In-Line... Perfect...
very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPN's over the internet. so you're saying (regarding your own roll out), that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right? in any case, your scenario explains the answer to that particular example...however, new questions arise: (1) if i DIDN'T decide to set up a GRE over the internet, then what other options do i have? would a simple NAT on the perimeter routers suffice? this would introduce dual-NAT, and i have heard that dual-NATing is less-than-desired in production due to performance issues. No. The pix does not work like most VPN/IPSEC/NAT Devices. You have to have routable addresses on the pix outside. (maybe some CCIE SECURITY will chime in). Its helps for "surf the web" bit in addition to your VPN, you have public ip on the OUTSIDE of the pix (prevent the edge routers from DOING NAT, which they should not have to here). Based on your original post, I was assuming you were talking about going the public internet for you Site-to-Site VPN ? well that is about the only reason I could see doing all this for. (2) if i wanted to use public addressing on the outsides of the PIX's, then would i have to have two address spaces, as described in your own scenario? can anyone think of any other options on the perimeter router? like i said, bridging or unnumbered or something of the like? You will not run bridging first of all. (unless you want both pixes at both sites to be on 1 "lan"). This probably won't work. Unless your NOT providing Internet access, (seperate) at both sites. It will work if you want one site ONLY to be the "internet gateway site" or something, for a central point of security, whatever. It will also cause you to have the same public block at both sites. Not going to happen, with any carriers I have seen. One block, One T-1, One Location. Also forget the unnumbered. Bad Operational mistake, invented by lazy ISP's to conserve a /30. Does not provide any security, locks your out of the router for basic troubleshooting if your eth INT has no lineproto. You should do this (per 2 year experience with PIX VPN) SITE A PUBLIC INET SITE B PIX A(PUBLIC IP)(RTRA)(PUBLIC IP)(PUBLIC IP)(RTRB)(PUBLIC IP)PIX B Your crypto peer statements reflect the Opposite Pix's Public IP. (make sure you "isakmp enable outside" etc... Your Internet access at either site, will come from a global overload (pat) statement for the pixes, on the Interface or another IP in your routed block. FYI don't try the GRE tunnel trick.. had someproblems with fragmentation of IPSEC packets, speed issues, etc... also your edge routers will have to run NAT to get those private tunneled outside IP's to the NET for surf access. thanks, ed Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57680&t=57648 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
