Elijah Savage III wrote:
> 
> Oh yeah, with the limited address space the correct term I meant to use
> is PAT, not to confuse anyone. The outside interface on the PIX has 1
> public and everyone gets NAT'd to that one global address.

So, use public addressing on the PIX(outside)-router link. In the previous
message you said he could use either, but it will make things easier if he
uses public on that link and private on the -------(inside)PIX link, eh?

Sorry, if I'm being dim-witted. :-)

Priscilla


> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> Brunner Joseph wrote:
> > 
> > You should use private addressing behind the PIX and use statics from
> > the /29 to map to Servers, etc. behind the PIX.
> > 
> > Why would you ever want to put public IPs behind a PIX? Especially
> > for a VPN? Not cool. It makes it an easier target to spoof, as
> > opposed to RFC1918 addresses.
> 
> I don't think he was suggesting using public IP addresses behind the
> PIX. What addressing would you recommend for the LAN between the outside
> interface of the PIX and the router, per this part of his drawing:
> 
> PIX1(outside)----(e0)R1(e1)--------INTERNET
> 
> By the way, he really did show R1 having an Ethernet interface out to
> the Internet. I don't think it was a typo. In the case that came up last
> week, this Ethernet then went to a wireless WAN of some sort.
> 
> Could you take another look at the question and give us some advice?
> This question came up last week too and the person never got a good
> answer. I would answer it myself but I'm PIX and VPN challenged (but
> learning! ;-)
> 
> Priscilla
> 
> 
> > 
> > Answering your original question -
> > 
> > "If I'm provided a /29 address by my ISP for PIX1's site, then how
> > does the PIX1's outside and R1's Ethernet addresses get provisioned
> > (same question for PIX2's site)?"
> > 
> > If you insist on using publics behind your PIX, you get a /29 for
> > behind, and 2 /30's. One for PIX to RTR and one for RTR to ISP EDGE.
> > 
> > The routers also should NEVER use UNNUMBERED! How do you remote
> > manage the router if the Ethernet line proto is down? Loopback?
> > You won't have a public IP if your ISP skimps on addresses.. I
> > have seen some whack configs where s0/0 is unnumbered, and the only
> > routed block is on e0/0. It's not worth saving the /30 for added
> > aggravation.
> > 
> > "Are they bridged or unnumbered in some way?" The routers know nothing
> > of your site-to-site VPN. They just route.. nuff said on that.
> > 
> > "How do the PIXes use private addresses as for their crypto peer
> > statements?"
> > 
> > They can't. Not unless you use "outside" NAT on the RTRs, something I
> > don't think you can or want to do.. Just use publics all around for
> > your crypto peer statements.. I don't think you can do it any other
> > way.. One creative way to do it, maybe: run a GRE tunnel from router
> > to router (say 10.0.1.0/24). Use 2 more /24 private class C's for in
> > between router and PIX on each side.
> > 
> > Just route everything (which is also encrypted) thru the tunnel.
> > Have "NO NAT" on your PIXes for internal stuff to go out of the
> > router on S0/0 (instead of "VPN" traffic which goes out Tunnel0).
> > This should make your PIXes harder to attack, and if you want you
> > can run NAT on the router for hosts, or have another NAT proxy
> > behind the PIX (either way, the PIX won't do NAT with this
> > "low-profile" config trick).
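
For reference, here is what Brunner's GRE-over-IPsec "low-profile" layout looks like on R1 in IOS syntax. This is an added illustration, not a config posted by anyone in the thread, and every address is constructed: 192.0.2.0/30 is the ISP /30 on S0/0, 198.51.100.1 is R2's public address at the other site, 172.16.1.0/24 is the private R1-PIX1 link (PIX1 outside = 172.16.1.2), 10.0.1.0/24 is the tunnel subnet, and 10.1.0.0/16 and 10.2.0.0/16 are the LANs behind PIX1 and PIX2.

```text
! R1 at site 1. Added illustration in IOS syntax; all addresses are constructed.
! Crypto peers are the routers' public addresses; only GRE between them is encrypted.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended GRE-TO-R2
 permit gre host 192.0.2.2 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-R2
!
! GRE tunnel router-to-router on its own private /24 (10.0.1.0/24).
interface Tunnel0
 ip address 10.0.1.1 255.255.255.0
 tunnel source Serial0/0
 tunnel destination 198.51.100.1
!
! ISP /30 on the serial link; this is the only public address R1 needs.
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
! Private /24 between R1 and PIX1(outside); PIX1 outside is 172.16.1.2.
interface Ethernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
! Remote site via the tunnel, local LAN via PIX1, everything else to the ISP.
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 10.1.0.0 255.255.0.0 172.16.1.2
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! PAT on the router instead of the PIX. Tunnel0 is neither "nat inside" nor
! "nat outside", so site-to-site traffic is never translated; the deny is belt and braces.
ip access-list extended NAT-INSIDE
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
```

R2 mirrors this with the addresses swapped, and PIX1 runs with translation disabled (on PIX 6.x, `nat (inside) 0 0 0`) so the router does the PAT. The IKE/IPsec algorithm choices are only placeholders for whatever current guidance recommends.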




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57664&t=57648
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]