George,

Interesting perspective.  However, depending upon the VPN protocol you
are using, it may or may not provide a connectivity solution.  Since we
are talking about the PIX firewall, we must be talking about IPSec.  I
don't see IPSec as a connectivity solution; it is a security solution.
There are many ways to provide security; the most obvious is encryption.
Another method for providing security would be to hide the real IP addresses
of my intranet.  By using the private address range (RFC 1918) on my
intranet and translating outgoing packets to an Internet-routable address,
I almost guarantee that no one can send a packet directly to any
of the computers on my intranet without going through my firewall or VPN.

VPNs can solve many problems, but connectivity is not always one of them.
There are certain VPN protocols such as PPTP, L2F, and L2TP that can give you
a connectivity solution.  If you want to run a routing protocol through a
VPN, specifically IPSec, then you do need to set up a GRE tunnel.  The way
I see it, GRE tunnels are a connectivity solution, because they allow you to
transport protocols that are not routable across an IP-only backbone.  Keep
in mind that GRE tunnels are not a security solution, which is why you might
encrypt a GRE tunnel with IPSec.

If you don't care about hiding your address space from the rest of the world
and thus want a solution that doesn't require two distinct address spaces,
why focus on a PIX firewall, especially since its primary goal is to hide
your address space?  Instead, why not just terminate an IPSec tunnel between
two VPN-accelerated routers? (They don't need to be accelerated, but
depending upon the projected bandwidth utilization they might need to be.)
There are many routers that can be used to fit any number of requirements.
It all just depends upon that famous quote: "what problem are we trying to
solve?"

As my father always said... "the right tool for the right job"  :-)

So, where was I?  Oh... right... Austin... here is the link you are looking for:
http://www.cisco.com/warp/public/110/38.html

HTH,
AQ



At 11:40 AM 1/2/01, gwakin wrote:
>I feel led to tell you that, unless IOS or PIX software has been enhanced
>since last I dealt with this issue, you will need to ensure that you're
>running different IP schemas on each PIX, and preferably non-translated
>schemas at that.  Also, if you're planning to run a routing protocol such
>as OSPF across the VPN link, you will need to look at setting up a GRE
>tunnel to accomplish that purpose.  Needless to say, Cisco needs to do a
>better job of due diligence on this VPN solution.
>
>GWA
>
>Austin wrote:
>
> > I am looking for sample configs on PIX to PIX VPNs.


**************************************************
  Adam Quiggle
  Senior Network Engineer
  MCI Worldcom/NOC/BP Amoco
  [EMAIL PROTECTED]
**************************************************

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
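The GRE-over-IPSec design the message describes (a GRE tunnel between two routers carrying OSPF, with the GRE packets encrypted by IPSec) as an added example; this is not configuration from the original thread or from the Cisco document linked above. Everything in it is assumed for illustration: the hostname R1, the public 203.0.113.0/30 link, the private 10.1.0.0/16 and 10.2.0.0/16 sites, the tunnel subnet 10.255.0.0/30, the pre-shared key and the object names. Only R1 is shown; R2 is the mirror image with the source/destination, peer and network statements swapped.

```cisco
! R1: hub side of a GRE-over-IPSec point-to-point link (assumed topology)
!   R1 public  203.0.113.1   R2 public  203.0.113.2
!   R1 LAN     10.1.0.0/16   R2 LAN     10.2.0.0/16
!   Tunnel0    10.255.0.1/30 Tunnel0    10.255.0.2/30
hostname R1
!
! Phase 1 (ISAKMP): how the two routers authenticate and key the SA.
! "PLACEHOLDER-KEY" is an assumed value; use a long random secret.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 203.0.113.2
!
! Phase 2 (IPSec): transport mode is enough because the GRE endpoints
! and the IPSec peers are the same two addresses; nothing extra to hide.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! The crypto ACL selects GRE (IP protocol 47) between the two public
! addresses. This is the line that matters: if the ACL matched the inner
! 10.x subnets instead, the OSPF hellos inside the GRE tunnel would
! leave the router as plain GRE, unencrypted.
ip access-list extended GRE-ACL
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-ACL
!
! The GRE tunnel is the connectivity piece: a routable point-to-point
! link on which OSPF can form an adjacency. The lower MTU leaves room
! for the GRE and ESP headers so 1500-byte LAN frames are not fragmented.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! The crypto map is applied to the physical interface the GRE packets
! exit through, not to the tunnel interface.
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-MAP
!
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
!
! OSPF runs over the tunnel, so both sites exchange routes without any
! static routes or NAT between them.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
end
```

To confirm the two halves are actually doing their jobs: `show ip ospf neighbor` should list R2 in state FULL on Tunnel0 (the GRE connectivity part), and `show crypto ipsec sa` on Serial0/0 should show the `pkts encaps` and `pkts decaps` counters climbing in step with OSPF hellos and user traffic (the IPSec security part). If the OSPF adjacency comes up but the IPSec counters stay at zero, the crypto ACL is not matching the GRE traffic and the tunnel is running in the clear, which is exactly the case the message warns about when it says GRE by itself is not a security solution.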
