[clue-tech] OT: Cisco PIX VPN question
Mike Staver
staver at fimble.com
Wed Jan 12 23:20:30 MST 2005
David - thanks for the input, I did successfully get the VPN going at
work using IPSEC with a PIX 515e. A lot of people weighed in and gave me
advice, and I read a lot of docs on it. I love it, I think it's very
fast and it met every expectation I had for a VPN. It was a lot of work
to rearrange my poorly designed network, but now that I did, I'm glad I
did it. This brings me to my next question... I got my hands a PIX 501
recently, so I'm trying to use it at home - eventually setting up a
direct tunnel to work. I used to have my Cisco 678 DSL router nat'n
traffic and I did some port forwarding because I have a static IP with
Viawest. Well, now I threw my PIX into the mix.... and what I would
like to do is have my static IP be completely forwarded through the 678
to the PIX, and I'll handle NAT, etc from there. Right now this is what
I have:
Viawest
|
|
Cisco 678
(external IP 216.150.207.X,
internal IP 192.168.2.1)
|
|
Cisco PIX 501
(external IP 192.168.2.2,
internal IP 192.168.1.1)
I then have my LAN setup behind the PIX with DHCP, etc. What I want is for
the 678 to be completely passive, forwarding all network traffic and routing
for 216.150.207.X to my PIX. I see a setting on the 678 to turn off
NAT... which is what I want I think. That brings me to a question though: on
the PIX what would my routes look like? Currently on the PIX:
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
So, I think I would change the address outside to 216.150.207.X - but
it's that route statement that's gonna get me... right now I route it to
the internal IP of the 678... but what is that internal IP going to
become if I turn off NAT? And also, I'm not sure about the static
mappings through the PIX - I've never mapped a specific port using a PIX
like that, I just map the entire IP like so:
static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 0 0
I'm sure there is a way to forward just the ports, like I would on the
678...
Maybe I'm just overthinking this... has anybody done this with their DSL
lines and a router/firewall?
David Anselmi wrote:
> Mike Staver wrote:
>
>> Is there anybody out there familiar with setting up a Cisco PIX VPN and
>> using PPTP to connect to it? If so, please email me off list. I'm
>> having a problem while troubleshooting a connection. Thanks!
>
>
> Sadly, no. I might not have left my last job if they'd let me help with
> the VPN design/config.
>
> But the PIX will do L2TP and IPSEC, which is built in to Win 2k and
> later (2k may need the right service pack, IIRC). And it has its own
> fancy-shmancy client that runs on Win and Linux. Maybe that helps and
> you can let PPTP die (it's time, after all).
>
> Dave
> _______________________________________________
> CLUE-tech mailing list
> CLUE-tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
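The worry in the post above is that changing the PIX outside address to the public IP while leaving the route and static lines pointing at 192.168.2.x would leave the default gateway off any directly connected subnet. The following checker is an added example, not code from the original post or from Cisco: it parses the five PIX 6.x command forms quoted in the thread (ip address, nat, global, static, route) and reports exactly that kind of mismatch. The public address 203.0.113.5/29 in the draft config is a constructed placeholder standing in for 216.150.207.X, and the static line for 192.168.1.10 is the one from the post.

```python
"""Consistency check for PIX-style interface, NAT, static and route lines.

Added example (not from the original post): it parses the command forms
quoted in the thread and flags a route next hop or a static's outside
address that no longer sits on the named interface's subnet, plus a nat id
with no matching global pool.
"""
import ipaddress
import re


def parse_pix(config_text):
    """Parse the subset of PIX 6.x syntax quoted in the thread into a dict."""
    cfg = {"ifaces": {}, "routes": [], "statics": [], "nat_ids": set(), "global_ids": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if tok[:2] == ["ip", "address"]:
            # ip address <ifname> <addr> <mask>
            cfg["ifaces"][tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "route":
            # route <ifname> <dest> <mask> <gateway> [metric]
            dest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            cfg["routes"].append((tok[1], dest, ipaddress.ip_address(tok[4])))
        elif tok[0] == "nat":
            # nat (<ifname>) <id> <net> <mask> ...
            cfg["nat_ids"].add(int(re.match(r"nat \(\w+\) (\d+)", line).group(1)))
        elif tok[0] == "global":
            # global (<ifname>) <id> interface|<addr> ...
            cfg["global_ids"].add(int(re.match(r"global \(\w+\) (\d+)", line).group(1)))
        elif tok[0] == "static":
            # static (<in_if>,<out_if>) <outside_addr> <inside_addr> netmask <mask> ...
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)", line)
            cfg["statics"].append((m.group(1), m.group(2),
                                   ipaddress.ip_address(m.group(3)),
                                   ipaddress.ip_address(m.group(4))))
    return cfg


def check(cfg):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    for ifname, dest, gw in cfg["routes"]:
        iface = cfg["ifaces"].get(ifname)
        if iface is None:
            problems.append(f"route {dest} names unknown interface {ifname}")
        elif gw not in iface.network:
            # The gateway must be on-link; otherwise the PIX cannot ARP for it.
            problems.append(f"route {dest}: next hop {gw} is not on {ifname} subnet {iface.network}")
    for in_if, out_if, out_addr, in_addr in cfg["statics"]:
        out_iface, in_iface = cfg["ifaces"].get(out_if), cfg["ifaces"].get(in_if)
        if out_iface is None or in_iface is None:
            problems.append(f"static ({in_if},{out_if}) names an unknown interface")
            continue
        if out_addr not in out_iface.network:
            # A static's outside address is answered by proxy ARP on that interface,
            # so it must belong to the outside interface's subnet.
            problems.append(f"static: outside address {out_addr} is not on {out_if} subnet {out_iface.network}")
        if in_addr not in in_iface.network:
            problems.append(f"static: inside address {in_addr} is not on {in_if} subnet {in_iface.network}")
    for nid in cfg["nat_ids"]:
        # nat id 0 means "no translation" and needs no global pool.
        if nid != 0 and nid not in cfg["global_ids"]:
            problems.append(f"nat id {nid} has no matching global pool")
    return problems


# The configuration quoted in the post (outside address still on the 678's LAN).
POSTED_CONFIG = """
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 0 0
"""

# Constructed draft: outside moved to a placeholder public block (203.0.113.5/29
# stands in for 216.150.207.X) while the route and static still reference 192.168.2.x.
DRAFT_CONFIG = """
ip address outside 203.0.113.5 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
static (inside,outside) 192.168.2.10 192.168.1.10 netmask 255.255.255.255 0 0
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("draft", DRAFT_CONFIG)):
        issues = check(parse_pix(text))
        print(f"{name}: {'ok' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Running it reports the posted config as consistent and flags two problems in the draft: the default route's next hop 192.168.2.1 and the static's outside address 192.168.2.10 both fall outside the new outside subnet, which is the part of the rewrite that has to change along with the interface address.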