Routing behind the PIX to multiple destinations

Question, Which would be easier, setup static routes in the PIX and router behind the PIX or setup GRE tunnel and use eigrp to establish routes and just insert the DO NOT NAT on the pix?

PC | PIX1 ( | | PIX2 ( | Router ( |

+---------------+-------------+----- Router Router Router ( ( ( | | | PC PC PC
Reply to
Loading thread data ...

Sorry, to add. There is a router behind PIX1

Reply to

| RouterA

A few critical questions which can/will change the "correct" answer...

Is this a VPN with a net-to-net IPSec tunnel between the two PIX?

How much do the two LAN's trust one-another?

Is/are the application(s) being supported sensitive to MTU reduction?

What do you expect to gain by using dynamic routing in this scenario?

Reply to
Vincent C Jones

Yes, the VPN is net to net between two PIX's.

Same company so they trust another.

Simple windows networking, other apps are unknown.

The only gain, is that as more network spring up on the one side, the remote site would know about it immediately although someone would have to allow it in the pix. I guess my question was a broad one. What is the common practice.

Reply to

There is common practice and there are best practices, which in this case are not the same:

Common practice is to just use static routes. This recognizes that the IPsec tunnels on the firewalls are all static definitions so there is no way around the need to "visit" each site when adding coverage of new networks (it doesn't help to have the routers auto-learn new LANs if the firewalls are black holes).

When dynamic routing would be useful (multiple tunnels connecting sites), common practice is to set up a GRE tunnel between the routers and configure it to pretend to have a 1500 byte MTU. This is a recently introduced IOS feature. Prior common practice was to set up a GRE tunnel between the routers and manually configure those Windows boxes which couldn't correctly dynamically determine the MTU to apply a reduced MTU to all packets even if local.

Best practice is to determine the driving requirements and provide a solution which optimizes that aspect of implementation:

1 - Fake 1500 MTU with GRE feature, which means broken applications can run without touching the desktop, but defeats the purpose of max MTU discovery and reduces efficiency of WAN communications. 2 - Classical GRE tunnel with every desktop hard-coded to 1250 byte MTU (or similar, worst case low value). No thinking required, but does require strict desktop configuration control. 3 - Static routing eliminates the MTU reduction of a GRE, but then requires keeping all routes up to date. On the other hand, the VPN setups on the firewalls are all static configurations anyway, so unless there are alternate routes available, there is no real benefit to implementing a routing protocol. 4 - Use BGP routing over the IPsec tunnels to provide dynamic routing capability without GRE tunnels. This approach has three primary drawbacks: upgrades to routers to provide support for BGP, multiple firewalls required at each site requiring redundant IPsec, and the lack of example configs on CCO means the network designer must actually understand networking, IPsec and BGP.

As always, your mileage may vary.

Reply to
Vincent C Jones Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.