Re: VPN [7:21120]

2001-12-05 Thread Ramesh c

Hi Corness,

Thanks for your earlier replies.



My setup is as follows:

pvt network -- Router -- Internet -- PIX -- pvt network

I want to do a VPN between the private networks using IPsec. I am concerned
with the router side. The s0 (10.1.0.1/24) of the router is connected to the pvt network
and e0 (210.11.3.1/24) to the Internet.

I do the following on my router:

! crypto ACL: IOS expects wildcard masks here, not subnet masks
access-list 101 permit ip 10.1.0.0 0.0.0.255 172.1.0.0 0.0.0.255
crypto ipsec transform-set set1 esp-des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 match address 101
 set peer 210.14.7.2
 set transform-set set1

! ISAKMP is enabled by default on IOS; only the policy is needed
crypto isakmp policy 20
 encryption des
 hash md5
 authentication rsa-sig
 group 1

interface e0
 crypto map vpn

My questions:

1) What kind of static route should I add? (I want only 10.1.0.0 to talk to
172.1.0.0 and vice versa using the VPN; everything else denied.)

2) Do I need this if I don't use NAT on my router?
route-map nonat permit 10
  match ip address 130

3) Will this access list help me with security (i.e. except for 172.1.0.0, no
other network can reach the pvt network)?

access-list 140 permit ip 172.1.0.0 0.0.0.0 any
access-list 140 deny ip any any
interface e0
 ip access-group 140 out

cheers
Ramesh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28256&t=21120
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
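Added example (not from Ramesh's post or anyone in the thread): a small Python model of IOS wildcard-mask ACL matching, run over constructed sample flows, to show what the crypto ACL from question 1 selects and why the 0.0.0.0 wildcard in ACL 140 from question 3 matches only a single address. The hosts 10.1.0.5, 172.1.0.9 and 203.0.113.1 are assumed sample addresses.

```python
import ipaddress

# Added example (not from the thread): a model of IOS wildcard-mask ACLs applied
# to the two ACLs Ramesh asks about. All flows are constructed sample traffic.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def acl_permits(entries, src, dst):
    """Evaluate (action, src, src_wc, dst, dst_wc) entries top-down; implicit deny last."""
    for action, sb, sw, db, dw in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

# Crypto ACL for question 1: only 10.1.0.0/24 <-> 172.1.0.0/24 goes into the tunnel.
CRYPTO_ACL = [("permit", "10.1.0.0", "0.0.0.255", "172.1.0.0", "0.0.0.255")]
# Common slip: a subnet mask typed where IOS expects a wildcard. Read as a wildcard,
# 255.255.255.0 means "only the last octet must match", so the wrong traffic is selected.
MASK_AS_WILDCARD = [("permit", "10.1.0.0", "255.255.255.0", "172.1.0.0", "255.255.255.255")]
# ACL 140 from question 3 as posted: wildcard 0.0.0.0 matches the single address 172.1.0.0.
ACL_140_POSTED = [("permit", "172.1.0.0", "0.0.0.0", *ANY), ("deny", *ANY, *ANY)]
# What the question intends: any host in 172.1.0.0/24, nothing else.
ACL_140_FIXED = [("permit", "172.1.0.0", "0.0.0.255", *ANY), ("deny", *ANY, *ANY)]

SAMPLE_FLOWS = {  # constructed (src, dst) pairs
    "pvt->remote": ("10.1.0.5", "172.1.0.9"),
    "pvt->internet": ("10.1.0.5", "203.0.113.1"),
    "pvt-net-addr->internet": ("10.1.0.0", "203.0.113.1"),
}

def selected_for_ipsec(acl):
    """Which sample flows a crypto ACL would send into the IPsec tunnel."""
    return {name: acl_permits(acl, s, d) for name, (s, d) in SAMPLE_FLOWS.items()}

def reaches_private_net(acl, src):
    """Whether a packet from src to inside host 10.1.0.5 passes ACL 140. Note that
    Ramesh applies it 'out' on e0, which filters traffic leaving toward the Internet;
    to gate what arrives from the Internet it has to be applied inbound."""
    return acl_permits(acl, src, "10.1.0.5")

if __name__ == "__main__":
    print("crypto ACL:", selected_for_ipsec(CRYPTO_ACL))
    print("mask as wildcard:", selected_for_ipsec(MASK_AS_WILDCARD))
    print("ACL 140 posted/fixed for 172.1.0.9:", reaches_private_net(ACL_140_POSTED, "172.1.0.9"),
          reaches_private_net(ACL_140_FIXED, "172.1.0.9"))
```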



Re: VPN [7:21120]

2001-10-02 Thread Trevor J Corness

Several points to make on this.

1) How are you using 192.168.x.x/28 on your Serial0/0, your external 
interface (should this not be your only valid IP? And why a /28 on a Serial 
unless you are using Frame)?  I am now assuming you change this to something 
like:
  interface Serial 0/0
   ip address live/30

2) If you are using NAT on the Router, then you may not VPN to the PIX, 
making the Router the only possible VPN End-point.  Obtain VPN license for 
your router platform, or plan to redesign slightly.

3) If you ARE using 192.168.x.x/28 on your Serial, even your router is not 
accessible from the public internet, making it entirely impossible for you
to VPN.

4) You will have problems passing VPN traffic through the PIX without 
completely opening it up anyway.

May I suggest a possible redesign of the network?

--
I never totally understood the use of what I like to call Double-NAT, 
especially when only a wire exists between 2 devices.  This adds processing 
and memory overhead onto the router that is not necessary, especially in 
today's world.  May I suggest using LIVE IPs up to the PIX box... or better 
yet, obtaining a WAN interface identical to your S0/0 on the router, and 
placing it directly in the PIX... this will free up the router for lab uses.
You then simply NAT once on the PIX, and to add VPN, you can simply 
load the VPN module into the PIXOS.

Solution 2:
Use Live IPs on the segment between the router and PIX, add a switch or 
better yet, a hub between the two, and add a VPN Appliance, such as a Nortel 
Networks Contivity, or if you like to stay an All Cisco shop, a VPN 
Concentrator 3002.  This will accomplish many things:
VPN troubleshooting will not cause downtime on the PIX
Router processing/memory demands lowered, it is merely routing now
Throughput increased due to packets only going through 1 translation
VPN is direct into internal network
VPN is the only task for the box chosen

Currently where I work, we have traditionally been using a Nortel Contivity 
1500 as a hub of 18 branch-office VPNs using smaller Contivity units for 
Branch-to-Branch, and also as the single corporate VPN endpoint for 
user-to-HQ tunnels.  In the 3 years it was in service, it was downed twice, 
once for a move, and once due to replacing the UPS with an APC 16KVa.  Both 
times were of no fault of the equipment.

Recently, we have replaced everything with Cisco product (6509, 7200VXR, 
VPN3002, 2xPIX, 3600, 2600).  Catalyst reboots are about every 2 weeks, 7200 
came with a faulty Sup blade, VPN 3000 has been rebooted twice in the last 
month because of hiccups so it will not allow any more connections.. so far 
no problems with the x600 routers, or the PIX firewalls, that were not 
programming errors.  All in less than 2 months.  It will be happy days to
see it all go away in 2 years when the lease expires.  I will just be happy when 
they finally unplug the Contivity 1500 in 2 weeks, and give it to us for our 
lab LAN.

Note: With the arrival of all the Cisco gear, I was released from my 
responsibilities to help maintain the network, and now only run a lab
network based on the old equipment (HP and Nortel L2 switches, Nortel Passport L3 
switches, Cisco 1600, 2500, 2600 routers, Compaq ML350 servers running Unix, 
Win2k, and soon WinXP).

I wish you luck in finding the solution that works for you.  Do not fear 
approaching management saying that a slight redesign is required to offer
the VPN solution.  The money they will save by employees working from home, and 
the increased productivity from those same employees, will more than pay for 
any new equipment, or time required to add the technology in a very short 
period of time.


-- 
Regards,
  Trevor J Corness, CCNA CCDA JNCIS NNCSS MCSE MCP+I
  Systems Engineer, Data Services
  Radian Communication Services Corporation
  http://www.radiancorp.com



On September 26, 2001 03:26 am, Ramesh c wrote:
 Hey Guys,

 My setup is as follows:

 Internet -- Router -- PIX -- Internal network

 We are using a 192.168.x.x network and using NAT to change to a valid IP
 address. So when I need to set up VPN, should I use the 192.168.x.x or the
 valid IP address?

 My internet router config

 interface FastEthernet0/0
  ip address 192.168.y.x 255.255.255.252
  ip nat inside

 interface Serial0/0
   ip address 192.168.x.x 255.255.255.240

 Which is more advisable:
 1) VPN to router or VPN to PIX?

 Please explain in detail...







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21718&t=21120



RE: VPN [7:21120]

2001-09-26 Thread Kent Hundley

The addresses assigned to the VPN client will typically come from a pool of
addresses from the inside network.  It's also typical to terminate VPN
clients on your firewall, so in this case you would terminate them on the
PIX.  There are examples on Cisco's web site for configuring client to PIX
VPN.  Just do a search on PIX technical tips and you should find all the
info you need.

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ramesh c
Sent: Wednesday, September 26, 2001 3:26 AM
To: [EMAIL PROTECTED]
Subject: VPN [7:21120]


Hey Guys,

My setup is as follows:

Internet -- Router -- PIX -- Internal network

We are using a 192.168.x.x network and using NAT to change to a valid IP
address. So when I need to set up VPN, should I use the 192.168.x.x or the
valid IP address?

My internet router config

interface FastEthernet0/0
 ip address 192.168.y.x 255.255.255.252
 ip nat inside

interface Serial0/0
  ip address 192.168.x.x 255.255.255.240

Which is more advisable:
1) VPN to router or VPN to PIX?

Please explain in detail...







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=21186&t=21120