Question on dynamic routing and PIX VPN

Hi there,

I have a diagram online [link] and a scenario I am going to type here.

Let's say I am an online backup service. I have, then, an FTP server farm. In order to get the files in a secure way through the Internet, my servers are behind a PIX and I need to use an IPsec VPN to link the sites.

Let's say I have 3 customers. Those customers are insisting on the fact that they want to have a dedicated SDSL line to my location.

In front of my PIX, I have a router which I own. Connected to this router are the routers of my 3 customers. Note that those routers are on 3 different ISP backbones.

What are the technologies involved to make sure a packet supposed to reach 195.238.4.17 (a VPN peer of my customer) will go through Belgacom's link and not through AT&T's?

Also, on the diagram I've mentioned that my infrastructure is on the COLT backbone. Well, I am not sure I need an ISP there. Can I be my own ISP for this cross-over cable? Do I have to get in contact with an ISP to register a subnet?

Thank You,

Freddy

Reply to
Freddy Vs Jason

You have 3 different outside interfaces on the router. If necessary, add static routes on the router pointing each remote destination out the correct interface. I say "if necessary" because if your router is configured as shown in your diagram, your router will very likely add the routes automatically as "connected" routes.

You can use a private IP address range between your router and your PIX. Before getting rid of your COLT link, though, you need to figure out what you want to have happen with packets from inside that are destined to somewhere other than your 3 customers. I'm sure your customers don't want you to surf the web over your VPN connection to them ;-) You probably need a public IP connection (such as the COLT one) in addition to your dedicated links to your customers.

You do not need to register a subnet with your ISP, and you only need one public IP address for your router (or none if you never need to talk to the outside world).

What you -do- need to do, is some fancy NAT on the router. Each packet coming in through one of the dedicated SDSL interfaces should have its destination IP modified to the outside IP address of the PIX (on the public or private subnet shared between the router and the PIX). The source address of the incoming packets can be left alone. The PIX will receive the packet, decapsulate it, pass it inward; when the inside replies, the PIX will examine the (now) destination IP [e.g., 10.10.10.x], determine the proper VPN tunnel to use by searching in the crypto maps for that source/destination combination, encapsulate the packet with the appropriate "peer", and punt the packet out towards the router. The router will then have to NAT the IP address of the PIX that is in the packet source, transforming it into the appropriate public IP address as known to that destination peer. If you set up the ingoing NAT the right way, then the router will see this operation as a normal de-NAT and will know how to do it without specific configuration.

Note: you might find that you need to use "policy based NAT" in order to be allowed to configure multiple destination IPs (the public peer IPs known to your customers) to a single IP address (the outside IP of the PIX).

Notice that this configuration process is essentially independent of the PIX -- nothing at all different needs to be configured on the PIX to support it. The PIX remains ignorant of the path to each of the clients. This is not a dynamic routing configuration as far as the PIX is concerned. It isn't even a dynamic routing configuration as far as the router is concerned...

Reply to
Walter Roberson
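As an added illustration, not part of Walter's reply and not a configuration taken from the thread: a Cisco IOS router configuration that does what the reply describes, with one host route per customer peer, a default route to the public uplink, and route-map ("policy") static NAT that presents the single PIX outside address to each customer under a different public address. Every interface name and address is an assumption using documentation ranges (RFC 5737 / RFC 1918), except 195.238.4.17, which is the customer A peer from the question; the two other peer addresses, the link subnets and the COLT address are made up. The `route-map` form of `ip nat inside source static` and the keyword order shown should be verified against the IOS release on the actual router.

```cisco
! Added example, not from the original page. Interface names and all
! addresses except 195.238.4.17 are assumed.
!
! Private subnet shared by the router and the PIX (PIX outside = 192.168.100.2)
interface FastEthernet0/0
 description to PIX outside interface
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
!
! One dedicated SDSL hand-off per customer. The .3/.11 addresses are what each
! customer configures as its VPN peer; they are not assigned to an interface,
! the static NAT entries below make the router answer for them.
interface FastEthernet0/1
 description customer A (Belgacom), their VPN peer is 195.238.4.17
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
interface FastEthernet0/2
 description customer B (AT&T), their VPN peer is 192.0.2.130 (assumed)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
interface FastEthernet0/3
 description customer C, their VPN peer is 192.0.2.200 (assumed)
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
!
! Public uplink for everything that is not customer VPN traffic
interface FastEthernet1/0
 description COLT uplink (assumed addressing)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Routing: each customer's peer is pinned to its own link by a host route;
! everything else follows the default route to COLT. No dynamic routing.
ip route 195.238.4.17 255.255.255.255 198.51.100.1
ip route 192.0.2.130  255.255.255.255 203.0.113.1
ip route 192.0.2.200  255.255.255.255 203.0.113.9
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Policy NAT. Inbound on FastEthernet0/1 a packet for 198.51.100.3 is
! rewritten to 192.168.100.2 and forwarded to the PIX; the PIX's reply,
! sourced from 192.168.100.2 towards 195.238.4.17, matches ACL 101 and is
! rewritten back to 198.51.100.3. The destination peer is what selects the
! public address, which is why one inside address can map to three globals.
access-list 101 permit ip host 192.168.100.2 host 195.238.4.17
access-list 102 permit ip host 192.168.100.2 host 192.0.2.130
access-list 103 permit ip host 192.168.100.2 host 192.0.2.200
route-map NAT-CUST-A permit 10
 match ip address 101
route-map NAT-CUST-B permit 10
 match ip address 102
route-map NAT-CUST-C permit 10
 match ip address 103
! "extendable" is what allows the same local address in several static entries
ip nat inside source static 192.168.100.2 198.51.100.3 extendable route-map NAT-CUST-A
ip nat inside source static 192.168.100.2 203.0.113.3 extendable route-map NAT-CUST-B
ip nat inside source static 192.168.100.2 203.0.113.11 extendable route-map NAT-CUST-C
!
! Ordinary Internet traffic from behind the PIX is overloaded onto the COLT
! address; the deny lines keep the VPN peers out of this dynamic translation.
access-list 110 deny   ip host 192.168.100.2 host 195.238.4.17
access-list 110 deny   ip host 192.168.100.2 host 192.0.2.130
access-list 110 deny   ip host 192.168.100.2 host 192.0.2.200
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet1/0 overload
```

Two checks worth making before relying on this. First, a 1:1 address translation rewrites only the outer IP header, so ESP (protocol 50) passes intact, but AH would not, since AH authenticates the outer header including the addresses. Second, each customer sees 198.51.100.3 (or the equivalent) rather than the PIX's real outside address, so the IKE identity the PIX presents must be one the customer can accept; if the peers use pre-shared keys with address identities, the PIX may need `isakmp identity hostname` and the customers' peer entries must name the address they actually see. The PIX's own `set peer` entries stay the customers' public addresses, which is what lets the PIX configuration remain unchanged, as the reply says.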

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.