Aaron,
Thanks for a very clear answer.  
There are no devices in front of the PIXs, and each site is a broadband
cable connection with only 384K up and 1.5Mb down, so bandwidth could be
an issue but I don't expect there to be a lot of traffic between sites.
We are a non-profit, mostly running housing and other services for
people with disabilities and rely mostly on state and federal funding,
so as you can imagine these days our budget is extremely small. I don't
believe we would be able to obtain any new equipment.

I'll have to educate myself on "hairpinning" and see if that is
something I want to do and can do on a PIX.

We do sometimes qualify for very steep discounts on Cisco equipment
(it's more like a donation with a 10% administrative fee), so it may be
possible for me to replace the PIXs in 2009.
Ralph Smith
Gateway Community Industries
845-331-1261 x234
________________________________

From: Aaron T. Rohyans [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 10:33 AM
To: NT System Admin Issues
Subject: RE: VPN and Routing Question
RIP will not work across an IPSec VPN as it uses broadcast/multicast -
you'd have to set up unicast neighbor statements (but now that I think
about it, this may not be possible on the PIX).  You'll have to use
static routes to point each branch to the Hub when trying to reach other
branches.  You'll also need some special config on your Hub
router/firewall to allow VPN "hairpinning" (VPN traffic entering the
outside interface, looping, and exiting the same interface).
This also assumes your Hub site has enough bandwidth provisioned to
service all your branch sites accessing other remote sites through it.
What kind of device sits in front of the PIXs at each location?  What
kind of connection is it at each site?
Depending on your budget, number of branches, and your personal
investment - you could look at DMVPN as an option.  Dynamic Multipoint
VPN essentially allows dynamic IPSec VPN tunnels to be built on the fly
between branches - eliminating the need for traffic to traverse the hub
(and thus consume bandwidth).  Not to mention other benefits, such as
the ability to run routing protocols, reduce configuration on the
hub/spoke, and (b/c DMVPN relies on GREoIPSec) the ability to send
multicast/broadcast traffic across the tunnels.

Aaron Rohyans 
IT Coordinator, IDC-USA 
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>  
317.244.8307 (V) 
317.244.4600 (F) 
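
As an added illustration (not from this thread, and not Cisco's own tooling), a small Python planner for the static hub-and-spoke design described above: it counts the tunnels a full mesh would need versus hub-and-spoke, lists the crypto ACL ("interesting traffic") entries each peer needs so branch-to-branch traffic enters the tunnel to the hub and is matched again on the hub's hairpin leg, and checks that both ends' entries mirror each other. The topology and the PIX-style access-list output format are assumptions made for the example.

```python
"""Planning helper for hub-and-spoke site-to-site IPSec between PIX-style
firewalls: tunnel counts, the 'interesting traffic' (crypto ACL) entries each
peer needs so branch-to-branch traffic actually enters the tunnels, and a
mirror check for the hub's hairpin leg. Topology values are constructed."""
import ipaddress

# Constructed topology (private nets, not the thread's real sites).
HUB = ("main", "10.0.0.0/24")
BRANCHES = [("branch-a", "10.0.1.0/24"),
            ("branch-b", "10.0.2.0/24"),
            ("branch-c", "10.0.3.0/24")]

def tunnel_count(n_sites, full_mesh):
    """IPSec tunnels to build: n(n-1)/2 for a full mesh, n-1 for hub-and-spoke."""
    return n_sites * (n_sites - 1) // 2 if full_mesh else n_sites - 1

def hub_and_spoke_policy(hub, branches):
    """Return {site: [(peer, src_net, dst_net), ...]} where branches reach each
    other through the hub.
    Spoke: local net -> hub net and every other branch net, all via the hub peer.
    Hub:   hub net and every other branch net -> that spoke, on that spoke's tunnel
           (the hairpin leg: transit traffic enters on one spoke's tunnel and must
           match the ACL of another tunnel on the same outside interface)."""
    hub_name, hub_net = hub
    policy = {hub_name: []}
    for name, net in branches:
        others = [o for n, o in branches if n != name]
        policy[name] = [(hub_name, net, hub_net)] + [(hub_name, net, o) for o in others]
        policy[hub_name] += [(name, hub_net, net)] + [(name, o, net) for o in others]
    return policy

def policies_mirror(policy, hub_name):
    """Phase 2 proxy IDs must match on both ends: every spoke entry (src, dst)
    must appear on the hub's tunnel to that spoke as (dst, src), and vice versa."""
    hub_side = {(peer, d, s) for peer, s, d in policy[hub_name]}
    spoke_side = {(site, s, d) for site, entries in policy.items()
                  if site != hub_name for _peer, s, d in entries}
    return hub_side == spoke_side

def render_acl(name, entries):
    """Render entries as PIX 6.x-style access-list lines (format assumed, illustrative)."""
    lines = []
    for _peer, s, d in entries:
        src, dst = ipaddress.ip_network(s), ipaddress.ip_network(d)
        lines.append(f"access-list {name} permit ip {src.network_address} {src.netmask} "
                     f"{dst.network_address} {dst.netmask}")
    return lines
```

Note that every branch added to the hub-and-spoke design adds an entry to every other spoke's ACL and to the hub's tunnel for each spoke, which is the per-branch configuration growth that DMVPN's dynamic tunnels and routing protocols avoid.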

________________________________

From: Ralph Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 9:50 AM
To: NT System Admin Issues
Subject: VPN and Routing Question
I have several branch offices connected to our main offices with site to
site VPNs.  Each location has a PIX 506E.  This has worked great with
never any problems.  Now, however, I am getting some employees who work
at more than one branch office, and they are requesting the ability to
access files at their other offices no matter which one they are in.

I could set up VPNs between the branch offices, but this could get
quickly out of hand.

If I turn on RIP on all the PIXs, will that work to enable communication
between all the branch offices over the VPNs through the PIX at the main
office?
Ralph Smith
Gateway Community Industries
845-331-1261 x234
Confidentiality Notice:

******************

This communication, including any attachments, may contain confidential
information and is intended only for the individual or entity to whom it
is addressed. Any review, dissemination, or copying of this
communication by anyone other than the intended recipient is strictly
prohibited. If you are not the intended recipient, please contact the
sender by reply email, delete and destroy all copies of the original
message.