Several points to make on this.

1) How are you using 192.168.x.x/28 on your Serial0/0, your external 
interface? (Should this not be your only valid IP, and why a /28 on a Serial 
unless you are using Frame?)  I am now assuming you will change this to 
something like:
  interface Serial 0/0
     ip address live/30

2) If you are using NAT on the Router, then you may not VPN to the PIX, 
making the Router the only possible VPN End-point.  Obtain VPN license for 
your router platform, or plan to redesign slightly.

3) If you ARE using 192.168.x.x/28 on your Serial, even your router is not 
accessible from the public internet, making it entirely impossible for you 
to VPN.

4) You will have problems passing VPN traffic through the PIX without 
completely opening it up anyway.

May I suggest a possible redesign of the network?

--
I never totally understood the use of what I like to call "Double-NAT", 
especially when only a wire exists between 2 devices.  This adds processing 
and memory overhead onto the router that is not necessary, especially in 
today's world.  May I suggest using LIVE IPs up to the PIX box... or better 
yet, obtaining a WAN interface identical to your S0/0 on the router, and 
placing it directly in the PIX... this will free up the router for lab uses. 
You then simply NAT once on the PIX, and to add VPN, you can simply load the 
VPN module into the PIXOS.

Solution 2:
Use Live IPs on the segment between the router and PIX, add a switch or 
better yet, a hub between the two, and add a VPN Appliance, such as a Nortel 
Networks Contivity, or if you like to stay an "All Cisco" shop, a VPN 
Concentrator 3002.  This will accomplish many things:
        VPN troubleshooting will not cause downtime on the PIX
        Router processing/memory demands lowered; it is merely routing now
        Throughput increased due to packets only going through 1 translation
        VPN is direct into the internal network
        VPN is the only task for the box chosen

Currently where I work, we have traditionally been using a Nortel Contivity 
1500 as a hub of 18 branch-office VPNs using smaller Contivity units for 
Branch-to-Branch, and also as the single corporate VPN endpoint for 
user-to-HQ tunnels.  In the 3 years it was in service, it was downed twice, 
once for a move, and once due to replacing the UPS with an APC 16KVa.  Both 
times were of no fault of the equipment.

Recently, we have replaced everything with Cisco product (6509, 7200VXR, 
VPN3002, 2xPIX, 3600, 2600).  Catalyst reboots are about every 2 weeks, the 
7200 came with a faulty Sup blade, the VPN 3000 has been rebooted twice in 
the last month because of hiccups so it will not allow any more 
connections... so far no problems with the x600 routers, or the PIX 
firewalls, that were not programming errors.  All in less than 2 months.  It 
will be happy days to see it all go away in 2 years when the lease expires.  
I will just be happy when they finally unplug the Contivity 1500 in 2 weeks, 
and give it to us for our lab LAN.

Note: With the arrival of all the Cisco gear, I was released from my 
responsibilities to help maintain the network, and now only run a lab 
network based on the old equipment (HP & Nortel L2 switches, Nortel Passport 
L3 switches, Cisco 1600, 2500, 2600 routers, Compaq ML350 servers running 
Unix, Win2k, and soon WinXP).

I wish you luck in finding the solution that works for you.  Do not fear 
approaching management saying that a slight redesign is required to offer 
the VPN solution.  The money they will save by employees working from home, 
and the increased productivity from those same employees, will more than pay 
for any new equipment, or time required to add the technology, in a very 
short period of time.


-- 
Regards,
  Trevor J Corness, CCNA CCDA JNCIS NNCSS MCSE MCP+I
  Systems Engineer, Data Services
  Radian Communication Services Corporation
  http://www.radiancorp.com
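A defender-side sanity check for the three design points raised above (private space on the external Serial, a /28 on a point-to-point link, and NAT on the router forcing the VPN to terminate there), as an added example in Python that is not from either poster: it parses IOS interface blocks like the ones quoted below and returns the findings. The sample config is constructed, with the original x/y placeholders filled in with made-up values.

```python
import ipaddress
import re

# Constructed sample: the two interface blocks quoted in the original mail,
# with the poster's "x"/"y" placeholders replaced by made-up values.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
!
interface Serial0/0
 ip address 192.168.2.1 255.255.255.240
"""


def parse_interfaces(config: str) -> dict:
    """Return {name: {"address": IPv4Interface or None, "nat": str or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"address": None, "nat": None}
            continue
        if current is None:
            continue
        m = re.match(r"^\s+ip address\s+(\S+)\s+(\S+)", line)
        if m:  # ipaddress accepts a dotted netmask after the slash
            interfaces[current]["address"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"^\s+ip nat\s+(inside|outside)", line)
        if m:
            interfaces[current]["nat"] = m.group(1)
    return interfaces


def check_design(config: str, external: str = "Serial0/0") -> list:
    """Flag the addressing and NAT placement issues discussed in the reply."""
    findings = []
    interfaces = parse_interfaces(config)
    for name, iface in interfaces.items():
        addr = iface["address"]
        if addr is None:
            continue
        if name == external and addr.ip.is_private:
            findings.append(f"{name}: {addr} is RFC 1918 space, so the router is not reachable from the Internet and cannot terminate a VPN")
        if name.startswith("Serial") and addr.network.prefixlen < 30:
            findings.append(f"{name}: /{addr.network.prefixlen} on a point-to-point link; a /30 is enough")
    if any(i["nat"] for i in interfaces.values()):
        findings.append("router performs NAT: IPsec must terminate on the router, not on a PIX behind it")
    return findings
```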



On September 26, 2001 03:26 am, Ramesh c wrote:
> Hey Guys,
>
> My setup as follows
>
> Internet ------ Router -------- PIX ------ Internal network
>
> We are using a 192.168.x.x network and using NAT to change to a valid IP
> address. So when I need to set up VPN should I use the 192.168.x.x or the
> valid IP address?
>
> My internet router config
>
> interface FastEthernet0/0
>  ip address 192.168.y.x 255.255.255.252
>  ip nat inside
>
> interface Serial0/0
>   ip address 192.168.x.x 255.255.255.240
>
> Which is more advisable?
> 1) VPN to router or VPN to PIX?
>
> Pls explain in detail...
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21718&t=21120