RE: PIX site-to-site VPN question... [7:57648]
Edward Sohn wrote:

> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet. So you're saying (regarding your own roll-out) that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right? In any case, your scenario explains the answer to that particular example... however, new questions arise:
>
> (1) If I DIDN'T decide to set up a GRE over the internet, then what other options do I have? Would a simple NAT on the perimeter routers suffice? This would introduce dual NAT, and I have heard that dual NATing is less than desired in production due to performance issues.

Double NATing doesn't sound like a good idea and shouldn't be necessary.

> (2) If I wanted to use public addressing on the outsides of the PIX's,

Public addressing on the outsides of the PIXes seems to be the recommended approach.

> then would I have to have two address spaces, as described in your own scenario?

You can make your own two address spaces. Perhaps you realize that, but I'm wondering if maybe you haven't considered it? You can do whatever you want with the /29 the provider gave you. Unfortunately, it's not a very big address space, but it can still be subdivided into two networks, one for the outside interface on the router and one for the PIX(outside)----(inside)Router LAN.

As an example, let's say the provider provided 55.55.55.0/29. You have the following addresses:

First subnet:
  55.55.55.1 (binary of last octet is 0001)
  55.55.55.2 (binary of last octet is 0010)
  55.55.55.3 (binary of last octet is 0011)

Second subnet:
  55.55.55.4 (binary of last octet is 0100)
  55.55.55.5 (binary of last octet is 0101)
  55.55.55.6 (binary of last octet is 0110)

So do you see that with a subnet mask of 255.255.255.252 (/30), you have two networks?

Here's the addressing you can use:

  PIX (outside) = 55.55.55.1 (also used by PAT)
  Router (inside) = 55.55.55.2
  Possible address for something else on that LAN = 55.55.55.3
  Router (outside) = 55.55.55.6

Unfortunately, some addresses get wasted on that subnet.

The PIX's default route points to 55.55.55.2. The router's default route points to the router at the ISP. The ISP points everything that matches 55.55.55.0/29 to you.

If for some reason this wouldn't work in your particular scenario or I over-simplified to the point of not being helpful, I apologize! Hey, it's free consulting and you get what you pay for. :-)

Keep us posted so we can all learn.

Thanks.

Priscilla

> Can anyone think of any other options on the perimeter router? Like I said, bridging or unnumbered or something of the like?
>
> thanks,
> ed
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
> Sent: Monday, November 18, 2002 9:19 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE tunnel between the edge routers.
>
> EX:
>
>                                 Public Addresses
>     PIX1(outside)---(e0)R1(e1)---INTERNET---(e1)R2(e0)---(outside)PIX2
>     Pvt. Addresses      |---------- G R E  Tunnel ----------|      Pvt. Addresses
>
> If you tried to set up NAT on the two edge routers to static translate for the PIX hosts on their outside interfaces, the tunnel would never establish. Even though you would define the crypto peer as a public address, when the packet arrives at the far side it would have the private address headers, and thus the tunnel would never come up, and is why you would need a GRE tunnel between the two routers to use private addresses between the two PIXen end-points.
>
> I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the routers and the PIX outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site-to-site VPNs were established using the public IP addresses on the outside interface of each PIX.
>
> HTH's
> Mark
>
> -----Original Message-----
> From: Edward Sohn [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 10:13 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> Thanks for your help, Elijah... however, I think you are still missing the full point of my question... I am looking for a complete
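Priscilla's carve-up of the /29 above, as an added example that is not part of the thread: the Python below uses the standard library's ipaddress module to split a provider /29 into the two /30s, hand out the roles from her message, list the three static routes she describes, and check the pair of PIX outside addresses that would go into each PIX's 'crypto map ... set peer' against the rule the rest of the thread converges on (the peer must be a globally routable address, not RFC1918, unless a GRE tunnel between the routers carries it). It applies strict /30 semantics, so .3 and .7 are broadcast addresses and are not assigned; the ISP's end of the second /30 at .5 and the far site's block 77.77.77.0/29 are assumptions for illustration, not anything the thread states.

```python
import ipaddress

# Constructed sample input: the /29 from the thread plus a hypothetical /29
# for the far site. Neither is a real allocation.
SITE_A_BLOCK = "55.55.55.0/29"
SITE_B_BLOCK = "77.77.77.0/29"

# RFC1918 space, checked explicitly so the report can say why a peer fails.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def carve_site_plan(block):
    """Split one provider /29 into two /30s and hand out the roles from the thread.

    Strict /30 semantics: each /30 has two host addresses, so the .3 and .7
    addresses remain broadcast addresses and are not assigned.
      first /30  -> PIX outside (also the PAT address) and the router's inside
      second /30 -> the router's outside and (assumed) the ISP's end of that link
    """
    net = ipaddress.ip_network(block)
    if net.prefixlen != 29:
        raise ValueError(f"expected a /29, got {net}")
    lan, wan = net.subnets(new_prefix=30)
    lan_hosts, wan_hosts = list(lan.hosts()), list(wan.hosts())
    return {
        "block": net,
        "lan_subnet": lan,               # 55.55.55.0/30 for the sample block
        "wan_subnet": wan,               # 55.55.55.4/30
        "pix_outside": lan_hosts[0],     # 55.55.55.1
        "router_inside": lan_hosts[1],   # 55.55.55.2
        "isp_side": wan_hosts[0],        # 55.55.55.5 (assumption)
        "router_outside": wan_hosts[1],  # 55.55.55.6
    }


def routes_for_site(plan):
    """The three static routes the thread describes: (device, destination, next hop)."""
    default = ipaddress.ip_network("0.0.0.0/0")
    return [
        ("PIX", default, plan["router_inside"]),         # PIX default -> router inside
        ("router", default, plan["isp_side"]),           # router default -> ISP
        ("ISP", plan["block"], plan["router_outside"]),  # ISP sends the /29 to you
    ]


def check_crypto_peers(peer_a, peer_b):
    """Return the problems with using these two addresses as each PIX's IPsec peer.

    An empty list means both addresses are globally routable and distinct,
    which is the thread's condition for the tunnel to come up without a GRE
    tunnel between the perimeter routers.
    """
    a = ipaddress.ip_address(str(peer_a))
    b = ipaddress.ip_address(str(peer_b))
    problems = []
    for label, addr in (("site A", a), ("site B", b)):
        if any(addr in net for net in RFC1918):
            problems.append(f"{label} peer {addr} is RFC1918; the perimeter "
                            "router and the ISP have no route to it")
        elif not addr.is_global:
            problems.append(f"{label} peer {addr} is not globally routable")
    if a == b:
        problems.append("both sites use the same peer address")
    return problems


if __name__ == "__main__":
    site_a, site_b = carve_site_plan(SITE_A_BLOCK), carve_site_plan(SITE_B_BLOCK)
    for name, plan in (("A", site_a), ("B", site_b)):
        print(f"site {name}: PIX outside {plan['pix_outside']}, "
              f"router inside {plan['router_inside']}, "
              f"router outside {plan['router_outside']}")
        for device, dest, next_hop in routes_for_site(plan):
            print(f"  {device:7}{str(dest):18} -> {next_hop}")
    print("public peers :", check_crypto_peers(site_a["pix_outside"],
                                              site_b["pix_outside"]) or "ok")
    print("private peers:", check_crypto_peers("192.168.1.1", "192.168.2.1"))
```

Running it with the two sample blocks reports an empty problem list for the public pair 55.55.55.1 / 77.77.77.1 and two RFC1918 problems for the 192.168.x.x pair, which is the case Ed asks about further down the page.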
RE: PIX site-to-site VPN question... [7:57648]
That is basically what I was saying in my email, that he had 6 addresses to use, so I am confused why there even needs to be another solution. Making it a lot harder than what it has to be.

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 8:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> [...]
RE: PIX site-to-site VPN question... [7:57648]
Elijah Savage III wrote:

> That is basically what I was saying in my email, that he had 6 addresses to use, so I am confused why there even needs to be another solution.

You didn't say how he would use the 6 addresses. I thought it needed spelling out.

> Making it a lot harder than what it has to be.

It's not hard, which may be your point. It's very simple if what I'm suggesting actually works. But maybe there are some gotchas I don't know about.

The point that was missing in our discussion before was that there are multiple networks using the public addresses. I don't think anyone understood why he was asking about bridging. He will need bridging if he doesn't subdivide his address space. I simply told him how to subdivide it.

I didn't mean to step on your toes or imply your answers were wrong.

Priscilla

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 8:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> [...]
RE: PIX site-to-site VPN question... [7:57648]
You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.

Answering your original question:

> If I'm provided a /29 address by my ISP for PIX1's site, then how does the PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)?

If you insist on using publics behind your PIX, you get a /29 for behind, and 2 /30's: one for PIX to RTR and one for RTR to ISP edge. The routers also should NEVER use UNNUMBERED! How do you remote manage the router if the Ethernet line proto is down? Loopback? You won't have a public IP if your ISP skimps on addresses.. I have seen some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. It's not worth saving the /30 for the added aggravation.

> Are they bridged or unnumbered in some way?

The routers know nothing of your site-to-site VPN. They just route.. nuff said on that.

> How do the PIX's use private addresses as for their crypto peer statements?

They can't. Not unless you use outside NAT on the rtrs, something I don't think you can or want to do.. Just use publics all around for your crypto peer statements.. I don't think you can do it any other way..

One creative way to do it, maybe: run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class C's for in between router and PIX on each side. Just route everything (which is also encrypted) thru the tunnel. Have NO NAT on your PIXes for internal stuff to go out of the router on S0/0 (instead of VPN traffic, which goes out TUNNEL0). This should make your PIXes harder to attack, and if you want you can run NAT on the router for hosts, or have another NAT proxy behind the PIX (either way, the PIX won't do NAT, with this low-profile config trick).
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57654t=57648 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX site-to-site VPN question... [7:57648]
Brunner Joseph wrote:

> You should use private addressing behind the PIX and use statics from the /29 to map to servers, etc. behind the PIX. Why would you ever want to put public IPs behind a PIX? Especially for a VPN? Not cool. It makes it an easier target to spoof, as opposed to RFC1918 addresses.

I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing:

    PIX1(outside)---(e0)R1(e1)---INTERNET

By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. In the case that came up last week, this Ethernet then went to a wireless WAN of some sort.

Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-)

Priscilla

> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57656t=57648
RE: PIX site-to-site VPN question... [7:57648]
Well, I am a little confused by the question, call me stupid :) But he can use public or private on that link; if he uses private, just NAT on the PIX. VPN to VPN will still work with NAT in place.

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57662t=57648
RE: PIX site-to-site VPN question... [7:57648]
Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57663t=57648
RE: PIX site-to-site VPN question... [7:57648]
Elijah Savage III wrote:

> Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.

So, use public addressing on the PIX(outside)----router link. In the previous message you said he could use either, but it will make things easier if he uses public on that link and private on the ---(inside)PIX link, eh?

Sorry if I'm being dim-witted. :-)

Priscilla

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 18, 2002 9:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PIX site-to-site VPN question... [7:57648]
>
> [...]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57664t=57648
RE: PIX site-to-site VPN question... [7:57648]
Yes, He should use public on the outside link and then private on the inside the setup would be much easier that way. NAT or PAT on a pix is so easy. And I had a slight brain fart he can't use private on the outside. The reason being because of the peer addressing that has to go on the pix for the vpn tunnel. So of course if he used private there is no way site A can talk to site B across the internet. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] Sent: Monday, November 18, 2002 10:27 PM To: [EMAIL PROTECTED] Subject: RE: PIX site-to-site VPN question... [7:57648] Elijah Savage III wrote: Oh yeah with the limited address space the correct term I meant to use is PAT not to confuse anyone. The outside interface on the pix has 1 public and everyone gets NAT's to that one global address. So, use public addressing on the PIX(outside)-router link. In the previous message you said he could use either, but it will make things easier if he uses public on that link and private on the ---(inside)PIX link, eh? Sorry, if I'm being dim-witted. :-) Priscilla -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] Sent: Monday, November 18, 2002 9:27 PM To: [EMAIL PROTECTED] Subject: RE: PIX site-to-site VPN question... [7:57648] Brunner Joseph wrote: You should use private addressing behind the pix and use static's from the /29 to map to Servers, etc. behind the pix. Why would you ever want to put public ip's behind a pix ? especially for a vpn ? Not cool. It makes it an easier target to spoof, as apposed to RFC1918 addresses. I don't think he was suggesting using public IP addresses behind the PIX. What addressing would you recommend for the LAN between the outside interface of the PIX and the router, per this part of his drawing: PIX1(outside)(e0)R1(e1)INTERNET By the way, he really did show R1 having an Ethernet interface out to the Internet. I don't think it was a typo. 
In the case that came up last week, this Ethernet than went to a wireless WAN of some sort. Could you take another look at the question and give us some advice? This question came up last week too and the person never got a good answer. I would answer it myself but I'm PIX and VPN challenged (but learning! ;-) Priscilla Answering your original qwestion - If I'm provided a /29 address by my ISP for PIX1's site, then how does the PIX1's outside and R1's ethernet addresses get provisioned (same question for PIX2's site)? If you insist on using public's behind your pix, you get a /29 for behind, and 2 /30's. One for Pix to RTR and one for RTR to ISP EDGE. The routers also should NEVER use UNNUMBERED ! How do you remote manage the router if the Ethernet line proto is down ? Loopback ? You wont have a public IP if your ISP skimps on Addresses.. I have seem some whack configs where s0/0 is unnumbered, and the only routed block is on e0/0. Its not worth saving the /30 for added aggrevation. Are they bridged or unnumbered in some way? the routers know nothing of your Site to Site VPN. They just route.. nuff said on that. How do the PIX's use private addresses as for their crypto peer statements? They can't. Not unless you use outside nat on the rtr's something I don't think you can or want to do.. Just use Publics all around for your crypto peer statements.. I dont think you can do it anyother way.. one creative way to do it, maybe, run a GRE tunnel from router to router (say 10.0.1.0/24). Use 2 more /24 private class C's for in between router and pix on each side. Just route everthing (which is also encrypted) thru the tunnel. have NO NAT on your pixes for internal stuff to go out of router on S0/0 (instead of VPN traffic which goes out TUNNEL0). this should make your PIX's harder to attack, and if you want you can run nat on the router for hosts, or have another nat proxy behind pix (either way, pix wont do nat, with this low-profile config trick. 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57665t=57648 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
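The router-to-router GRE design that Brunner sketches in the quoted message above (RFC1918 on both PIX outside interfaces, the PIX-to-PIX IPsec carried inside a GRE tunnel between the edge routers, NAT on the router instead of the PIX), worked out as an added example; it is not from the thread or from Cisco. All addresses are constructed from the RFC 5737 documentation ranges: the ISP /30s are 203.0.113.0/30 and 203.0.113.4/30, the router-to-PIX LANs are 192.168.1.0/24 and 192.168.2.0/24, the tunnel is 10.0.1.0/24, the inside networks are 10.1.1.0/24 and 10.2.2.0/24, and <pre-shared-key> is a placeholder. IOS comments start with "!", PIX 6.x comments with ":".

```cisco
! ===== Site A edge router (IOS), constructed example =====
! The only public address at this site is the ISP /30 on Serial0/0.
interface Serial0/0
 description ISP link (203.0.113.0/30, constructed)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 110 in
!
interface FastEthernet0/0
 description LAN to PIX1 outside, RFC1918 (constructed)
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
!
interface Tunnel0
 description GRE to Site B router; carries the PIX1<->PIX2 IPsec traffic
 ip address 10.0.1.1 255.255.255.0
 ip mtu 1400
 keepalive 10 3
 tunnel source Serial0/0
 tunnel destination 203.0.113.6
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! PIX2's outside LAN is reachable only through the tunnel
ip route 192.168.2.0 255.255.255.0 Tunnel0
! return path for PATed Internet traffic back to the inside hosts behind PIX1
ip route 10.1.1.0 255.255.255.0 192.168.1.1
!
! The router, not the PIX, PATs Internet-bound traffic. Tunnel0 is not
! "ip nat outside", so PIX1 -> PIX2 packets (192.168.1.1 -> 192.168.2.1)
! are never translated and the IPsec peer addresses stay intact.
ip nat inside source list 10 interface Serial0/0 overload
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Inbound on the public side: GRE from the far router, replies to our PAT,
! nothing else. Only the routers are exposed; the PIXes are not reachable.
access-list 110 permit gre host 203.0.113.6 host 203.0.113.2
access-list 110 permit tcp any host 203.0.113.2 established
access-list 110 permit udp any eq 53 host 203.0.113.2
access-list 110 deny   ip any any log

: ===== Site A PIX (PIX 6.x), constructed example =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.168.1.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
: everything leaves via the router, which decides tunnel vs. Internet
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
: no translation on the PIX at all (the router PATs Internet-bound traffic)
nat (inside) 0 0.0.0.0 0.0.0.0
access-list vpn-to-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn-to-b
: the peer is PIX2's *private* outside address; the routers carry it in GRE
crypto map vpn 10 set peer 192.168.2.1
crypto map vpn 10 set transform-set strong
crypto map vpn interface outside
isakmp enable outside
isakmp key <pre-shared-key> address 192.168.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
: Site B mirrors this with the addresses swapped: router Serial0/0
: 203.0.113.6, FastEthernet0/0 192.168.2.2, Tunnel0 10.0.1.2 with tunnel
: destination 203.0.113.2, route 192.168.1.0/24 via Tunnel0 and
: 10.2.2.0/24 via 192.168.2.1; PIX2 outside 192.168.2.1, inside 10.2.2.1,
: crypto peer and isakmp key address 192.168.1.1.
```

GRE itself is cleartext, so the only traffic that is protected across the Internet is what the PIXes' crypto ACL covers; anything else the routers send through Tunnel0 crosses the ISP unencrypted.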
RE: PIX site-to-site VPN question... [7:57648]
Okay, I should have explained better... sorry. Let's break my point down to a digestible limit...

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXes, if I use private addressing on the outside interfaces of the PIXes. If both of the outside interfaces of the PIXes use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

thanks, ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Monday, November 18, 2002 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Oh yeah, with the limited address space the correct term I meant to use is PAT, not to confuse anyone. The outside interface on the PIX has 1 public and everyone gets NATed to that one global address.
RE: PIX site-to-site VPN question... [7:57648]
You have to use the public IP addresses, as I stated in my last email; private is non-routable on the net, though I have seen Sprint route private by mistake from time to time :) But that is not what confused me. What is confusing me is your IP addressing problem: do you have one? A /29 is a 255.255.255.248 subnet mask, which will give you 6 usable addresses. So I am not sure I see a problem, unless you want to use private on the outside; then yes, you have a problem.

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Okay, I should have explained better... sorry. Let's break my point down to a digestible limit...

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXes, if I use private addressing on the outside interfaces of the PIXes. If both of the outside interfaces of the PIXes use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

thanks, ed
RE: PIX site-to-site VPN question... [7:57648]
May I also ask why you want to use private?

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Okay, I should have explained better... sorry. Let's break my point down to a digestible limit...

At this point I want to know how to set up the site-to-site VPN tunnel between the two PIXes, if I use private addressing on the outside interfaces of the PIXes. If both of the outside interfaces of the PIXes use 192.168.x.x addresses, then what is the address I would use in the 'crypto map peer' statement? If it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? You follow? The perimeter router doesn't route private addresses, so how would it know how to get to the other PIX?

That's why I'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure the perimeter router?

thanks, ed
RE: PIX site-to-site VPN question... [7:57648]
Thanks for your help, Elijah... however, I think you are still missing the full point of my question... I am looking for a complete solution rather than just 'what's possible' at different points in the network. I did mean to use a /29 in my example. I used that b/c if I was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do I configure the perimeter router? What IP addresses does that use? Let's go with this example to answer my question for now--with using public addresses.

Just FYI, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

thanks, ed

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

You have to use the public IP addresses, as I stated in my last email; private is non-routable on the net, though I have seen Sprint route private by mistake from time to time :) But that is not what confused me. What is confusing me is your IP addressing problem: do you have one? A /29 is a 255.255.255.248 subnet mask, which will give you 6 usable addresses. So I am not sure I see a problem, unless you want to use private on the outside; then yes, you have a problem.
RE: PIX site-to-site VPN question... [7:57648]
Excellent... now we're getting somewhere. That's what I thought... but if this is the case, then how does the PIX establish the actual peering with the other PIX? Again, my crypto map peer _address_ example... what IP address do you use here if using private addresses? And if it's simply the private address of the other PIX, then how do the perimeter routers route this private addressing over the public Internet?

thanks again, ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Monday, November 18, 2002 7:38 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Yes, he should use public on the outside link and then private on the inside; the setup would be much easier that way. NAT or PAT on a PIX is so easy. And I had a slight brain fart: he can't use private on the outside. The reason is the peer addressing that has to go on the PIX for the VPN tunnel. So of course if he used private there is no way site A can talk to site B across the Internet.
RE: PIX site-to-site VPN question... [7:57648]
The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a tunnel to another PIX across the Internet that is behind an edge router of your own control (Site B), is to build a GRE tunnel between the edge routers.

EX:

                        Public Addresses
PIX1(outside)(e0)R1(e1)-INTERNET(e1)R2(e0)-(outside)PIX2
Pvt. Addresses          G R E Tunnel           Pvt. Addresses

If you tried to set up NAT on the two edge routers to statically translate for the PIX hosts on their outside interfaces, the tunnel would never establish. Even though you would define the crypto peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would never come up, and that is why you would need a GRE tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the routers and the PIX outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site-to-site VPNs were established using the public IP addresses on the outside interface of each PIX.

HTH,
Mark

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

Thanks for your help, Elijah... however, I think you are still missing the full point of my question... I am looking for a complete solution rather than just 'what's possible' at different points in the network. I did mean to use a /29 in my example. I used that b/c if I was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do I configure the perimeter router? What IP addresses does that use? Let's go with this example to answer my question for now--with using public addresses.

Just FYI, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

thanks, ed
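Mark's production layout above (ISP /30 on the router's serial side, a customer block shared by the router's Ethernet and the PIX outside, PAT and statics on the PIX, RFC1918 inside, IPsec peers on the PIX outside addresses) worked out as an added example that is not from the thread or from Cisco; it also shows how Elijah's "6 usable addresses" of a /29 get spent. Addresses are constructed from the RFC 5737 documentation ranges: ISP links 203.0.113.0/30 and 203.0.113.4/30, customer blocks 192.0.2.0/29 (Site A) and 198.51.100.0/29 (Site B), inside networks 10.1.1.0/24 and 10.2.2.0/24, with the ISP assumed to route each /29 to the router's serial address and <pre-shared-key> a placeholder. IOS comments start with "!", PIX 6.x comments with ":".

```cisco
! ===== Site A edge router (IOS), constructed example =====
! The router only routes; all NAT and all crypto live on the PIX.
interface Serial0/0
 description ISP link (203.0.113.0/30, constructed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 110 in
!
interface FastEthernet0/0
 description customer /29, shared with PIX1 outside (constructed)
 ip address 192.0.2.1 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Inbound filter: the IPsec peer and the published static are the only
! things exposed; RFC1918 and our own block are dropped as spoofed sources.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 192.0.2.0 0.0.0.7 any
access-list 110 permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
access-list 110 permit esp host 198.51.100.2 host 192.0.2.2
access-list 110 permit tcp any host 192.0.2.3 eq 443
access-list 110 permit tcp any host 192.0.2.2 established
access-list 110 permit udp any eq 53 host 192.0.2.2
access-list 110 deny   ip any any log

: ===== Site A PIX (PIX 6.x), constructed example =====
: /29 budget: .1 router, .2 PIX outside (also the PAT address),
: .3 static for a server, .4-.6 spare
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
: site-to-site traffic must bypass PAT (nat 0) and match the crypto ACL
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn-to-b permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
: everyone else is PATed to the single outside address (Elijah's "1 public")
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
: one spare /29 address published as a static for an inside server
static (inside,outside) 192.0.2.3 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 192.0.2.3 eq 443
access-group outside_in in interface outside
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address vpn-to-b
: the peer is PIX2's public outside address; no NAT sits in the path
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set transform-set strong
crypto map vpn interface outside
isakmp enable outside
isakmp key <pre-shared-key> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
: Site B mirrors this: router Serial0/0 203.0.113.6, FastEthernet0/0
: 198.51.100.1; PIX2 outside 198.51.100.2, inside 10.2.2.1, crypto peer
: and isakmp key address 192.0.2.2, nonat/crypto ACLs with the nets swapped.
```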
RE: PIX site-to-site VPN question... [7:57648]
Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet.

so you're saying (regarding your own roll out), that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right?

in any case, your scenario explains the answer to that particular example... however, new questions arise:

(1) if i DIDN'T decide to set up a GRE over the internet, then what other options do i have? would a simple NAT on the perimeter routers suffice? this would introduce dual-NAT, and i have heard that dual-NATing is less-than-desired in production due to performance issues.

(2) if i wanted to use public addressing on the outsides of the PIXes, then would i have to have two address spaces, as described in your own scenario?

can anyone think of any other options on the perimeter router? like i said, bridging or unnumbered or something of the like?

thanks,
ed

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
Sent: Monday, November 18, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a Tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE Tunnel between the Edge Routers.

EX:

                        Public Addresses
    PIX1(outside)---(e0)R1(e1)---INTERNET---(e1)R2(e0)---(outside)PIX2
      Pvt. Addresses          G R E  Tunnel           Pvt. Addresses

If you tried to set up NAT on the two Edge Routers to Static Translate for the PIX Hosts on their outside interfaces, the Tunnel would never establish. Even though you would define the Crypto Peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would never come up, and is why you would need a GRE Tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the Routers and the Pix Outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The Inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site to Site VPNs were established using the Public IP addresses on the Outside interface of each PIX.

HTH's
Mark

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

thanks for your help, elijah... however, i think you are still missing the full point of my question... i am looking for a complete solution rather than just 'what's possible' at different points in the network.

i did mean to use a /29 in my example. i used that b/c if i was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do i configure the perimeter router? what IP addresses does that use? let's go with this example to answer my question for now--with using public addresses.

just fyi, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

thanks,
ed

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

You have to use the public ip addresses as I stated in my last email; private is non-routable on the net, though I have seen sprint route private by mistake from time to time :) But that is not what confused me; what is confusing me is your ip addressing problem, do you have one? A /29 is a 255.255.255.248 subnet mask which will give you 6 usable addresses. So I am not sure I see a problem unless you want to use private on the outside, then yes you have a problem.

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

okay, i should have explained better... sorry

let's break my point down to a digestible limit... at this point i want to know how to set up the site-to-site VPN tunnel between the two PIXes, if i use private addressing on the outside interfaces of the PIXes. if both of the outside interfaces of the PIXes use 192.168.x.x
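The recurring question in this post is how to number the perimeter router when the ISP hands over only a /29 and routes it toward you. The following is an added example, not configuration from any poster in the thread: the single /29 is divided into two /30s, one for the ISP-facing serial link and one for the router-to-PIX LAN, so nothing on the path needs NAT. Addresses are constructed from the 192.0.2.0/29 documentation block; the ISP's end of the serial link is assumed to sit inside the upper /30 (192.0.2.5), which the ISP has to agree to, and interface names are assumptions.

```text
! Perimeter router, Site A (constructed example, IOS syntax)
! The ISP routes all of 192.0.2.0/29 to this router over Serial0.
!   192.0.2.4/30  serial link   (ISP end 192.0.2.5 assumed, our end .6)
!   192.0.2.0/30  router/PIX LAN (router .1, PIX outside .2)
!
interface Serial0
 description Link to ISP, upper half of the /29
 ip address 192.0.2.6 255.255.255.252
!
interface FastEthernet0
 description LAN to PIX outside, lower half of the /29
 ip address 192.0.2.1 255.255.255.252
!
! No NAT on this router: the PIX holds a public address and does PAT itself.
ip route 0.0.0.0 0.0.0.0 192.0.2.5
!
! Matching addressing on the PIX outside interface (PIX 6.x syntax):
!   ip address outside 192.0.2.2 255.255.255.252
!   route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

Each /30 spends two of its four addresses on the network and broadcast addresses, so the LAN between router and PIX has room for exactly those two hosts and nothing else. That is enough for PAT, because the PIX can overload its own outside interface address, but it leaves no spare public addresses for NAT statics to hosts behind the PIX; a site that needs inbound statics needs a larger block from the provider, as in the /27 scenario quoted above.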
RE: PIX site-to-site VPN question... [7:57648]
In-Line...

> Perfect... very interesting, indeed. I have long wondered about this scenario, and have wondered how companies are implementing their site-to-site VPNs over the internet.
>
> so you're saying (regarding your own roll out), that your ISP assigned you two address spaces and routed your /27 towards your perimeter router, right?
>
> in any case, your scenario explains the answer to that particular example... however, new questions arise:
>
> (1) if i DIDN'T decide to set up a GRE over the internet, then what other options do i have? would a simple NAT on the perimeter routers suffice? this would introduce dual-NAT, and i have heard that dual-NATing is less-than-desired in production due to performance issues.

No. The pix does not work like most VPN/IPSEC/NAT Devices. You have to have routable addresses on the pix outside. (maybe some CCIE SECURITY will chime in). It helps for surfing the web a bit too: in addition to your VPN, you have a public ip on the OUTSIDE of the pix (prevents the edge routers from DOING NAT, which they should not have to here). Based on your original post, I was assuming you were talking about going over the public internet for your Site-to-Site VPN? well that is about the only reason I could see doing all this for.

> (2) if i wanted to use public addressing on the outsides of the PIXes, then would i have to have two address spaces, as described in your own scenario?
>
> can anyone think of any other options on the perimeter router? like i said, bridging or unnumbered or something of the like?

You will not run bridging first of all. (unless you want both pixes at both sites to be on 1 lan). This probably won't work. Unless you're NOT providing Internet access (separate) at both sites. It will work if you want one site ONLY to be the internet gateway site or something, for a central point of security, whatever. It will also cause you to have the same public block at both sites. Not going to happen, with any carriers I have seen. One block, One T-1, One Location.

Also forget the unnumbered. Bad Operational mistake, invented by lazy ISP's to conserve a /30. Does not provide any security, locks you out of the router for basic troubleshooting if your eth INT has no lineproto.

You should do this (per 2 year experience with PIX VPN):

       SITE A                      PUBLIC INET                      SITE B
    PIX A(PUBLIC IP)---(RTRA)(PUBLIC IP)------(PUBLIC IP)(RTRB)---(PUBLIC IP)PIX B

Your crypto peer statements reflect the Opposite Pix's Public IP. (make sure you isakmp enable outside etc...) Your Internet access at either site will come from a global overload (pat) statement for the pixes, on the Interface or another IP in your routed block.

FYI don't try the GRE tunnel trick.. had some problems with fragmentation of IPSEC packets, speed issues, etc... also your edge routers will have to run NAT to get those private tunneled outside IP's to the NET for surf access.

> thanks,
> ed

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57680&t=57648
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
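The design recommended in the post above (public addresses on both PIX outside interfaces, each crypto peer pointing at the other PIX's public IP, isakmp enabled on outside, internet access via a PAT overload on the PIX, and no NAT on the edge routers) written out as an added configuration example for Site A. This is not configuration from the thread or from any poster. It uses PIX 6.x and IOS syntax and constructed documentation addresses: 203.0.113.0/30 for the Site A ISP link, 192.0.2.0/29 as the Site A public block, 198.51.100.2 as the Site B PIX outside address, and 10.1.0.0/16 and 10.2.0.0/16 as the inside networks; interface names, ACL names, and the pre-shared key placeholder are assumptions.

```text
! ===== Perimeter router RTRA (IOS) =====
! ISP-assigned /30 on the serial link, customer /29 on the LAN toward the PIX.
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.248
!
! Plain routing only. Because the PIX outside address is public, this router
! never translates anything, so the IPsec headers reach the far side unchanged.
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! ===== PIX A (PIX 6.x) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.248
ip address inside 10.1.0.1 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Traffic that belongs in the tunnel: Site A inside to Site B inside.
access-list VPN-A-TO-B permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! nat 0 exempts tunnel traffic from translation; everything else is PATed
! to the outside interface address for ordinary internet access.
nat (inside) 0 access-list VPN-A-TO-B
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
global (outside) 1 interface

! Let decrypted tunnel traffic bypass the outside interface ACL checks.
sysopt connection permit-ipsec

! Phase 2: ESP in tunnel mode. 3DES/SHA-1 is what a PIX of this era offered;
! on a current platform use AES and SHA-2 instead.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map SITE-MAP 10 ipsec-isakmp
crypto map SITE-MAP 10 match address VPN-A-TO-B
crypto map SITE-MAP 10 set peer 198.51.100.2
crypto map SITE-MAP 10 set transform-set STRONG
crypto map SITE-MAP interface outside

! Phase 1: peer identified by the opposite PIX's public outside address.
isakmp enable outside
isakmp identity address
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Site B is the mirror image: its PIX carries 198.51.100.2 on outside, its crypto ACL permits 10.2.0.0/16 to 10.1.0.0/16, and its `set peer` and `isakmp key` lines name 192.0.2.2. The two things that make this work without any edge-router NAT are the public outside address on each PIX, which is simultaneously the IKE identity, the ESP endpoint and the PAT address, and the `nat (inside) 0` exemption, which keeps site-to-site traffic from being overloaded onto that address before it reaches the crypto map.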
RE: PIX site-to-site VPN question... [7:57648]
I think you might be wrong. I never had to do this outside of the lab on two VPN routers and 2 pixes in between doing NAT, but you should be able to establish an ESP in tunnel mode between two devices using private addresses with NAT happening somewhere in between. Remember, ESP only cares about the payload, not the header. Therefore as long as the payload is intact - this is valid. Of course, both VPN devices would have to know each other by NATed or in your case public IP addresses. I can show you the config, if you like

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark W. Odette II
Sent: Tuesday, November 19, 2002 12:19 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

The only way that you could put private addresses on the OUTSIDE interface of the PIX (Site A), and still successfully set up a Tunnel to another PIX across the internet that is behind an edge router of your own control (Site B), is to build a GRE Tunnel between the Edge Routers.

EX:

                        Public Addresses
    PIX1(outside)---(e0)R1(e1)---INTERNET---(e1)R2(e0)---(outside)PIX2
      Pvt. Addresses          G R E  Tunnel           Pvt. Addresses

If you tried to set up NAT on the two Edge Routers to Static Translate for the PIX Hosts on their outside interfaces, the Tunnel would never establish. Even though you would define the Crypto Peer as a public address, when the packet arrives at the far side, it would have the private address headers, and thus the tunnel would never come up, and is why you would need a GRE Tunnel between the two routers to use private addresses between the two PIXen end-points.

I have set up the scenario you speak of in production, but the ISP assigned a /30 for the routers connecting to the ISP, AND they assigned /27's for the customer's own use. So, with this, I configured the S0 interfaces of each router as part of the /30's, and configured the Fa0 interfaces of the Routers and the Pix Outside interfaces as hosts in the /27 blocks that were assigned to each site, while creating a PAT pool and NAT statics for appropriate hosts behind the PIX. The Inside/DMZ side of the PIXen were configured with RFC1918 addresses. Site to Site VPNs were established using the Public IP addresses on the Outside interface of each PIX.

HTH's
Mark

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

thanks for your help, elijah... however, i think you are still missing the full point of my question... i am looking for a complete solution rather than just 'what's possible' at different points in the network.

i did mean to use a /29 in my example. i used that b/c if i was only given one IP address from my ISP, and used it for the outside interface of the PIX (as you suggested), then how do i configure the perimeter router? what IP addresses does that use? let's go with this example to answer my question for now--with using public addresses.

just fyi, however, here is a diagram on CCO which uses private addressing on the outside interface of the PIX in a VPN solution (doesn't show the perimeter routers, though)...

thanks,
ed

-----Original Message-----
From: Elijah Savage III [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:13 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

You have to use the public ip addresses as I stated in my last email; private is non-routable on the net, though I have seen sprint route private by mistake from time to time :) But that is not what confused me; what is confusing me is your ip addressing problem, do you have one? A /29 is a 255.255.255.248 subnet mask which will give you 6 usable addresses. So I am not sure I see a problem unless you want to use private on the outside, then yes you have a problem.

-----Original Message-----
From: Edward Sohn [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 10:50 PM
To: Elijah Savage III; [EMAIL PROTECTED]
Subject: RE: PIX site-to-site VPN question... [7:57648]

okay, i should have explained better... sorry

let's break my point down to a digestible limit... at this point i want to know how to set up the site-to-site VPN tunnel between the two PIXes, if i use private addressing on the outside interfaces of the PIXes. if both of the outside interfaces of the PIXes use 192.168.x.x addresses, then what is the address i would use in the 'crypto map peer' statement? if it's the 192.168.x.x address of the other PIX's outside interface, how does the PIX know how to get there? you follow? the perimeter router doesn't route private addresses, so how would it know how to get to the other PIX? that's why i'm assuming that the public addressing has to include the PIX outside interfaces, but if this is so, how do you configure