so it sits in the scrap pile.

Help! I'm pretty green at VPNs and would greatly appreciate it if anyone could point me to some config guides and examples that might cover what I'd like to accomplish here.

-- w2k3newbie
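One way to do what the question above asks of the 2600, as an added configuration example that is not from the original post or the poster's own config: an IOS extended ACL on the Internet-facing interface that lets only the IPsec flows (ISAKMP on UDP/500, NAT-T on UDP/4500, ESP) and PPTP flows (TCP/1723 plus GRE) from enumerated outside addresses reach the 3845's DMZ-facing address, and logs and drops everything else aimed at it, so the rest of the existing inbound ACL is untouched. The addresses (192.0.2.5 as the 3845's DMZ interface, 203.0.113.10 and 203.0.113.20 as two remote clients), the interface name Serial0/0 and the ACL name are assumptions.

```cisco
! Constructed example: VPN-only pinholes on the 2600's Internet-facing interface.
! Assumed: 192.0.2.5 = the 3845's interface on the DMZ behind the 2600,
!          203.0.113.10 and 203.0.113.20 = the enumerated remote client addresses.
ip access-list extended INTERNET-IN
 remark --- IPsec from the enumerated clients to the 3845 only ---
 permit udp host 203.0.113.10 host 192.0.2.5 eq 500      ! ISAKMP / IKE
 permit udp host 203.0.113.10 host 192.0.2.5 eq 4500     ! NAT-T (client behind home NAT)
 permit esp host 203.0.113.10 host 192.0.2.5             ! IP protocol 50
 permit udp host 203.0.113.20 host 192.0.2.5 eq 500
 permit udp host 203.0.113.20 host 192.0.2.5 eq 4500
 permit esp host 203.0.113.20 host 192.0.2.5
 remark --- PPTP (control channel plus GRE) from the same clients ---
 permit tcp host 203.0.113.10 host 192.0.2.5 eq 1723
 permit gre host 203.0.113.10 host 192.0.2.5             ! IP protocol 47
 permit tcp host 203.0.113.20 host 192.0.2.5 eq 1723
 permit gre host 203.0.113.20 host 192.0.2.5
 remark --- nothing else from outside reaches the 3845; log the attempts ---
 deny   ip any host 192.0.2.5 log
 remark --- the existing inbound rules for the rest of the DMZ follow here ---
 remark (the ACL still ends with IOS's implicit deny ip any any)
!
interface Serial0/0
 ip access-group INTERNET-IN in
```

Home cable/DSL clients usually have dynamic addresses, so a per-host list like this needs regular maintenance, and a client behind a home NAT router will negotiate on UDP/500 and then carry ESP inside UDP/4500, so the 4500 line is the one that does the work for most of them. The 3845's DMZ-facing interface should carry its own inbound ACL permitting just these same protocols, so the 2600 is not the only thing standing between it and the Internet.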
