Question: which would be easier, setting up static routes in the PIX and the router behind the PIX, or setting up a GRE tunnel, using EIGRP to establish routes, and just inserting the DO NOT NAT on the PIX?
Simple windows networking, other apps are unknown.
The only gain is that as more networks spring up on the one side, the remote site would know about them immediately, although someone would still have to allow them in the PIX. I guess my question was a broad one. What is the common practice?
There is common practice and there are best practices, which in this case are not the same:
Common practice is to just use static routes. This recognizes that the IPsec tunnels on the firewalls are all static definitions so there is no way around the need to "visit" each site when adding coverage of new networks (it doesn't help to have the routers auto-learn new LANs if the firewalls are black holes).
When dynamic routing would be useful (multiple tunnels connecting sites), common practice is to set up a GRE tunnel between the routers and configure it to pretend to have a 1500 byte MTU. This is a recently introduced IOS feature. Prior common practice was to set up a GRE tunnel between the routers and manually configure those Windows boxes which couldn't correctly dynamically determine the MTU to apply a reduced MTU to all packets even if local.
Best practice is to determine the driving requirements and provide a solution which optimizes that aspect of implementation:
1 - Fake 1500 MTU with GRE feature, which means broken applications can run without touching the desktop, but defeats the purpose of max MTU discovery and reduces efficiency of WAN communications.
2 - Classical GRE tunnel with every desktop hard-coded to 1250 byte MTU (or similar, worst case low value). No thinking required, but does require strict desktop configuration control.
3 - Static routing eliminates the MTU reduction of a GRE, but then requires keeping all routes up to date. On the other hand, the VPN setups on the firewalls are all static configurations anyway, so unless there are alternate routes available, there is no real benefit to implementing a routing protocol.
4 - Use BGP routing over the IPsec tunnels to provide dynamic routing capability without GRE tunnels. This approach has three primary drawbacks: upgrades to routers to provide support for BGP, multiple firewalls required at each site requiring redundant IPsec, and the lack of example configs on CCO means the network designer must actually understand networking, IPsec and BGP.
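Options 1 and 2 above both exist because GRE inside an IPsec tunnel no longer leaves room for a 1500-byte LAN packet on a 1500-byte WAN link. The following calculator, added here and not part of the thread or any Cisco documentation, works out how much room is actually left: it encapsulates an inner packet in GRE (RFC 2784), then in ESP tunnel mode (RFC 4303) with the cipher block size, IV and truncated ICV of a given transform set, and searches for the largest inner packet that still fits. The three transform-set profiles are assumed typical combinations; the tunnel MTU and TCP MSS it derives are what one would configure on the tunnel interface (option 1) or hard-code on desktops as a worst case (option 2).

```python
"""Size arithmetic for GRE-over-IPsec (ESP tunnel mode) links.

Added example, not from the original thread. Header sizes are the
standard ones (RFC 2784 GRE, RFC 4303 ESP); the cipher/hash profiles
are assumed typical combinations for PIX/IOS of that era.
"""
from dataclasses import dataclass

IP_HDR = 20
GRE_HDR = 4            # basic GRE header, no key/sequence/checksum fields
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
TCP_IP_HDRS = 40       # minimum IPv4 + TCP headers, used to derive MSS


@dataclass(frozen=True)
class EspProfile:
    name: str
    block: int   # cipher block size; ESP padding aligns to it
    iv: int      # IV length carried in the packet
    icv: int     # truncated integrity check value length


# Assumed transform sets (constructed for the example).
PROFILES = (
    EspProfile("3des-sha1", block=8, iv=8, icv=12),
    EspProfile("aes128-sha1", block=16, iv=16, icv=12),
    EspProfile("aes256-sha256", block=16, iv=16, icv=16),
)


def esp_padding(payload_len, block):
    """Padding bytes so that payload + padding + trailer is block aligned."""
    return (-(payload_len + ESP_TRAILER)) % block


def gre_ipsec_length(inner_len, profile):
    """Wire length after GRE encapsulation and ESP tunnel-mode encryption."""
    gre_pkt = IP_HDR + GRE_HDR + inner_len           # inner packet in GRE
    pad = esp_padding(gre_pkt, profile.block)
    return (IP_HDR + ESP_HDR + profile.iv + gre_pkt
            + pad + ESP_TRAILER + profile.icv)


def fits(inner_len, profile, link_mtu=1500):
    """True if a LAN packet of inner_len crosses the WAN link unfragmented."""
    return gre_ipsec_length(inner_len, profile) <= link_mtu


def max_inner_mtu(profile, link_mtu=1500):
    """Largest LAN-side packet that fits; brute force because padding
    makes the relationship non-monotonic in the last few bytes."""
    for inner in range(link_mtu, 0, -1):
        if fits(inner, profile, link_mtu):
            return inner
    raise ValueError("link MTU too small for this profile")


def tunnel_settings(profile, link_mtu=1500):
    """Values to apply on the tunnel: interface MTU and the TCP MSS clamp."""
    mtu = max_inner_mtu(profile, link_mtu)
    return {"ip mtu": mtu, "tcp mss": mtu - TCP_IP_HDRS}


def worst_case_mtu(profiles=PROFILES, link_mtu=1500):
    """Single MTU safe for every profile, for the hard-coded-desktop option."""
    return min(max_inner_mtu(p, link_mtu) for p in profiles)


if __name__ == "__main__":
    for p in PROFILES:
        print(p.name, "1500-byte LAN packet fits:", fits(1500, p),
              tunnel_settings(p))
    print("worst case across profiles:", worst_case_mtu())
```

A 1500-byte host packet fails for every profile, which is why hosts that ignore ICMP fragmentation-needed messages (or sit behind a firewall that drops them) break over a plain GRE tunnel; the 1250-byte figure quoted in option 2 fits with a comfortable margin, at the cost of the efficiency loss the answer describes.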