That is basically what I was saying in my email that he had 6 addresses
to use so I am confused why there even needs to be another solution.
Making it a lot harder than what it has to be.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 19, 2002 8:10 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]


Edward Sohn wrote:
> 
> Perfect...
> 
> very interesting, indeed.  I have long wondered about this scenario,
> and have wondered how companies are implementing their site-to-site
> VPN's over the internet.  so you're saying (regarding your own roll
> out), that your ISP assigned you two address spaces and routed your /27
> towards your perimeter router, right?  in any case, your scenario
> explains the answer to that particular example...however, new questions
> arise:
> 
> (1) if i DIDN'T decide to set up a GRE over the internet, then what
> other options do i have?  would a simple NAT on the perimeter routers
> suffice?  this would introduce dual-NAT, and i have heard that
> dual-NATing is less-than-desired in production due to performance
> issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

> 
> (2) if i wanted to use public addressing on the outsides of the PIX's,

Public addressing on the outsides of the PIXes seems to be the
recommended approach.

> then would i have to have two address spaces, as described in your own
> scenario?

You can make your own two address spaces. Perhaps you realize that, but
I'm wondering if maybe you haven't considered it?

You can do whatever you want with the /29 the provider gave you.
Unfortunately, it's not a very big address space, but it can still be
subdivided into two networks, one for the outside interface on the
router and one for the PIX(outside)----(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29.

You have the following addresses:

First subnet:
55.55.55.1 (binary of last octet is 0000 0001)
55.55.55.2 (binary of last octet is 0000 0010)
55.55.55.3 (binary of last octet is 0000 0011)

Second subnet:
55.55.55.4 (binary of last octet is 0000 0100)
55.55.55.5 (binary of last octet is 0000 0101)
55.55.55.6 (binary of last octet is 0000 0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have
two networks? Here's the addressing you can use:

PIX(outside) = 55.55.55.1 (also used by PAT)

Router (inside) = 55.55.55.2

Possible address for something else on that LAN = 55.55.55.3


Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

PIX's default route points to 55.55.55.2

Router's default route points to router at ISP.

ISP points everything that matches 55.55.55.0/29 to you. 

If for some reason this wouldn't work in your particular scenario or I
over-simplified to the point of not being helpful, I apologize! Hey,
it's free consulting and you get what you pay for. :-) Keep us posted so
we can all learn. Thanks.

Priscilla
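Editor-added worked example, not code from anyone in this thread: it uses Python's standard ipaddress module to carve the 55.55.55.0/29 above into /30s, list the assignable hosts in each, and check the proposed role-to-address plan, reporting any address that lands on a /30's network or broadcast address rather than on a host. The role labels and the plan dictionary are constructed from the addresses in the message.

```python
"""Carve a provider /29 into /30s and check an address plan against them.
Editor-added example, not code from anyone in this thread (stdlib only).
The 55.55.55.0/29 block and role assignments come from the message above;
the plan dictionary and the validator are constructed here.
"""
from ipaddress import IPv4Address, IPv4Network

PROVIDER_BLOCK = IPv4Network("55.55.55.0/29")

# Proposed plan (constructed from the addresses in the message): role -> IP.
PROPOSED_PLAN = {
    "PIX outside (also PAT address)": "55.55.55.1",
    "Router inside": "55.55.55.2",
    "Spare on PIX/router LAN": "55.55.55.3",
    "Router outside (to ISP)": "55.55.55.6",
}

def split_into_subnets(block, new_prefix=30):
    """Return the /30s carved out of the block, lowest first."""
    return list(block.subnets(new_prefix=new_prefix))

def usable_hosts(subnet):
    """Assignable hosts: every address except network and broadcast."""
    return list(subnet.hosts())

def validate_plan(block, plan):
    """Map each role to 'ok', 'network', 'broadcast' or 'outside'.
    A /30's network or broadcast address cannot go on an interface."""
    subnets = split_into_subnets(block)
    verdicts = {}
    for role, addr_str in plan.items():
        addr = IPv4Address(addr_str)
        verdict = "outside"  # not within the provider block at all
        for subnet in subnets:
            if addr in subnet:
                if addr == subnet.network_address:
                    verdict = "network"
                elif addr == subnet.broadcast_address:
                    verdict = "broadcast"
                else:
                    verdict = "ok"
                break
        verdicts[role] = verdict
    return verdicts

if __name__ == "__main__":
    for s in split_into_subnets(PROVIDER_BLOCK):
        print(s, "usable:", [str(h) for h in usable_hosts(s)])
    for role, verdict in validate_plan(PROVIDER_BLOCK, PROPOSED_PLAN).items():
        print(f"{role:32} {PROPOSED_PLAN[role]:12} {verdict}")
```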

> can anyone think of any other options on the perimeter router?  like i
> said, bridging or unnumbered or something of the like?
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
> Of Mark W. Odette II
> Sent: Monday, November 18, 2002 9:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> The only way that you could put private addresses on the OUTSIDE
> interface of the PIX (Site A), and still successfully set up a Tunnel
> to another PIX across the internet that is behind an edge router of
> your own control (Site B), is to build a GRE Tunnel between the Edge
> Routers.
> 
> EX:                         Public Addresses
>
> PIX1(outside)----(e0)R1(e1)-----INTERNET----(e1)R2(e0)-----(outside)PIX2
>       Pvt. Addresses      G  R  E  Tunnel         Pvt. Addresses
> 
> If you tried to set up NAT on the two Edge Routers to Static Translate
> for the PIX Hosts on their outside interfaces, the Tunnel would never
> establish.  Even though you would define the Crypto Peer as a public
> address, when the packet arrives at the far side, it would have the
> private address headers, and thus the tunnel would never come up, and
> is why you would need a GRE Tunnel between the two routers to use
> private addresses between the two PIXen end-points.
> 
> 
> I have set up the scenario you speak of in production, but the ISP
> assigned a /30 for the routers connecting to the ISP, AND they assigned
> /27's for the customer's own use.  So, with this, I configured the S0
> interfaces of each router as part of the /30's, and configured the Fa0
> interfaces of the Routers and the Pix Outside interfaces as hosts in the
> /27 blocks that were assigned to each site, while creating a PAT pool
> and NAT statics for appropriate hosts behind the PIX.  The "Inside"/DMZ
> side of the PIXen were configured with RFC1918 addresses.  Site to Site
> VPN's were established using the Public IP addresses on the "Outside"
> interface of each PIX.
> 
> HTH's
> Mark
> 
> -----Original Message-----
> From: Edward Sohn [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> thanks for your help, elijah...however, i think you are still missing
> the full point of my question...i am looking for a complete solution
> rather than just 'what's possible' at different points in the network.
> 
> i did mean to use a /29 in my example.  i used that b/c if i was only
> given one IP address from my ISP, and used it for the outside interface
> of the PIX (as you suggested), then how do i configure the perimeter
> router?  what IP addresses does that use?
> 
> let's go with this example to answer my question for now--with using
> public addresses.  just fyi, however, here is a diagram on CCO which
> uses private addressing on the outside interface of the PIX in a VPN
> solution (doesn't show the perimeter routers, though)...
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 8:13 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> You have to use the public ip addresses as I stated in my last email;
> private is non-routable on the net, though I have seen sprint route
> private by mistake from time to time :)
> 
> But that is not what confused me, what is confusing me is your ip
> addressing problem, do you have one? A /29 is a 255.255.255.248 subnet
> mask which will give you 6 usable addresses. So I am not sure I see a
> problem unless you want to use private on the outside, then yes you have
> a problem.
> 
> -----Original Message-----
> From: Edward Sohn [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 10:50 PM
> To: Elijah Savage III; [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> okay, i should have explained better...sorry
> 
> let's break my point down to a digestible limit...
> 
> at this point i want to know how to set up the site-to-site VPN tunnel
> between the two PIX's, if i use private addressing on the outside
> interfaces of the PIX's.
> 
> if both of the outside interfaces of the PIX's use 192.168.x.x
> addresses, then what is the address i would use in the 'crypto map
> peer' statement?  if it's the 192.168.x.x address of the other PIX's
> outside interface, how does the PIX know how to get there?  you follow?
> 
> the perimeter router doesn't route private addresses, so how would it
> know how to get to the other PIX?
> 
> that's why i'm assuming that the public addressing has to include the
> PIX outside interfaces, but if this is so, how do you configure the
> perimeter router?
> 
> thanks,
> 
> ed
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
> Of Elijah Savage III
> Sent: Monday, November 18, 2002 7:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> Oh yeah with the limited address space the correct term I meant to use
> is PAT, not to confuse anyone. The outside interface on the pix has 1
> public and everyone gets NAT'd to that one global address.
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
> 
> 
> Brunner Joseph wrote:
> > 
> > You should use private addressing behind the pix and use statics from
> > the /29 to map to Servers, etc. behind the pix.
> > 
> > Why would you ever want to put public ip's behind a pix ? especially
> > for a vpn ? Not cool. It makes it an easier target to spoof, as
> > opposed to RFC1918 addresses.
> 
> I don't think he was suggesting using public IP addresses behind the
> PIX. What addressing would you recommend for the LAN between the outside
> interface of the PIX and the router, per this part of his drawing:
> 
> PIX1(outside)----(e0)R1(e1)--------INTERNET
> 
> 
> By the way, he really did show R1 having an Ethernet interface out to
> the Internet. I don't think it was a typo. In the case that came up last
> week, this Ethernet then went to a wireless WAN of some sort.
> 
> Could you take another look at the question and give us some advice?
> This question came up last week too and the person never got a good
> answer. I would answer it myself but I'm PIX and VPN challenged (but
> learning! ;-)
> 
> Priscilla
> 
> 
> > 
> > Answering your original question -
> > 
> > "If I'm provided a /29 address by my ISP for PIX1's site, then how
> > does the PIX1's outside and R1's ethernet addresses get provisioned
> > (same question for PIX2's site)?"
> > 
> > If you insist on using publics behind your pix, you get a /29 for
> > behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE.
> > 
> > The routers also should NEVER use UNNUMBERED !  How do you remote
> > manage the router if the Ethernet line proto is down ? Loopback ? You
> > won't have a public IP if your ISP skimps on Addresses.. I have seen
> > some whack configs where s0/0 is unnumbered, and the only routed block
> > is on e0/0. It's not worth saving the /30 for added aggravation.
> > 
> > "Are they bridged or unnumbered in some way?" the routers know nothing
> > of your Site to Site VPN. They just route.. nuff said on that.
> > 
> > 
> > "How do the
> > PIX's use private addresses as for their crypto peer statements?"
> > 
> > They can't. Not unless you use "outside" nat on the rtr's, something I
> > don't think you can or want to do.. Just use Publics all around for
> > your crypto peer statements.. I don't think you can do it any other
> > way.. one creative way to do it, maybe, run a
> > 
> > GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24
> > private class C's for in between router and pix on each side.
> > 
> > Just route everything (which is also encrypted) thru the tunnel. have
> > "NO NAT" on your pixes for internal stuff to go out of router on S0/0
> > (instead of "VPN" traffic which goes out TUNNEL0). this should make
> > your PIX's harder to attack, and if you want you can run nat on the
> > router for hosts, or have another nat proxy behind pix (either way,
> > pix won't do nat, with this "low-profile" config trick).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57745&t=57648