[c-nsp] PIX VPN Mesh w/ OSPF
Rodney Dunn
rodunn at cisco.com
Sun Jan 16 10:10:19 EST 2005
On Sat, Jan 15, 2005 at 11:18:13PM -0800, Dave Breiland wrote:
> The main reason I am even looking at the PIX, is because we need
> firewalls at all locations anyways. There are currently only
> linux/iptables boxes acting as firewalls. I want some sort of
> solid-state firewall. The question I originally posted was more of a
> "nice-to-have" than a project necessity. I know that IOS can run as a
> "firewall", but haven't found it to be as easy to manage as a PIX.
> That's just my opinion... I'm sure others would argue the opposite. As
> always it's a matter of a person's familiarity. If I didn't have a need
> for firewalls I would probably go that route. I am probably going to
> have some 3750's behind the PIX's. Could I perform the GRE tunneling on
> those?
>
> This may sound like a silly question... but when is 7.x expected to be
> released? Just curious how long it will be till we get these fun new
> features.
I don't know.
Rodney
>
>
> Thanks,
> Dave
>
>
>
> Rodney Dunn wrote:
>
> >On Sat, Jan 15, 2005 at 02:22:04PM -0500, su1droot wrote:
> >
> >
> >>You will have to watch out: the PIX will not route traffic between VPN
> >>tunnels in the current 6.x release. I've seen a note that this feature
> >>will be in the upcoming 7.0 release, but I don't hold my breath.
> >>
> >>
> >
> >I've helped troubleshoot some issues similar to this
> >lately. I asked this same question for a deployment
> >we were doing yesterday and I was told the same thing about
> >7.0, that it should have the ability to route traffic between
> >VPNs.
> >
> >
> >
> >>Also, to support a routing protocol across the tunnels (since IPSec
> >>doesn't support multicast or broadcast) you should run GRE across the
> >>IPSec tunnels. We are doing a similar setup at a customer who is
> >>doing IPSec PIX to PIX and GRE from an internal router over the IPSec
> >>to an internal router at the remote end. You will have to play with ip
> >>mtu and mss values on the GRE tunnel though.
> >>
> >>
> >
> >I also helped troubleshoot two issues like this last week.
> >One was with a PIX as the IPSEC termination box and the
> >other was with a VPN3000. The hardest thing to get working
> >was the routing over the tunnels and at the same time
> >make sure you do not have a recursive routing problem.
> >Especially between the IPSEC termination box and the router
> >sitting behind it doing the GRE termination.
> >
> >Just an fyi..
> >
> >Rodney
> >
> >
> >
> >>On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
> >><superdave at dynamicis.com> wrote:
> >>
> >>
> >>>I want to make sure I'm on the right track and haven't set myself up for
> >>>failure...
> >>>I have 4 offices around the US. Each site has a different ISP...
> >>>connected with a T1. My plan was to have a PIX-515 at each site. I
> >>>would use the PIXs to create VPNs between each and every site. My
> >>>guess is that there will be times that the ISPs will have routing issues
> >>>between each other. To get around this, I would think that...
> >>>-Route between Site A and Site B fails
> >>>-Site B re-routes data to Site C which still has VPN to Site A.
> >>>Presumably this would require EIGRP or OSPF. Unfortunately it looks
> >>>like the PIX only supports OSPF.
> >>>Is this the right direction/steps I should be taking?
> >>>Am I just over complicating things?
> >>>Has anyone had success with OSPF and the PIXs?
> >>>
> >>>Thanks for any input.
> >>>
> >>>Dave
> >>>_______________________________________________
> >>>cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >>>
> >>>
> >>
> >>
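Worked configuration for the design discussed in this thread (an added example, not posted by anyone on the list): a router sitting behind the PIX at Site A terminates GRE tunnels to the inside routers at Sites B and C, runs OSPF over them, tunes `ip mtu`/`ip tcp adjust-mss`, and pins each tunnel destination behind the PIX with a static /32 so the GRE endpoints can never be learned through a tunnel (the recursive-routing trap Rodney mentions). The PIX stanza shows only what changes on an existing 6.x site-to-site setup: the crypto and NAT-exemption ACLs match the GRE flow between the two inside routers. All hostnames, addresses, interface and ACL names are assumptions chosen for illustration.

```cisco
! ---- RTR-A: inside router at Site A, behind PIX-A (hypothetical addressing) ----
!   PIX-A inside 10.1.0.1, RTR-A 10.1.0.2, Site A LAN 192.168.1.0/24
!   RTR-B 10.2.0.2 (behind PIX-B), RTR-C 10.3.0.2 (behind PIX-C)
!   GRE A-B 172.16.12.0/30, GRE A-C 172.16.13.0/30
!
hostname RTR-A
!
interface FastEthernet0/0
 description To PIX-A inside
 ip address 10.1.0.2 255.255.255.0
!
interface FastEthernet0/1
 description Site A LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
 description GRE to RTR-B, carried inside the PIX-A <-> PIX-B IPsec tunnel
 ip address 172.16.12.1 255.255.255.252
 ! GRE adds 24 bytes (20 outer IP + 4 GRE) and ESP on the PIX adds more.
 ! 1400 leaves headroom on a 1500-byte path; adjust-mss rewrites the MSS
 ! in TCP SYNs so hosts never emit segments that would need fragmentation.
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! GRE keepalives take the tunnel down when the A-B Internet path breaks,
 ! so the OSPF adjacency drops and traffic reroutes via Site C.
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.2.0.2
!
interface Tunnel1
 description GRE to RTR-C, carried inside the PIX-A <-> PIX-C IPsec tunnel
 ip address 172.16.13.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 10.3.0.2
!
router ospf 1
 router-id 10.1.0.2
 ! Advertise the LAN and the tunnel subnets only. The 10.x.0.0/24 transit
 ! subnets between each router and its PIX are deliberately kept out of
 ! OSPF so no tunnel endpoint can be learned over a tunnel.
 network 192.168.1.0 0.0.0.255 area 0
 network 172.16.12.0 0.0.0.3 area 0
 network 172.16.13.0 0.0.0.3 area 0
 passive-interface FastEthernet0/1
!
! Recursive-routing guard: each tunnel destination is reachable via the
! PIX and nowhere else. If a remote router address were ever preferred
! through OSPF over a tunnel, IOS would try to send the tunnel's own GRE
! packets into that tunnel and disable it (%TUN-5-RECURDOWN).
! Static /32s (AD 1) always win over OSPF (AD 110).
ip route 10.2.0.2 255.255.255.255 10.1.0.1
ip route 10.3.0.2 255.255.255.255 10.1.0.1
! Default toward the PIX for Internet-bound LAN traffic.
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! ---- PIX-A (6.x syntax), additions to an existing site-to-site config ----
! The "interesting traffic" for each IPsec SA is the GRE flow between the
! two inside routers. The PIX never needs to forward between its own VPN
! tunnels: a packet from B to A that fails over via C is decapsulated by
! RTR-C and re-encapsulated into the C-A GRE tunnel before PIX-C sees it.
access-list CRYPTO_A_B permit gre host 10.1.0.2 host 10.2.0.2
access-list CRYPTO_A_C permit gre host 10.1.0.2 host 10.3.0.2
! Exempt the GRE flows from NAT so the crypto ACLs match the real addresses.
access-list NONAT permit gre host 10.1.0.2 host 10.2.0.2
access-list NONAT permit gre host 10.1.0.2 host 10.3.0.2
nat (inside) 0 access-list NONAT
! Bind the ACLs to the existing crypto map entries (peers, transform sets
! and ISAKMP policy are assumed to be configured already).
crypto map SITES 10 match address CRYPTO_A_B
crypto map SITES 20 match address CRYPTO_A_C
```

After bringing the tunnels up, `show ip ospf neighbor` on RTR-A should list RTR-B and RTR-C over Tunnel0 and Tunnel1, and `show ip route 10.2.0.2` must resolve to the static via 10.1.0.1, not to a tunnel interface; a `%TUN-5-RECURDOWN` message in the log means a tunnel endpoint leaked into OSPF and the static /32 for it is missing. If applications still stall over the tunnel, lower `ip mtu` (and `adjust-mss` by the same amount) until a `ping` with the DF bit set at the tunnel MTU succeeds end to end.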