01-21-2007 10:10 AM
We would like to upgrade our 1710 router to a PIX 515. Will this basic site-to-site VPN on the current router be compatible? Thanks.
no ip domain lookup
!
ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out http
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 7
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 63.172.1.150 no-xauth
crypto isakmp key xxxxxxxx address 65.121.10.2 no-xauth
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map RTPCLIENT 1 ipsec-isakmp
set peer 63.172.1.150
set transform-set myset
match address ECLIPSE
crypto map RTPCLIENT 2 ipsec-isakmp
set peer 65.121.10.2
set transform-set myset
match address BOULDER
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.252
!
interface Ethernet0
ip address 64.161.xxx.xxx 255.255.255.248
ip access-group fromoutside in
ip nat outside
ip inspect in2out out
no ip route-cache
no ip mroute-cache
half-duplex
crypto map RTPCLIENT
!
interface FastEthernet0
ip address 172.22.14.1 255.255.255.0
ip nat inside
ip policy route-map nonat
speed auto
half-duplex
no cdp enable
!
ip nat inside source route-map NAT interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.165.xxx.xxx
no ip http server
ip pim bidir-enable
!
!
ip access-list extended BOULDER
permit ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
ip access-list extended ECLIPSE
permit ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
ip access-list extended fromoutside
permit tcp 65.121.xxx.xxx 0.0.0.255 host 64.161.xxx.xxx eq telnet
permit icmp host 65.116.xxx.xxx host 64.161.xxx.xxx
permit esp any host 64.161.xxx.xxx
permit udp any host 64.161.xxx.xxx eq isakmp
permit ip 172.30.1.0 0.0.0.255 172.22.14.0 0.0.0.255
permit ip 192.168.168.0 0.0.0.255 172.22.14.0 0.0.0.255
permit udp host 18.145.xxx.xxx any eq ntp
permit udp host 164.67.62.xxx.xxx any eq ntp
ip access-list extended nating
deny ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
deny ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
permit ip 172.22.14.0 0.0.0.255 any
ip access-list extended nonat
permit ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
permit ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
route-map NAT permit 5
match ip address nating
!
route-map nonat permit 10
match ip address nonat
set ip next-hop 10.10.10.2
!
01-21-2007 11:02 AM
Hi
As far as the VPN config goes, yes a Pix 515E would be able to do this for you. The commands and syntax are slightly different but the principles are the same.
What I'm not sure is compatible is the PBR you are doing. On the PIX you can use policy NAT, which allows you to NAT to a different address depending on the destination address, which would meet some of your requirements. But you are also setting a next-hop IP address, which I am not aware you can do on a PIX.
You could just set up explicit routes for the 192.168.168.0/24 and 172.30.1.0/24 networks.
PIX firewalls also don't have loopback interfaces. Without knowing the full topology it is difficult to say whether a PIX will meet your full requirements.
HTH
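For concreteness, here is the posted router VPN rewritten the way it would look on a PIX 515 running 6.3. This is an added example, not a configuration from the original thread or from either poster, and the PIX software release is an assumption. Redacted addresses are kept as "xxx" exactly as in the router config. The main translations are: PIX access-lists take subnet masks rather than IOS wildcard masks; the route-map/"nating" deny lines become a NAT exemption (nat 0 access-list); the loopback plus policy-route trick disappears, because the crypto map applied to the outside interface catches traffic matching ECLIPSE/BOULDER as it follows the default route (an explicit "route outside" per remote subnet would also work); and the isakmp key and policy lines are flat commands instead of a sub-mode.

```cisco
: Added example (PIX 6.3 syntax assumed), not from the original thread.
: Redacted addresses left as xxx, as in the posted router config.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 64.161.xxx.xxx 255.255.255.248
ip address inside 172.22.14.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 64.165.xxx.xxx 1

: Crypto ACLs, same traffic as ECLIPSE/BOULDER on the router (subnet masks here).
access-list ECLIPSE permit ip 172.22.14.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list BOULDER permit ip 172.22.14.0 255.255.255.0 192.168.168.0 255.255.255.0

: NAT exemption replaces the router's route-map NAT + "nating" deny lines:
: VPN-bound traffic is never PATed, everything else is PATed to the outside IP.
access-list nonat permit ip 172.22.14.0 255.255.255.0 172.30.1.0 255.255.255.0
access-list nonat permit ip 172.22.14.0 255.255.255.0 192.168.168.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 172.22.14.0 255.255.255.0
global (outside) 1 interface

: Equivalent of the router's "fromoutside" ACL. Decrypted IPsec traffic
: bypasses this ACL because of sysopt connection permit-ipsec, so the
: remote-subnet permit lines from the router are not needed.
access-list fromoutside permit esp any host 64.161.xxx.xxx
access-list fromoutside permit udp any host 64.161.xxx.xxx eq isakmp
access-list fromoutside permit udp host 18.145.xxx.xxx any eq ntp
access-group fromoutside in interface outside
sysopt connection permit-ipsec

: Phase 1, matching the router's "crypto isakmp policy 7". The router policy
: has no encryption line, so it is running the IOS default (DES); the PIX
: default is DES too, so the peers still agree. DES and MD5 are weak; if you
: strengthen them, change both ends of each tunnel at the same time.
isakmp enable outside
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption des
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp key xxxxxxxx address 63.172.1.150 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key xxxxxxxx address 65.121.10.2 netmask 255.255.255.255 no-xauth no-config-mode

: Phase 2: same transform set and the same two crypto map entries.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map RTPCLIENT 1 ipsec-isakmp
crypto map RTPCLIENT 1 match address ECLIPSE
crypto map RTPCLIENT 1 set peer 63.172.1.150
crypto map RTPCLIENT 1 set transform-set myset
crypto map RTPCLIENT 2 ipsec-isakmp
crypto map RTPCLIENT 2 match address BOULDER
crypto map RTPCLIENT 2 set peer 65.121.10.2
crypto map RTPCLIENT 2 set transform-set myset
crypto map RTPCLIENT interface outside

: Management: PIX 6.x does not accept telnet on the outside interface except
: over IPsec, so allow ssh from the admin range the router ACL permitted.
ssh 65.121.xxx.xxx 255.255.255.0 outside
```

After cutting over, check "show crypto isakmp sa" (phase 1 should show QM_IDLE for each peer) and "show crypto ipsec sa" (one SA pair per crypto ACL line, with pkts encaps/decaps incrementing). Interesting traffic from 172.22.14.0/24 should show up in "show xlate" only for non-VPN destinations, which confirms the NAT exemption is matching before the PAT rule.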
01-21-2007 08:57 PM
Thanks Jon. My last question is if I am going to replace it with the 1841 router would it be compatible?
01-22-2007 12:26 AM
Hi
As long as you purchase the right IOS with it, then yes, you should be able to replace your 1700 with an 1841.
Bear in mind that there may be workarounds with the PIX to accommodate your needs, but as I say it is difficult to say for sure without a requirements list.
Generally speaking, routers give more flexibility than PIX firewalls, especially in terms of routing. I would use a PIX if I needed a dedicated firewall device. With VPNs a router can actually give more options.
HTH