Pix to Pix (site to site) VPN

[sab4you]

If I purchase 2 PIX 515E's, I understand I can create a site to site connection between the two. My question is can I have them both use the same inside IP address range?

Looking at the simple example:

http://www.cisco.com/warp/public/110/38.html

They use 2 different internal IP ranges, and I am not sure if its for clarity or necessity?

Reason being is I want to extend my LAN into both sites and they need to use the same subnet.

 

[NetworkGhost]

You would need a device on the inside of both sites natting your internal addresses before they go through the tunnel. Just a question, Why do you have to use the dame subnet?

 

[sab4you]

NetworkGhost, thanks for your response!

I plan to use microsoft clustering with one server at a location, and another server at another. From my understanding, you need to have clustered servers on the same subnet.

Another question, if I have the 2 PIX's VPN site-to-site, can I also have people VPN in from their cleint computers? Meaning can the PIX have both a site to site connection and also still allow other VPN connections?

 

[NetworkGhost]

Yes it can. I would suggest going to Pix 7.0. I am pretty sure the issue is fixed with hairpinning in one of the earlier versions but I know 7.0 is for sure.. Either way you can most definitly have vpn clients along with peers. Clustering across the VPN? Just curious, what do you need to cluster across the tunnel?

 

[sab4you]

Primary location has Exchange 2003 and File server. If primary location fails, it will have mirrored exchange and file servers at another location. Plan to use microsoft clustering for Exchange and then HP software to mirror the storage between locations. User will need to be able to VPN into either location to use files. Let me know if you think there is a better way to do this?

Thanks again!

 

[NetworkGhost]

Here is a link that will lead you to good info on clustering:

http://www.microsoft.com/technet/pr...ide/2493c2d6-618c-4c49-9cb1-fff556926707.mspx

You can do it with different subnets but there are some implications. What version of exchange do you guys have at both sites?

 

[sab4you]

Its a fresh installation - so Exchange 2003 Enterprise.

It looks like quite the project I have gotten myself into. Slightly worried about the Exchange clustering...

 

[NetworkGhost]

Yeah I dont know how well it will act over the VPN Tunnel. There will most likey not be a seemless transfer of service. One option may be to make 2 separate stores for each location. Replicate to each site and just manually bring up the second store if a server fails. How much of a pipe are you going have from site to site? Fixed bandwidth or just bouncing through the net?

 

[sab4you]

Plan to have each site with a fractional T1, to guarantee bandwidth.

I kinda need to have it automated if one location fails, the other picks up and continues to accept mail + users can VPN and check mail via Outlook or simply with OWA

 

[NetworkGhost]

Do you have lots of mail flow? How many users? Is the frac T1 dedicated to the cluster? A frac T1 may not be adequate. I would question how stable the cluster will be. How do you plan to implement the cluster?

 

[sab4you]

Only about 15 users total, so not too much traffic.

The frac T1 will be for the entire office on each end. As for how I plan to implement the cluster, I havent researched more than that. DOes this sound like it wont work?

I am kinda leaning towards asking the site to hire somebody more knowledgable about network hardware, since I am not very experienced on this end.