[c-nsp] PIX VPN Mesh w/ OSPF

su1droot su1droot at gmail.com
Sun Jan 16 14:54:41 EST 2005


Rumor is 7.0 is Q1.  

I know we terminate GRE tunnels on a 4500 switch and the configuration
is available on a 3560.  I would think that it would have to be an EMI
switch.  There is mention of it on a white paper for the 3750.


On Sat, 15 Jan 2005 23:18:13 -0800, Dave Breiland
<superdave at dynamicis.com> wrote:
> The main reason I am even looking at the PIX, is because we need
> firewalls at all locations anyways.  There are currently only
> linux/iptables boxes acting as firewalls.  I want some sort of
> solid-state firewall.  The question I originally posted was more of a
> "nice-to-have" than a project necessity.  I know that IOS can run as a
> "firewall", but haven't found it to be as easy to manage as a PIX.
> That's just my opinion... I'm sure others would argue the opposite.  As
> always it's a matter of a person's familiarity.  If I didn't have a need
> for firewalls I would probably go that route.  I am probably going to
> have some 3750's behind the PIX's.  Could I perform the GRE tunneling on
> those?
> 
> This may sound like a silly question... but when is 7.x expected to be
> released?  Just curious how long it will be till we get these fun new
> features.
> 
> Thanks,
> Dave
> 
> 
> Rodney Dunn wrote:
> 
> >On Sat, Jan 15, 2005 at 02:22:04PM -0500, su1droot wrote:
> >
> >
> >>You will have to watch out the PIX will not route traffic between VPN
> >>tunnels in the current 6.x release.  I've seen note that this feature
> >>will be in the upcoming 7.0 release, but I don't hold my breath.
> >>
> >>
> >
> >I've helped troubleshoot some issues similar to this
> >lately.  I asked this same question for a deployment
> >we were doing yesterday and I was told the same thing about
> >7.0 that it should have the ability to route traffic between
> >VPN's.
> >
> >
> >
> >>Also to support a routing protocol across the tunnels (since IPSec
> >>doesn't support multicast or broadcast)  you should run GRE across the
> >>IPSec tunnels.  We are doing a similar setup at a customer who is
> >>doing IPSec PIX to PIX and GRE from an internal router over the IPSec
> >>to an internal router at the remote end.  You will have to play with ip
> >>mtu and mss values on the GRE tunnel though.
> >>
> >>
> >
> >I also helped troubleshoot two issues like this last week.
> >One was with a PIX as the IPSEC termination box and the
> >other was with a VPN3000.  The hardest thing to get working
> >was the routing over the tunnels and at the same time
> >make sure you do not have a recursive routing problem.
> >Especially between the IPSEC termination box and the router
> >sitting behind it doing the GRE termination.
> >
> >Just an fyi..
> >
> >Rodney
> >
> >
> >
> >>On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland
> >><superdave at dynamicis.com> wrote:
> >>
> >>
> >>>I want to make sure I'm on the right track and haven't set myself up for
> >>>failure...
> >>>I have 4 offices around the US.  Each site has a different ISP...
> >>>connected with a T1.  My plan was to have a PIX-515 at each site.  I
> >>>would use the PIX's to create VPNs between each and every site.  My
> >>>guess is that there will be times that the ISPs will have routing issues
> >>>between each other.  To get around this, I would think that...
> >>>-Route between Site A and Site B fails
> >>>-Site B re-routes data to Site C which still has VPN to Site A.
> >>>Presumably this would require EIGRP or OSPF.  Unfortunately it looks
> >>>like the PIX only supports OSPF.
> >>>Is this the right direction/steps I should be taking?
> >>>Am I just over complicating things?
> >>>Has anyone had success with OSPF and the PIXs?
> >>>
> >>>Thanks for any input.
> >>>
> >>>Dave
> >>>_______________________________________________
> >>>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >>>
> >>>
> >>
> >>
>
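As an added example (not posted by anyone in this thread), here is the internal-router side of the setup su1droot and Rodney describe: a GRE tunnel riding the PIX-to-PIX IPsec, OSPF over that tunnel, the ip mtu / MSS tuning, and a static route that keeps the GRE endpoint from ever being learned through the tunnel itself (the recursive-routing problem). All addresses, the Tunnel12 name and the 1400/1360 values are constructed assumptions for illustration, not values from the thread.

```ios
! Site A internal router (behind the Site A PIX). All addresses are constructed.
! 10.1.0.0/16 = Site A LAN, 10.2.0.0/16 = Site B LAN (learned via OSPF),
! 10.255.1.1 / 10.255.2.1 = loopbacks used as GRE endpoints at A and B,
! 10.1.0.254 = Site A PIX inside interface (next hop toward the other sites).
!
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
!
! GRE tunnel to Site B. It rides the PIX-to-PIX IPsec tunnel, so GRE (IP
! protocol 47) between the two loopbacks must match the PIX crypto ACL.
interface Tunnel12
 description GRE to Site B over PIX IPsec
 ip address 172.16.12.1 255.255.255.252
 ! Leave room for GRE (24 bytes) plus ESP tunnel-mode overhead on the
 ! 1500-byte T1 path; 1400 is a conservative starting point to tune from.
 ip mtu 1400
 ! Clamp TCP MSS on sessions crossing the tunnel so hosts do not depend on
 ! PMTUD, which ICMP-filtering firewalls often break.
 ip tcp adjust-mss 1360
 ! Point-to-point OSPF: no DR/BDR election on a two-router link.
 ip ospf network point-to-point
 tunnel source Loopback0
 tunnel destination 10.255.2.1
!
! Recursive-routing guard: the GRE destination must always be reached via
! the PIX, never through the tunnel itself. The static (AD 1) always beats
! an OSPF route (AD 110) to 10.255.2.1 that might arrive over Tunnel12;
! without it the tunnel would route into itself and flap.
ip route 10.255.2.1 255.255.255.255 10.1.0.254
!
router ospf 1
 router-id 10.255.1.1
 ! Advertise the LAN and the tunnel link only; the loopback endpoints are
 ! deliberately left out so they are never offered to the far side.
 network 10.1.0.0 0.0.255.255 area 0
 network 172.16.12.0 0.0.0.3 area 0
 passive-interface default
 no passive-interface Tunnel12
!
! Repeat a Tunnel block and a /32 static route per remote site (C, D). With
! every pair meshed, if the A-B ISP path fails OSPF reconverges on A-C-B.
```

The same block, mirrored, goes on each remote internal router; the PIX at each site needs its crypto ACL to cover GRE between the loopback pairs, otherwise the tunnels never come up.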

