Edward Sohn wrote:
> 
> Perfect...
> 
> very interesting, indeed.  I have long wondered about this scenario, and
> have wondered how companies are implementing their site-to-site VPNs
> over the internet.  so you're saying (regarding your own roll out), that
> your ISP assigned you two address spaces and routed your /27 towards
> your perimeter router, right?  in any case, your scenario explains the
> answer to that particular example...however, new questions arise:
> 
> (1) if i DIDN'T decide to set up a GRE over the internet, then what
> other options do i have?  would a simple NAT on the perimeter routers
> suffice?  this would introduce dual-NAT, and i have heard that
> dual-NATing is less-than-desired in production due to performance
> issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

> 
> (2) if i wanted to use public addressing on the outsides of the PIX's,

Public addressing on the outsides of the PIXes seems to be the recommended
approach.

> then would i have to have two address spaces, as described in your own
> scenario?

You can make your own two address spaces. Perhaps you realize that, but I'm
wondering if maybe you haven't considered it?

You can do whatever you want with the /29 the provider gave you.
Unfortunately, it's not a very big address space, but it can still be
subdivided into two networks, one for the outside interface on the router
and one for the PIX(outside)----(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29.

You have the following addresses:

First subnet:
55.55.55.1 (binary of last octet is 0000 0001)
55.55.55.2 (binary of last octet is 0000 0010)
55.55.55.3 (binary of last octet is 0000 0011)

Second subnet:
55.55.55.4 (binary of last octet is 0000 0100)
55.55.55.5 (binary of last octet is 0000 0101)
55.55.55.6 (binary of last octet is 0000 0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have two
networks? Here's the addressing you can use:

PIX(outside) = 55.55.55.1 (also used by PAT)

Router (inside) = 55.55.55.2

Possible address for something else on that LAN = 55.55.55.3


Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

PIX's default route points to 55.55.55.2

Router's default route points to router at ISP.

ISP points everything that matches 55.55.55.0/29 to you. 

If for some reason this wouldn't work in your particular scenario or I
over-simplified to the point of not being helpful, I apologize! Hey, it's
free consulting and you get what you pay for. :-) Keep us posted so we can
all learn. Thanks.

Priscilla
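The split of the provider's /29 into two /30s described above can be checked with the Python standard library's ipaddress module. This is an added example, not code from the thread or from any of its posters; the 55.55.55.0/29 block and the role assignments (PIX outside, router inside, router outside, PIX default route) follow the plan in the message above, and the function names are my own. Beyond the thread's listing, the block also reports the mask and usable-host count of the /29 and the network and broadcast address of each /30, since those two addresses in every /30 cannot be assigned to a host.

```python
import ipaddress
from typing import Dict, List

# Provider block constructed for the example; it mirrors the 55.55.55.0/29
# used in the thread (hypothetical, not a real allocation).
PROVIDER_BLOCK = "55.55.55.0/29"


def last_octet_bits(addr: ipaddress.IPv4Address) -> str:
    """Render the last octet as the 'xxxx xxxx' binary form the thread uses."""
    bits = format(int(addr) & 0xFF, "08b")
    return bits[:4] + " " + bits[4:]


def describe_block(cidr: str) -> Dict[str, object]:
    """Mask, broadcast and usable-host count for a block.

    A /29 yields mask 255.255.255.248 and 6 usable host addresses
    (8 addresses minus network and broadcast).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
    }


def split_into_point_to_point(cidr: str) -> List[Dict[str, object]]:
    """Carve the block into /30s and list, for each, its network address,
    broadcast address and the two host addresses that can actually be
    assigned to an interface."""
    net = ipaddress.ip_network(cidr, strict=True)
    result = []
    for sub in net.subnets(new_prefix=30):
        hosts = list(sub.hosts())  # excludes network and broadcast for a /30
        result.append({
            "subnet": str(sub),
            "network": str(sub.network_address),
            "broadcast": str(sub.broadcast_address),
            "usable": [str(h) for h in hosts],
            "usable_bits": [last_octet_bits(h) for h in hosts],
        })
    return result


def plan_addressing(cidr: str) -> Dict[str, str]:
    """Assign the roles from the thread: the first /30 carries the
    PIX(outside)--Router(inside) LAN, the second /30 holds the router's
    outside interface toward the ISP. The PIX's default route points at
    the router's inside address."""
    first, second = split_into_point_to_point(cidr)[:2]
    return {
        "pix_outside": first["usable"][0],
        "router_inside": first["usable"][1],
        "router_outside": second["usable"][-1],
        "pix_default_route": first["usable"][1],
    }


if __name__ == "__main__":
    print("Provider block:", describe_block(PROVIDER_BLOCK))
    for sub in split_into_point_to_point(PROVIDER_BLOCK):
        print(sub["subnet"], "network", sub["network"],
              "broadcast", sub["broadcast"],
              "usable", sub["usable"], sub["usable_bits"])
    print("Plan:", plan_addressing(PROVIDER_BLOCK))
```

Running the block prints the two /30s (55.55.55.0/30 and 55.55.55.4/30) with their usable pairs, which is the quickest way to confirm which addresses are free for the PIX, the router and the ISP-facing interface before any of it is typed into a config.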

> can anyone think of any other options on the perimeter router?  like i
> said, bridging or unnumbered or something of the like?
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of
> Mark W. Odette II
> Sent: Monday, November 18, 2002 9:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> The only way that you could put private addresses on the OUTSIDE
> interface of the PIX (Site A), and still successfully set up a Tunnel to
> another PIX across the internet that is behind an edge router of your
> own control (Site B), is to build a GRE Tunnel between the Edge Routers.
> 
> EX:                         Public Addresses
> PIX1(outside)----(e0)R1(e1)-----INTERNET----(e1)R2(e0)-----(outside)PIX2
>       Pvt. Addresses      G  R  E  Tunnel         Pvt. Addresses
> 
> If you tried to set up NAT on the two Edge Routers to Static Translate
> for the PIX Hosts on their outside interfaces, the Tunnel would never
> establish.  Even though you would define the Crypto Peer as a public
> address, when the packet arrives at the far side, it would have the
> private address headers, and thus the tunnel would never come up, and is
> why you would need a GRE Tunnel between the two routers to use private
> addresses between the two PIXen end-points.
> 
> 
> I have set up the scenario you speak of in production, but the ISP
> assigned a /30 for the routers connecting to the ISP, AND they assigned
> /27's for the customer's own use.  So, with this, I configured the S0
> interfaces of each router as part of the /30's, and configured the Fa0
> interfaces of the Routers and the Pix Outside interfaces as hosts in the
> /27 blocks that were assigned to each site, while creating a PAT pool
> and NAT statics for appropriate hosts behind the PIX.  The "Inside"/DMZ
> side of the PIXen were configured with RFC1918 addresses.  Site to Site
> VPNs were established using the Public IP addresses on the "Outside"
> interface of each PIX.
> 
> HTH's
> Mark
> 
> -----Original Message-----
> From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 18, 2002 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> thanks for your help, elijah...however, i think you are still missing the
> full point of my question...i am looking for a complete solution rather
> than just 'what's possible' at different points in the network.
> 
> i did mean to use a /29 in my example.  i used that b/c if i was only
> given one IP address from my ISP, and used it for the outside interface
> of the PIX (as you suggested), then how do i configure the perimeter
> router?  what IP addresses does that use?
> 
> let's go with this example to answer my question for now--with using
> public addresses.  just fyi, however, here is a diagram on CCO which
> uses private addressing on the outside interface of the PIX in a VPN
> solution (doesn't show the perimeter routers, though)...
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: Elijah Savage III [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 18, 2002 8:13 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> You have to use the public ip addresses as I stated in my last email;
> private is non-routable on the net, though I have seen sprint route
> private by mistake from time to time :)
> 
> But that is not what confused me; what is confusing me is your ip
> addressing problem. Do you have one? A /29 is a 255.255.255.248 subnet
> mask which will give you 6 usable addresses. So I am not sure I see a
> problem unless you want to use private on the outside, then yes you have
> a problem.
> 
> -----Original Message-----
> From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 18, 2002 10:50 PM
> To: Elijah Savage III; [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> okay, i should have explained better...sorry
> 
> let's break my point down to a digestible limit...
> 
> at this point i want to know how to set up the site-to-site VPN tunnel
> between the two PIX's, if i use private addressing on the outside
> interfaces of the PIX's.
> 
> if both of the outside interfaces of the PIX's use 192.168.x.x
> addresses, then what is the address i would use in the 'crypto map peer'
> statement?  if it's the 192.168.x.x address of the other PIX's outside
> interface, how does the PIX know how to get there?  you follow?
> 
> the perimeter router doesn't route private addresses, so how would it
> know how to get to the other PIX?
> 
> that's why i'm assuming that the public addressing has to include the
> PIX outside interfaces, but if this is so, how do you configure the
> perimeter router?
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of
> Elijah Savage III
> Sent: Monday, November 18, 2002 7:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> Oh yeah, with the limited address space the correct term I meant to use
> is PAT, not to confuse anyone. The outside interface on the pix has 1
> public and everyone gets NATed to that one global address.
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> Brunner Joseph wrote:
> > 
> > You should use private addressing behind the pix and use statics from
> > the /29 to map to Servers, etc. behind the pix.
> > 
> > Why would you ever want to put public ip's behind a pix ? especially
> > for a vpn ? Not cool. It makes it an easier target to spoof, as
> > opposed to RFC1918 addresses.
> 
> I don't think he was suggesting using public IP addresses behind the
> PIX. What addressing would you recommend for the LAN between the outside
> interface of the PIX and the router, per this part of his drawing:
> 
> PIX1(outside)----(e0)R1(e1)--------INTERNET
> 
> 
> By the way, he really did show R1 having an Ethernet interface out to
> the Internet. I don't think it was a typo. In the case that came up last
> week, this Ethernet then went to a wireless WAN of some sort.
> 
> Could you take another look at the question and give us some advice?
> This question came up last week too and the person never got a good
> answer. I would answer it myself but I'm PIX and VPN challenged (but
> learning! ;-)
> 
> Priscilla
> 
> 
> > 
> > Answering your original question -
> > 
> > "If I'm provided a /29 address by my ISP for PIX1's site, then how
> > does the PIX1's outside and R1's ethernet addresses get provisioned
> > (same question for PIX2's site)?"
> > 
> > If you insist on using publics behind your pix, you get a /29 for
> > behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
> > 
> > The routers also should NEVER use UNNUMBERED !  How do you remote
> > manage the router if the Ethernet line proto is down ? Loopback ? You
> > won't have a public IP if your ISP skimps on Addresses.. I have seen
> > some whack configs where s0/0 is unnumbered, and the only routed block
> > is on e0/0. It's not worth saving the /30 for added aggravation.
> > 
> > "Are they bridged or unnumbered in some way?" the routers know nothing
> > of your Site to Site VPN. They just route.. nuff said on that.
> > 
> > 
> > "How do the PIX's use private addresses as for their crypto peer
> > statements?"
> > 
> > They can't. Not unless you use "outside" nat on the rtr's, something I
> > don't think you can or want to do.. Just use Publics all around for
> > your crypto peer statements.. I don't think you can do it any other
> > way.. one creative way to do it, maybe, run a
> > 
> > GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24
> > private class C's for in between router and pix on each side.
> > 
> > Just route everything (which is also encrypted) thru the tunnel. have
> > "NO NAT" on your pixes for internal stuff to go out of router on S0/0
> > (instead of "VPN" traffic which goes out TUNNEL0). this should make
> > your PIX's harder to attack, and if you want you can run nat on the
> > router for hosts, or have another nat proxy behind pix (either way,
> > pix won't do nat, with this "low-profile" config trick).
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57743&t=57648
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
