Can I simulate a VPN at home, with this equipment?

Unanswered Question
Sep 28th, 2008
User Badges:

Hi,


I want to practise creating a site-t-site VPN at home, possible?


I have a Cisco 2620 and 1721 with a crypto ISO and a Cisco 2950 switch and a cisco Pix 515 with 3Des.


Could I create a VPN between 2 routers? I guess I would need to use the switch with it's VLAN's somehow.


I would also like to setup a router to the Pix after, I just can't working how I can set this up as I believe I will need to use a VLAN to work as the internet?


Thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
whiteford Sun, 09/28/2008 - 07:41
User Badges:

Hi Andrew,


I will have to use loopbacks as both routers only have 1 FE each, what would the loopback be used for?


For both scenarios would I need just the one VLAN on the switch and put the FE of each router in and for the other scenario one FE of the router and one of the PIX?


Just wondered how you would set this up? I will go away and set this up then.


Thanks

I would:-


Create 3 vlans:- Internet, SiteA & SiteB


Have 3 IP Addressing subnets for each.


The switch would have no SVI's


Create loopback interfaces on both routes (they are the inside)


Assign internal IP subnets to the loopbacks.


Assign the external IP subnet to the physical interfaces (they are the outside)


Create the:-


VPN

No-NAT

Encryption domains


Then to bring the VPN's up - use an extended ping from loopback to loopback, this will work if the rest is setup OK.


For now leave the PIX out of it, once you get the above working - then you can add the pix, as this changes the topology quite a bit.


HTH>

whiteford Sun, 09/28/2008 - 08:26
User Badges:

This is most useful. I am trying to draw this before I start, unfortunately I don't have any software to do this, so pen and paper.


I'm a bit confused with the 3 VLAN's.


Router 1 requirements:

Loopback (inside) - 192.168.1.1/24

FE (outside) - 10.10.10.1/24

Add to VLAN 1 on switch


Router 2 requirements:

Loopback (inside) - 192.168.2.1/24

FE (outside) - 10.10.11.1/24

Add to VLAN 2 on switch


VLAN 3 - Internet


How can I get the 3 VLAN's to work as the internet? I have a L2 switch (2950), but also a L3 switch (3550), we I be routing the VLAN's?

For the current setup - the internet vlan is all you need.


The other 2 vlans can come into play with the pix and the 35xx - when you have the above running.


Just put the FE of the 2 routers into the Internet VLAN. They will sumulate the "Internet" the 2 loopbacks will simulate the 2 LAN's of the retmote sites.


Nice and simple - 2 routers, 1 switch - nice topology to start with.


HTH>

whiteford Sun, 09/28/2008 - 10:31
User Badges:

Thanks Andrew, I guess the 2 FE's of the 2 routers that are in the "internet" vlan will have to have similar IP's in the same "subnet" to talk to each other as it the routing is working?

whiteford Mon, 09/29/2008 - 02:26
User Badges:

Hi Andrew,


So for the FE's on each router I should use a class A IP?


I'm not sure I understnad the rest. Each router into the same "internet" VLAN, then they must be using a similar IP range to ping each other I guess, before I add the crypto's etc.


Unless you are suggesting I can route within the single "internet" VLAN to 2 completely different IP Peers address and use some static routes?


Thanks


Andy,


Yes - something like:-


rt1 - 1.1.1.1 255.0.0.0

rt2 - 2.1.1.1 255.0.0.0


Yes - that's why you configure classless routing, with a default gateway. I could into a deep an long explaination of both, but for this lab you just need to confgure on both routers:-


ip classless

ip route 0.0.0.0 0.0.0.0 interface FE



whiteford Mon, 09/29/2008 - 02:40
User Badges:

Andrew that's great, it makes sense.


Add the route to the FE's for the outbound traffic.


The only other part is the VLAN itself. I have a L2 and L3 switch that I can use here.


I see the 2 IP address for the FE's are on different subnets but in the same VLAN, so the L3 switch will be needed? If so how would this be done?


In my head I was thinking more or 2 vlans for each router and route between the 2, if if there is an easier way then :)

Andy,


You can use the L3 switch if you want to - but for this simple lab I don't see the need to be honest.


The VLAN is layer 2 - so the IP addresses that the routers use will never leave the VLAN will they? As the L2 switch does not have a L3 interface - it just works on L2, effectivly a closed VLAN.


If your routers only have 1 FE interface - how are they going to route to each other if they are in seperate VLANS? For that topology you would need to use the L3 switch, as the L3 switch would have a L3 interface in both VLAN's. Do not forget to have inter-vlan routing you NEED a layer 3 routing device.


HTH>

whiteford Mon, 09/29/2008 - 02:57
User Badges:

I see, I couldn't get round in my head that 2 IP's for the FE were on different subnets in the same VLAN so wondered how they would the ping each other, so I assumed some sort of ruting would be needed.



cisco24x7 Mon, 09/29/2008 - 03:55
User Badges:
  • Silver, 250 points or more

For simple lab, you can do something like this:


interface f0/1

ip address 192.168.1.1 255.255.255.0

ip address 10.0.0.1 255.255.255.0 secondary

ip address 172.16.1.1 255.255.255.0 secondary


that way, you can connect the router to a hub,

host A on network 192.168.1.0/24 net, host B

on network 10.0.0.0/24 net and host C on

network 172.16.1.0/24 network and they

can ping each other because of secondary

address on the router. No need for VLAN

and switch.

cisco24x7 Mon, 09/29/2008 - 04:35
User Badges:
  • Silver, 250 points or more

People use secondary ip addresses everyday in

a production environment. You see this a lot

on Nokia IP appliances running Checkpoint

firewalls.


I use secondary IP for a lot of customers

whiteford Mon, 09/29/2008 - 04:54
User Badges:

Not sure I understand, are these 3 IP's add to each VPN router?

cisco24x7 Mon, 09/29/2008 - 10:12
User Badges:
  • Silver, 250 points or more

What I am trying to say is that you can use

just one interface on the router with multiple

secondary ip addresses to simulate an Internet

cloud.

Actions

This Discussion