
PIX VPN, from nat without VPN to nat with it


Archived from groups: comp.dcom.vpn

Hi,

I am not a Cisco PIX guru, I just need to know if something is
possible ;-)

On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
of PIX 506 with VPN capabilities too.

Is it possible to do so?

On the central site, we'd use real IP addressing for the servers. I.e.,
195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.

On the remote site, we have most of the time a Private Network
according to the RFC hide-nated to the IP of the external interface of
the firewall.

So, now, the RFC hide-nated networks get the external IP of the PIX
506 firewall if they need to get into 195.238.10.0/26. It works ok.

Now, for security reasons, we'd need to have the nated data flow to be
VPN encrypted and auth.

What to add into the PIX 506 and PIX 515 to achieve so?

Thank you,

Allan


If I understand correctly you want to have your central location
running servers with routable IP addresses? I hope I am
misunderstanding this point but that's another discussion.

You want to have each of the remote location PIX506 connect in to the
central PIX515 to access server-based resources. Not a problem.

You create static LAN-to-LAN VPN tunnels between the 506s and the
single 515. Think of it as a Hubbed Topology. Using the appropriate
static route statements you have traffic route over the VPN. If you
extend the static routes out properly (hopefully using a router, not
the PIX515) you can even have each location accessible across the
sites.

With enough planning and bandwidth, you could even create multiple L2L
tunnels creating a more meshed topology. Mostly to interconnect the
more critical locations. It would mean faster transfers and
communication as all traffic wouldn't have to route through the
central site. You do run the risk of tapping the throughput of the
PIX506 rather quickly though.

Side suggestion, if you can in any way afford it, an important point
is that your single point of failure is the lone PIX515. Get that in
to an HA pair. It's actually rather simple to configure.

- John




On 5 Jul 2004 03:55:05 -0700, nwu-cge@iximail.com (Allan Wilson)
wrote:

>Hi,
>
>I am not a Cisco PIX guru, I just need to know if something is
>possible ;-)
>
>On a central site, I'd have a PIX 515 with VPN. On remote sites, a lot
>of PIX 506 with VPN capabilities too.
>
>Is it possible to do so?
>
>On the central site, we'd use real IP addressing for the servers. I.e.,
>195.238.10.0/26 with .1 for the firewall, .2, .3, .4 for the servers.
>
>On the remote site, we have most of the time a Private Network
>according to the RFC hide-nated to the IP of the external interface of
>the firewall.
>
>So, now, the RFC hide-nated networks get the external IP of the PIX
>506 firewall if they need to get into 195.238.10.0/26. It works ok.
>
>Now, for security reasons, we'd need to have the nated data flow to be
>VPN encrypted and auth.
>
>What to add into the PIX 506 and PIX 515 to achieve so?
>
>Thank you,
>
>Allan
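To make John's hub-and-spoke answer concrete, here is a minimal PIX 6.3-style configuration for one 506 spoke and the matching entry on the 515 hub; it is an added illustration, not configuration from the thread or from Cisco. It assumes the spoke LAN is 192.168.1.0/24 behind the 506, the 515's outside address is 195.238.10.1 as Allan describes, a placeholder pre-shared key, and PIX 6.3 (needed for AES-256 and DH group 5). The line that turns "nat without VPN" into "nat with it" is the `nat (inside) 0 access-list` exemption: without it the hub-bound packets are still PATed to the outside address and never match the crypto ACL, so they leave in the clear.

```text
: ---- Spoke: PIX 506, inside LAN 192.168.1.0/24 (assumed), default route to the ISP already present ----
: Exempt hub-bound traffic from the hide-NAT; otherwise it is PATed to the outside
: address and never matches the crypto ACL. All other traffic keeps using PAT.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 195.238.10.0 255.255.255.192
access-list VPN-HUB permit ip 192.168.1.0 255.255.255.0 195.238.10.0 255.255.255.192
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
sysopt connection permit-ipsec
: Phase 1: pre-shared key bound to the 515's address (PLACEHOLDER-PSK is a placeholder)
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-PSK address 195.238.10.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
: Phase 2: ESP AES-256 with SHA-1 HMAC, static peer; only VPN-HUB traffic enters the tunnel
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map HUBMAP 10 ipsec-isakmp
crypto map HUBMAP 10 match address VPN-HUB
crypto map HUBMAP 10 set peer 195.238.10.1
crypto map HUBMAP 10 set transform-set STRONG
crypto map HUBMAP interface outside

: ---- Hub: PIX 515, outside 195.238.10.1; one ACL pair and crypto map entry per spoke ----
: SPOKE1-OUTSIDE-IP is a placeholder for the 506's public address.
: The NONAT line only matters if the 515 translates its inside; with real addresses and identity NAT it is a no-op.
access-list NONAT permit ip 195.238.10.0 255.255.255.192 192.168.1.0 255.255.255.0
access-list VPN-SPOKE1 permit ip 195.238.10.0 255.255.255.192 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-PSK address SPOKE1-OUTSIDE-IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto map SPOKES 10 ipsec-isakmp
crypto map SPOKES 10 match address VPN-SPOKE1
crypto map SPOKES 10 set peer SPOKE1-OUTSIDE-IP
crypto map SPOKES 10 set transform-set STRONG
: Next spoke: its own VPN-SPOKE2 ACL, NONAT line, isakmp key, and "crypto map SPOKES 20 ..." entries
crypto map SPOKES interface outside
```

The crypto ACLs on the two sides must mirror each other exactly, and a separate pre-shared key per spoke keeps one compromised 506 from impersonating the others; `show crypto isakmp sa` and `show crypto ipsec sa` on either box confirm the tunnel is up and counting encrypted packets.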
