[clue-tech] OT: Cisco PIX VPN question

Mike Staver staver at fimble.com
Wed Jan 12 23:20:30 MST 2005


David - thanks for the input. I did successfully get the VPN going at 
work using IPsec with a PIX 515E. A lot of people weighed in and gave me 
advice, and I read a lot of docs on it. I love it; I think it's very 
fast and it met every expectation I had for a VPN.  It was a lot of work 
to rearrange my poorly designed network, but now that I have, I'm glad I 
did it.  This brings me to my next question... I got my hands on a PIX 501 
recently, so I'm trying to use it at home - eventually setting up a 
direct tunnel to work.  I used to have my Cisco 678 DSL router NATing 
traffic, and I did some port forwarding because I have a static IP with 
Viawest.  Well, now I've thrown my PIX into the mix... and what I would 
like to do is have my static IP be completely forwarded through the 678 
to the PIX, and I'll handle NAT, etc. from there. Right now this is what 
I have:

   Viawest
       |
       |
   Cisco 678
(external IP 216.150.207.X,
  internal IP 192.168.2.1)
       |
       |
   Cisco PIX 501
(external IP 192.168.2.2,
  internal IP 192.168.1.1)

I then have my LAN set up behind the PIX with DHCP, etc.  What I want is 
for the 678 to be completely passive, forwarding all network traffic and 
routing for 216.150.207.X to my PIX.  I see a setting on the 678 to turn 
off NAT... which is what I want, I think.  That brings me to a question 
though: on the PIX, what would my routes look like? Currently on the PIX:

ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

So, I think I would change the outside address to 216.150.207.X - but 
it's that route statement that's gonna get me... right now I route it to 
the internal IP of the 678... but what is that internal IP going to 
become if I turn off NAT?  And also, I'm not sure about the static 
mappings through the PIX - I've never mapped a specific port using a PIX 
like that; I just map the entire IP like so:

static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 0 0

I'm sure there is a way to forward just the ports, like I would on the 
678...

Maybe I'm just overthinking this... has anybody done this with their DSL 
lines and a router/firewall?

David Anselmi wrote:
> Mike Staver wrote:
> 
>> Is there anybody out there familiar with setting up a Cisco PIX VPN and 
>> using PPTP to connect to it? If so, please email me off list. I'm 
>> having a problem while troubleshooting a connection. Thanks!
> 
> 
> Sadly, no.  I might not have left my last job if they'd let me help with 
> the VPN design/config.
> 
> But the PIX will do L2TP and IPSEC, which is built in to Win 2k and 
> later (2k may need the right service pack, IIRC).  And it has its own 
> fancy-shmancy client that runs on Win and Linux.  Maybe that helps and 
> you can let PPTP die (it's time, after all).
> 
> Dave
> _______________________________________________
> CLUE-tech mailing list
> CLUE-tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
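The post leaves open what the PIX side looks like once the 678 stops doing NAT, so here is a PIX 6.x-style configuration fragment added as an example; it is not from the original post, from a later reply, or from Cisco documentation. It assumes the 678 stays in routed mode with NAT disabled and that Viawest routes the public block so that 216.150.207.X can sit on the PIX outside interface, with the 678's LAN-side public address (placeholder 216.150.207.Y) as the PIX's next hop. The outside netmask, the placeholder Y, the internal web host 192.168.1.10 and the access-list name are all assumptions, not facts from the thread.

```cisco
! Assumed topology: 678 routed, no NAT; public /24 reachable on the PIX outside.
! 216.150.207.X = public address moved from the 678 onto the PIX outside interface.
! 216.150.207.Y = 678 LAN-side address (placeholder), now the PIX default gateway.
ip address outside 216.150.207.X 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Outbound PAT stays as before, now hiding the LAN behind the public address.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! The default route points at whatever address the 678 presents on its
! LAN side after NAT is turned off, not at 192.168.2.1 any more.
route outside 0.0.0.0 0.0.0.0 216.150.207.Y 1

! Port redirection (PIX 6.2+): only TCP/80 arriving on the outside interface
! address is mapped to the internal host; the rest of the address remains
! available for outbound PAT. This replaces a whole-IP static like the
! 192.168.2.10 -> 192.168.1.10 one, which would now need a second public IP.
static (inside,outside) tcp interface 80 192.168.1.10 80 netmask 255.255.255.255 0 0

! A static only creates the translation; traffic from outside to inside is
! still denied until an access-list on the outside interface permits it.
access-list outside_in permit tcp any host 216.150.207.X eq www
access-group outside_in in interface outside
```

If Viawest hands out only the single address 216.150.207.X rather than a routed block, the 678 cannot sit on a public address of its own in routed mode; it would have to bridge instead, and the PIX outside interface would then own the public address directly with the ISP's gateway as next hop. The thread does not say which arrangement applies, so check the 678's WAN/LAN addressing before choosing the route statement.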


