IPSec VPN termination question


scottdware (Technical User), Apr 15, 2003
Hello to all.

I am in the process of designing a new DMZ that will go into place in a new facility that our company is building. This facility will act as our "headquarters".

I plan on setting up IPSec VPN tunnels between our HQ and our 4 remote offices. Now, I have so far planned on having in the HQ:

2651XM for the T1 coming in from the Internet. A PIX 515E as the firewall.

So, my question is where should I have the IPSec VPN tunnels terminate? On the router (2651) or on the PIX? And if I have them terminate on the router (2651), then do I just need static routes in the router (2651) forwarding the remote office subnets to the pix's outside address (public), and access-lists on the pix permitting the remote offices' subnets?

Sorry if this sounds stupid, but I have never really set up a DMZ before from scratch by myself. Thanks
 
I'd definitely terminate on the Pix - that's one of the things it's good at. Then, just have the default route on the 2651 point to the Pix inside interface and you should be set.
 
By saying the default route on the 2651, do you mean the default route for all of the remote office subnets?

Say for instance:

remote office 1, subnet 192.168.6.0/24

2651 - ip route 192.168.6.0 255.255.255.0 10.1.1.1 1 <- (say 10.1.1.1 is the inside address of the pix)

and do that for each of the remote office subnets?
 
Actually the *default* route is all that's needed:
"ip route 0.0.0.0 0.0.0.0 10.1.1.1".

Part of the Pix setup is to exempt the VPN-reachable networks from NAT, and to send them out via the tunnel. This way, the Pix decides which addresses to tunnel and which to simply send out to the internet. The 2651 doesn't have to deal with that.

 
I see. The default route on my pix would be the ip address (public) of my 2651 right? Assuming that both the serial interface (to the internet) obviously has a public ip, and also the ethernet interface of the 2651, which would also have a public ip...(along with the outside interface of the pix)
 
Ah, I misread your second question. It makes just a little change in my answer, though. Since "public" can be confusing, I'll refer to the interfaces as "inside" and "outside".

The Pix default route would be to the inside address of your router. 2651's inside address, and the Pix outside address, would be public and in the range assigned by your ISP.

So the routing is:

workstations: default route to the Pix
Pix: default route to the 2651
2651: default route to the ISP

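A worked example of the design the replies describe (NAT exemption on the Pix, the crypto map selecting what to tunnel, and the default-route chain workstations -> Pix -> 2651 -> ISP). This is added here and is not any poster's configuration; syntax is PIX 6.x / IOS, every address other than 10.1.1.1 and 192.168.6.0/24 is constructed, and the pre-shared key is a placeholder.

```cisco
! --- 2651XM (edge router) --- constructed: ISP on Serial0/0, router inside
! FastEthernet0/0 = 203.0.113.9/29, Pix outside = 203.0.113.10/29
interface FastEthernet0/0
 ip address 203.0.113.9 255.255.255.248
! Only a default route toward the ISP; no per-office routes, the Pix decides
! what gets tunnelled. If Serial0/0 carries an inbound ACL it must permit
! UDP/500 (ISAKMP) and IP protocol 50 (ESP) to 203.0.113.10 or IKE never completes.
ip route 0.0.0.0 0.0.0.0 Serial0/0

! --- PIX 515E (6.x syntax) ---
ip address outside 203.0.113.10 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
! Default route to the 2651's inside address (public range from the ISP)
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! User VLANs live behind the L3 switch at 10.1.1.2 (constructed)
route inside 10.2.0.0 255.255.0.0 10.1.1.2 1
! Normal Internet traffic is PAT'd to the outside interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! Exempt HQ <-> remote office 1 from NAT so private addresses survive inside the tunnel
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list nonat
! The same selector tells the crypto map which traffic to encrypt
access-list vpn_office1 permit ip 10.0.0.0 255.0.0.0 192.168.6.0 255.255.255.0
! Lets decrypted tunnel traffic bypass the outside interface ACL; without this
! line you need explicit permits for 192.168.6.0/24 on the outside ACL instead
sysopt connection permit-ipsec
isakmp enable outside
isakmp key PRESHARED-KEY-PLACEHOLDER address 198.51.100.6 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set office esp-3des esp-sha-hmac
crypto map hq_map 10 ipsec-isakmp
crypto map hq_map 10 match address vpn_office1
crypto map hq_map 10 set peer 198.51.100.6
crypto map hq_map 10 set transform-set office
! Repeat sequence numbers 20, 30, 40 (and matching nonat lines) for the other three offices
crypto map hq_map interface outside
```

A quick check after bringing a tunnel up is `show crypto isakmp sa` and `show crypto ipsec sa` on the Pix: the ISAKMP SA should be in QM_IDLE and the encrypt/decrypt counters for 192.168.6.0/24 should both climb.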
 
Great! The workstations, however, will be on separate VLANs, so I plan on setting the default route of the workstations to the address of the Layer 3 switch, and in turn, the default route of the L3 switch to the pix's inside address.

Thanks a lot for your help!
 