[c-nsp] PIX VPN Mesh w/ OSPF

Dave Breiland superdave at dynamicis.com
Sun Jan 16 02:18:13 EST 2005


The main reason I am even looking at the PIX, is because we need 
firewalls at all locations anyways.  There are currently only 
linux/iptables boxes acting as firewalls.  I want some sort of 
solid-state firewall.  The question I originally posted was more of a 
"nice-to-have" than a project necessity.  I know that IOS can run as a 
"firewall", but haven't found it to be as easy to manage as a PIX.  
That's just my opinion... I'm sure others would argue the opposite.  As 
always it's a matter of a person's familiarity.  If I didn't have a need 
for firewalls I would probably go that route.  I am probably going to 
have some 3750's behind the PIX's.  Could I perform the GRE tunneling on 
those?

This may sound like a silly question... but when is 7.x expected to be 
released?  Just curious how long it will be till we get these fun new 
features.


Thanks,
Dave



Rodney Dunn wrote:

>On Sat, Jan 15, 2005 at 02:22:04PM -0500, su1droot wrote:
>
>>You will have to watch out: the PIX will not route traffic between VPN
>>tunnels in the current 6.x release.  I've seen a note that this feature
>>will be in the upcoming 7.0 release, but I don't hold my breath.
>
>I've helped troubleshoot some issues similar to this
>lately.  I asked this same question for a deployment
>we were doing yesterday and I was told the same thing about
>7.0 that it should have the ability to route traffic between
>VPN's.
>
>>Also, to support a routing protocol across the tunnels (since IPsec
>>doesn't support multicast or broadcast) you should run GRE across the
>>IPsec tunnels.  We are doing a similar setup at a customer who is
>>doing IPsec PIX to PIX and GRE from an internal router over the IPsec
>>to an internal router at the remote end.  You will have to play with ip
>>mtu and mss values on the GRE tunnel though.
>
>I also helped troubleshoot two issues like this last week.
>One was with a PIX as the IPSEC termination box and the
>other was with a VPN3000.  The hardest thing to get working
>was the routing over the tunnels and at the same time
>make sure you do not have a recursive routing problem.
>Especially between the IPSEC termination box and the router
>sitting behind it doing the GRE termination.
>
>Just an fyi..
>
>Rodney
>
>
>>On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
>><superdave at dynamicis.com> wrote:
>>
>>>I want to make sure I'm on the right track and haven't set myself up for
>>>failure...
>>>I have 4 offices around the US.  Each site has a different ISP...
>>>connected with a T1.  My plan was to have a PIX-515 at each site.  I
>>>would use the PIX's to create VPNs between each and every site.  My
>>>guess is that there will be times that the ISPs will have routing issues
>>>between each other.  To get around this, I would think that...
>>>-Route between Site A and Site B fails
>>>-Site B re-routes data to Site C which still has VPN to Site A.
>>>Presumably this would require EIGRP or OSPF.  Unfortunately it looks
>>>like the PIX only supports OSPF.
>>>Is this the right direction/steps I should be taking?
>>>Am I just over complicating things?
>>>Has anyone had success with OSPF and the PIXs?
>>>
>>>Thanks for any input.
>>>
>>>Dave
>>>_______________________________________________
>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
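As an added example (not configuration from any poster in this thread), here is how the arrangement su1droot and Rodney describe could look on the Site A internal router sitting behind the PIX: OSPF runs across a GRE tunnel to the Site B internal router, the tunnel's IP MTU and TCP MSS are clamped, and a host route pins the remote tunnel endpoint to the local PIX so the tunnel can never be learned through itself (the recursive routing problem Rodney mentions). All addresses, interface names and the OSPF process number are constructed; the PIX-side IPsec configuration, which must also permit GRE (IP protocol 47) between the two internal routers in its crypto ACL, is left out.

```cisco
! Added example; not configuration from any poster in this thread.
! Site A internal router, inside leg 192.168.1.2, local PIX inside address 192.168.1.1,
! local LAN 192.168.10.0/24, Site B internal router 10.2.0.1 (all constructed).
!
! Pin the remote GRE endpoint to the PIX with a static host route. OSPF must never
! advertise 10.2.0.1 over Tunnel0, otherwise the tunnel would route its own
! encapsulated packets back into itself and IOS would shut it down for recursive routing.
ip route 10.2.0.1 255.255.255.255 192.168.1.1
!
interface FastEthernet0/0
 description Inside leg towards the local PIX (IPsec termination)
 ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet0/1
 description Site A LAN
 ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
 description GRE to Site B internal router, carried inside the PIX-to-PIX IPsec tunnel
 ip address 172.16.12.1 255.255.255.252
 ! GRE adds 24 bytes and the PIX adds ESP overhead on top; 1400 leaves enough
 ! headroom that the encapsulated packet still fits a 1500-byte T1 path without
 ! fragmentation.
 ip mtu 1400
 ! Clamp the MSS on TCP SYNs crossing the tunnel: 1400 minus 40 bytes of IP+TCP header.
 ip tcp adjust-mss 1360
 ! Treat the tunnel as a point-to-point OSPF link; no DR/BDR election needed.
 ip ospf network point-to-point
 ! Tunnel keepalives bring Tunnel0 down when Site B stops answering, so OSPF
 ! reconverges through another site instead of black-holing traffic.
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.2.0.1
!
router ospf 1
 router-id 172.16.0.1
 ! Advertise the LAN and the tunnel link only. The 192.168.1.0/24 leg and the
 ! remote endpoint 10.2.0.0/24 are deliberately kept out of OSPF.
 network 172.16.12.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 ! No OSPF neighbours live on the LAN segment.
 passive-interface FastEthernet0/1
```

The same pattern repeats for each remote site with its own Tunnel interface and static host route; with a full mesh of tunnels, OSPF on the internal routers provides the Site B -> Site C -> Site A fallback Dave asks about, which the PIX itself cannot do in 6.x.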

