for PIX VPN gurus... [7:58448]

2002-12-03 Thread Edward Sohn
I have a requirement in which a single Headquarters PIX needs to VPN
over the internet to a single remote site which has two separate PIXes
(connected to the same site LAN).  The goal is to introduce redundancy
into the VPN connection to the remote site.  Unfortunately, it has to be
like this due to the company's hardware limitations.

This is not a classic PIX failover configuration via the serial method
(515, 525, 535), but two separate PIX 506s connected separately to the
same LAN.

I can't find anywhere on CCO whether this config is supported, and the
TAC engineer is also clueless (he even said that he doesn't have a way
to lab it up--can you believe that?  This is Cisco we're talking about
here).

Anyway, anybody ever done something like this?  Will this work?  Can
somebody test this?

BTW, I need to know ASAP, because the customer wants to implement this
immediately if it will work.

Thanks,

Eddie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58448&t=58448
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: for PIX VPN gurus... [7:58448]

2002-12-03 Thread Roberts, Larry
Taking a guess, but could you specify multiple destination IPs under the
crypto map peer statement?

PIX#(config) crypto map TEST 10 set peer 10.20.30.1 10.20.30.2

PIX#(config) show crypto map
Crypto Map: TEST interfaces: { }

Crypto Map TEST 10 ipsec-isakmp
Peer = 10.20.30.1
Peer = 10.20.30.2
No matching address list set.
Current peer: 10.20.30.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ }

I believe that this will first cause it to build to .1, and if it is
unavailable, to .2.
I would be curious as to how you're going to handle the internal routing
back to the corporate site?
I think that would be a stumbling block from what I can tell.


Thanks

Larry
 

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 11:14 AM
To: [EMAIL PROTECTED]
Subject: for PIX VPN gurus... [7:58448]


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58455&t=58448
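As an added example (not from Larry's post, and not taken from any Cisco document), here is what a complete PIX 6.x configuration around Larry's two-peer `set peer` command would look like on both ends. The `show crypto map` output above shows an entry with no match address, no transform set and no interface binding, so as posted it would not yet protect any traffic; the fragment below fills in those pieces. All addresses, subnets, names and keys are placeholders I chose (documentation ranges for the outside addresses, 10.1.0.0/16 for HQ and 10.2.0.0/16 for the remote LAN). The `isakmp keepalive` lines assume a PIX release that supports ISAKMP keepalives (dead peer detection); drop them if the 506 software in use does not have the command.

```text
: ---- HQ PIX (outside 192.0.2.1) ----
: Lines beginning with ":" are comments in PIX config files.
: Placeholders: 10.1.0.0/16 = HQ LAN, 10.2.0.0/16 = remote LAN,
: 198.51.100.10 / 198.51.100.11 = outside addresses of remote PIX A / PIX B.
access-list vpn_remote permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set HQSET esp-3des esp-sha-hmac
crypto map HQMAP 10 ipsec-isakmp
crypto map HQMAP 10 match address vpn_remote
: Both remote 506s in one entry; IKE is tried against .10 first, then .11.
crypto map HQMAP 10 set peer 198.51.100.10 198.51.100.11
crypto map HQMAP 10 set transform-set HQSET
crypto map HQMAP interface outside
isakmp enable outside
isakmp identity address
: One pre-shared key per remote peer address (placeholders, not real keys).
isakmp key KeyForPixA address 198.51.100.10 netmask 255.255.255.255
isakmp key KeyForPixB address 198.51.100.11 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
: Assumption: only on PIX releases that support ISAKMP keepalives. Without
: this, a dead peer is only noticed when the existing SA lifetime expires.
isakmp keepalive 10 5

: ---- Remote PIX A (outside 198.51.100.10) ----
: PIX B is identical except for its own outside address and its own key.
access-list vpn_hq permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set RSET esp-3des esp-sha-hmac
crypto map RMAP 10 ipsec-isakmp
crypto map RMAP 10 match address vpn_hq
crypto map RMAP 10 set peer 192.0.2.1
crypto map RMAP 10 set transform-set RSET
crypto map RMAP interface outside
isakmp enable outside
isakmp identity address
isakmp key KeyForPixA address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp keepalive 10 5
```

Two things to keep in mind when checking this. First, the second peer is only used when IKE to the first peer gets no answer at negotiation time; an SA already established to a 506 that later dies stays in place until its lifetime runs out or keepalives declare the peer dead, so without keepalives the "failover" can take up to the SA lifetime. Second, traffic that matches `vpn_remote` is held until an SA exists and is never sent in the clear, but traffic that fails to match the crypto ACL (a typo in the subnet, for instance) is simply NATed out unencrypted, so after applying the map verify with `show crypto map` that the interface, match address and transform set are all populated, and with `show isakmp sa` and `show crypto ipsec sa` which of the two peers the tunnel is actually up to. None of this addresses Larry's stumbling block: which 506 the hosts on the remote LAN use as their gateway back to HQ, and how that changes when one of them fails, is a routing question that the crypto map cannot solve.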



RE: for PIX VPN gurus... [7:58448]

2002-12-03 Thread Daniel Cotts
A diagram would help. I'm visualizing the remote site as having one Internet
connection. The gateway router's inside interface connects to a hub/switch.
The outside interfaces of the two 506s connect to this hub/switch. The
inside interfaces of the 506s connect to a second (common) hub/switch which
is the LAN. So the two 506s are in parallel. True?

I repeat the mantra of this list. What is the problem that you are trying
to solve? What is the perceived problem? What is the supposed solution?
Does the solution really fix the problem?

Can you be more clear about how redundancy will be provided? Is the
customer concerned about a PIX failing? Does he need both 506s working at
the same time?
 
If not, one could be online with the other as a cold spare (either
installed or on the shelf). Imagine the joy of keeping those configs in
sync!
 
If so, then I'm guessing that the 506s are in parallel. Then each requires
its own outside address - which is different from a standard failover
scenario. Can you create a VPN from HQ to each 506 - with one preferred?

 -Original Message-
 From: Edward Sohn [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, December 03, 2002 10:14 AM
 To: [EMAIL PROTECTED]
 Subject: for PIX VPN gurus... [7:58448]
 
 

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58461&t=58448



RE: for PIX VPN gurus... [7:58448]

2002-12-03 Thread Edward Sohn
Larry,

Good find; however, we are GRE-tunneling EIGRP across
sites.  This is before the PIXes.

Thanks,

Ed



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58491&t=58448