PIXie box heck!

[sicron]

1) Please verify this theory:
In properly setting up the following network equipment:
PIX 515e-> 2620 -> INTERNET <- 2620 <-PIX 506
WITH the PIXes encrypting VPN connections (and only 1 public IP address per 2600, the following will result:
1) The routers become invisible
2) The routers must have tunnels to each other (encrypted or not)
3) The PIXes must use PAT (since NAT only operates on pools, and we have only 1 public IP address per location)
4) The 2600s must statically NAT their ser0/0 to f0/0
5) Default routes must be set so that all goes to and from ser0/0 to f0/0

PLEASE PLEASE, if I've missed anything, let me know. It would be nice to be able to telnet into the routers, and still get to PDM (until configuration phase is complete), but that doesn't seem possible with the above configuration, or did I miss something?
Also, any feedback would be appreciated.

&quot;The reward of patience is patience&quot;
-St. Augustine

 

[wybnormal]

it's possible. When the VPN is configured, accesslists control what traffic is put across the VPN. Anything the ACL denies is sent out the un-encrypted outside of the VPN. Even if everything was encrypted, you still should be able to SSH to the routers. PDM is the same thing.. The routers are just passing the encrypted packets. So anything that is not encrypted will *see* the router.

See the link below for alot more details then I can recall this early in the am

Cisco PIX Firewall and VPN Configuration Guide, Version 6.2

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/

There are few good books nowdays that cover configuring VPNs across PIXs.

MikeS

Find me at

http://www.packetattack.com

&quot;Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots.&quot;
Sun Tzu