May I also ask why you want to use private?

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


okay, i should have explained better...sorry

let's break my point down to a digestable limit...

at this point i want to know how to set up the site-to-site VPN tunnel
between the two PIX's, if i use private addressing on the outside
interfaces of the PIX's.  

if both of the outside interfaces of the PIX's use 192.168.x.x
addresses, then what is the address i would use in the 'crypto map peer'
statement?  if it's the 192.168.x.x address of the other PIX's outside
interface, how does the PIX know how to get there?  you follow?

the perimeter router doesn't route private addresses, so how would it
know how to get to the other PIX?

that's why i'm assuming that the public addressing has to include to the
PIX outside interfaces, but if this is so, how do you configure the
perimeter router?

thanks,

ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Oh yeah with the limited address space the correct term I meant to use
is PAT not to confuse anyone. The outside interface on the pix has 1
public and everyone gets NAT's to that one global address.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, November 18, 2002 9:27 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Brunner Joseph wrote:
> 
> You should use private addressing behind the pix and use static's from

> the /29 to map to Servers, etc. behind the pix.
> 
> Why would you ever want to put public ip's behind a pix ? especially 
> for a vpn ? Not cool. It makes it an easier target to spoof, as 
> apposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the
PIX. What addressing would you recommend for the LAN between the outside
interface of the PIX and the router, per this part of his drawing:

PIX1(outside)----(e0)R1(e1)--------INTERNET


By the way, he really did show R1 having an Ethernet interface out to
the Internet. I don't think it was a typo. In the case that came up last
week, this Ethernet than went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice?
This question came up last week too and the person never got a good
answer. I would answer it myself but I'm PIX and VPN challenged (but
learning! ;-)

Priscilla


> 
> Answering your original qwestion -
> 
> "If I'm provided a /29 address by my ISP for PIX1's site, then how 
> does the PIX1's outside and R1's ethernet addresses get provisioned 
> (same question for PIX2's site)?"
> 
> If you insist on using public's behind your pix, you get a /29 for 
> behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
> 
> The routers also should NEVER use UNNUMBERED !  How do you remote 
> manage the router if the Ethernet line proto is down ? Loopback ? You 
> wont have a public IP if your ISP skimps on Addresses.. I have seem 
> some whack configs where s0/0 is unnumbered, and the only
> routed block is on e0/0. Its not worth saving the /30 for added
> aggrevation.
> 
> "Are they bridged or unnumbered in some way?" the routers know nothing

> of your Site to Site VPN. They just route.. nuff said on that.
> 
> 
> "How do the
> PIX's use private addresses as for their crypto peer statements?"
> 
> They can't. Not unless you use "outside" nat on the rtr's something I 
> don't think you can or want to do.. Just use Publics all around for 
> your crypto peer statements.. I dont think you can do it anyother 
> way.. one creative way to do it, maybe, run a
> 
> GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 
> private class C's for in between router and pix on each side.
> 
> Just route everthing (which is also encrypted) thru the tunnel. have
> "NO NAT" on your pixes for internal stuff to go out of router on S0/0 
> (instead of "VPN" traffic which goes out TUNNEL0). this should make 
> your PIX's harder to attack, and if you want you can run nat on the 
> router for hosts, or have another nat proxy behind pix (either way, 
> pix wont do nat, with this "low-profile" config trick.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57669&t=57648
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Reply via email to