RE: VPN CONCENTRATOR Parallel FW [7:66819]
You need a router when running them in parallel. The router will determine that internet traffic goes to the pix, remote vpn lan's etc go to the vpn 3000.

Mine is like

    VPN 3000            PIX
    10.0.0.2            10.0.0.10

            10.0.0.0/24

             10.0.0.1
               RTR
            192.168.0.1

        SERVERS 192.168.0.0/24

This way no servers need "route" commands to know where to route what. And you guessed it, my vpn clients get addresses on the subnet between router and vpn (10.0.0.0/24).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66843&t=66819
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN CONCENTRATOR Parallel FW [7:66819]
Joseph,

In this scenario all you had to do is specify the TUNNEL DEFAULT Gateway on the Concentrator, is that right? Also, in the site-to-site VPN case, the remote site can get the DHCP addresses from the servers if we define a helper address on the remote site VPN router... right?

Thanks,
neil

"Joseph Brunner" wrote in message news:[EMAIL PROTECTED]
> [quoted text of the previous message omitted]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66852&t=66819
RE: VPN CONCENTRATOR Parallel FW [7:66819]
No. Read what the tunnel default gateway does... (from the concentrator page where you set it):

"Enter the IP address of the default gateway or router for tunnels. Enter 0.0.0.0 for no default router."

This is used to have a different gateway for IPSEC tunnels than for IP routing.

What we are discussing is how servers with two possible next hops, a pix and a vpn, will determine which to use for what subnets. The servers (defaulted to the pix) have to bypass it to speak to the remote subnet (and use the concentrator instead).

A common workaround (one I used to employ) was NT route add statements for each subnet that should "bypass" the pix, their default gateway, and use the Concentrator instead.

A better and more scalable solution is to put a router between the concentrator and pix internal segment, and the servers.

INBOUND
For inbound internet and inbound ipsec tunnel traffic back, the pix and the vpn concentrator have a route to the "server's subnet" with the router as the next-hop.

OUTBOUND
Subnets reachable via vpn 3000 are routed to the vpn concentrator's private interface; a default route for outbound Internet traffic is towards the pix.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66865&t=66819
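Joseph's router-in-the-middle design, modeled as an added example (not code from the thread): a small longest-prefix-match lookup over the three route tables his INBOUND/OUTBOUND description implies, using the addresses from his diagram. The remote VPN subnet 172.16.0.0/24 and the public test addresses are constructed; the "route add" table is the per-server workaround he mentions, shown for comparison.

```python
import ipaddress

# Addresses from the thread's diagram (concentrator, pix and router share 10.0.0.0/24).
VPN3000_PRIVATE = "10.0.0.2"
PIX_INSIDE = "10.0.0.10"
ROUTER_OUTSIDE = "10.0.0.1"
ROUTER_INSIDE = "192.168.0.1"
REMOTE_VPN_SUBNETS = ["172.16.0.0/24"]  # constructed: a subnet behind a site-to-site tunnel


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# OUTBOUND: the router sends VPN-reachable subnets to the concentrator's private
# interface and everything else to the pix. The VPN client pool (10.0.0.0/24) is
# the directly connected segment, so it needs no extra route.
ROUTER_TABLE = [(s, VPN3000_PRIVATE) for s in REMOTE_VPN_SUBNETS] + [
    ("10.0.0.0/24", "direct"),
    ("0.0.0.0/0", PIX_INSIDE),
]

# INBOUND: both the pix and the concentrator reach the server subnet via the router.
EDGE_TABLE = [("192.168.0.0/24", ROUTER_OUTSIDE)]

# With the router in place each server keeps a single default gateway.
SERVER_TABLE = [("0.0.0.0/0", ROUTER_INSIDE)]

# The older workaround: servers default to the pix and carry one "route add"
# per remote subnet pointing at the concentrator. This list grows on every server.
WORKAROUND_SERVER_TABLE = [(s, VPN3000_PRIVATE) for s in REMOTE_VPN_SUBNETS] + [
    ("0.0.0.0/0", PIX_INSIDE),
]


def path_from_server(dst):
    """Next hops a packet from a server takes: server -> router -> edge device."""
    return [lookup(SERVER_TABLE, dst), lookup(ROUTER_TABLE, dst)]


def path_to_server(dst):
    """Next hop the pix or concentrator uses for return traffic."""
    return lookup(EDGE_TABLE, dst)
```

Each server's own table stays at one entry; only the router's table grows as remote VPN subnets are added, which is the scalability point made in the message.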
RE: VPN CONCENTRATOR Parallel FW [7:66819]
I have found it easier, and perhaps easier to audit, if you have the VPN box reside in parallel on the outside, but terminate the inside of the VPN box in one of your firewalls' DMZ sections. This allows you to place firewall rules on all traffic coming through and report easily on them. It also keeps one DG for all traffic (if you presently only have your firewall). If you only have one firewall, it does introduce another single point of failure however.

Symon

-----Original Message-----
From: Joseph Brunner [mailto:[EMAIL PROTECTED]
Sent: 04 April 2003 19:13
To: [EMAIL PROTECTED]
Subject: RE: VPN CONCENTRATOR Parallel FW [7:66819]

[quoted text of the previous message omitted]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66906&t=66819