You should use private addressing behind the PIX and use statics from the
/29 to map to servers, etc. behind the PIX.

Why would you ever want to put public IPs behind a PIX? Especially for a
VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918
addresses.

Answering your original question:

"If I'm provided a /29 address by my ISP for PIX1's site, then how does the
PIX1's outside and R1's ethernet addresses get provisioned (same question
for PIX2's site)?"

If you insist on using publics behind your PIX, you get a /29 for behind,
and two /30s: one for PIX to RTR and one for RTR to ISP EDGE.

The routers also should NEVER use UNNUMBERED! How do you remote-manage the
router if the Ethernet line proto is down? Loopback?
You won't have a public IP if your ISP skimps on addresses. I have seen some
whack configs where s0/0 is unnumbered, and the only
routed block is on e0/0. It's not worth saving the /30 for added
aggravation.

"Are they bridged or unnumbered in some way?" The routers know nothing of
your site-to-site VPN. They just route. Nuff said on that.


"How do the PIXes use private addresses for their crypto peer statements?"

They can't. Not unless you use "outside" NAT on the routers, something I don't
think you can or want to do. Just use publics all around for your crypto
peer statements. I don't think you can do it any other way. One creative way
to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use two more /24 private
class Cs for in between router and PIX on each side.

Just route everything (which is also encrypted) through the tunnel.
Have "NO NAT" on your PIXes for internal stuff to go out of the router on S0/0
(instead of "VPN" traffic, which goes out TUNNEL0). This should make your
PIXes harder to attack, and if you want you can run NAT on the router for
hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT
with this "low-profile" config trick).



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57654&t=57648
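The router-to-router GRE layout sketched in the reply above, written out for R1's side in IOS syntax as an added example (not from the original post). Interface names follow the post (s0/0, e0/0, Tunnel0); the public /30 addresses, R2's tunnel endpoint and the PIX-facing /24s are placeholder values, and R2's config mirrors this one.

```cisco
! R1 -- added example, not from the original post; addresses are placeholders
! Serial toward the ISP edge: the public /30 (numbered, never "ip unnumbered")
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
!
! Ethernet toward PIX1's outside: one of the private /24s the post suggests
interface Ethernet0/0
 ip address 10.0.2.1 255.255.255.0
!
! GRE tunnel to R2, numbered from 10.0.1.0/24; endpoints are the public serials
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
!
! PIX2's outside /24 (placeholder 10.0.3.0/24) is reached only via the tunnel,
! so the PIX-to-PIX IPsec peers can use these private addresses
ip route 10.0.3.0 255.255.255.0 Tunnel0
! Everything else (the "no NAT" internal traffic) leaves via S0/0 to the ISP
ip route 0.0.0.0 0.0.0.0 198.51.100.2
```

PIX1's outside interface then sits on 10.0.2.0/24 with its default route pointing at 10.0.2.1, and its crypto peer is PIX2's 10.0.3.x address.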