Site-to-Site VPN with PIX and Router

tung
Level 1

We would like to upgrade our 1710 router to the PIX 515. Will this basic site-to-site VPN configuration from the current router be compatible? Thanks.

no ip domain lookup
!
! CBAC stateful inspection rule, applied outbound on Ethernet0 below
ip inspect name in2out rcmd
ip inspect name in2out tftp
ip inspect name in2out http
ip inspect name in2out udp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out realaudio
ip inspect name in2out vdolive
ip inspect name in2out netshow
ip audit notify log
ip audit po max-events 100
!
! IKE phase 1: pre-shared keys, MD5 hash, DH group 2 (no encryption line, so the IOS default applies)
crypto isakmp policy 7
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address 63.172.1.150 no-xauth
crypto isakmp key xxxxxxxx address 65.121.10.2 no-xauth
!
! IKE phase 2 proposal: ESP with 3DES and SHA-1 HMAC
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! One crypto map entry per peer; the match ACL defines the interesting traffic
crypto map RTPCLIENT 1 ipsec-isakmp
 set peer 63.172.1.150
 set transform-set myset
 match address ECLIPSE
crypto map RTPCLIENT 2 ipsec-isakmp
 set peer 65.121.10.2
 set transform-set myset
 match address BOULDER
!
interface Loopback0
 ip address 10.10.10.1 255.255.255.252
!
! Outside interface: inbound ACL, NAT outside, CBAC outbound, crypto map
interface Ethernet0
 ip address 64.161.xxx.xxx 255.255.255.248
 ip access-group fromoutside in
 ip nat outside
 ip inspect in2out out
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map RTPCLIENT
!
! Inside interface: NAT inside plus policy routing for VPN-bound traffic
interface FastEthernet0
 ip address 172.22.14.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat
 speed auto
 half-duplex
 no cdp enable
!
ip nat inside source route-map NAT interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 64.165.xxx.xxx
no ip http server
ip pim bidir-enable
!
! Crypto ACLs (interesting traffic), one per remote LAN
ip access-list extended BOULDER
 permit ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
ip access-list extended ECLIPSE
 permit ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
! Inbound ACL on Ethernet0: ISAKMP/ESP to the router, the two remote LANs after decryption,
! telnet/ICMP from specific sources, and NTP replies from two servers
ip access-list extended fromoutside
 permit tcp 65.121.xxx.xxx 0.0.0.255 host 64.161.xxx.xxx eq telnet
 permit icmp host 65.116.xxx.xxx host 64.161.xxx.xxx
 permit esp any host 64.161.xxx.xxx
 permit udp any host 64.161.xxx.xxx eq isakmp
 permit ip 172.30.1.0 0.0.0.255 172.22.14.0 0.0.0.255
 permit ip 192.168.168.0 0.0.0.255 172.22.14.0 0.0.0.255
 permit udp host 18.145.xxx.xxx any eq ntp
 permit udp host 164.67.62.xxx.xxx any eq ntp
! NAT ACL: exempt VPN traffic from PAT, translate everything else
ip access-list extended nating
 deny ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit ip 172.22.14.0 0.0.0.255 any
! PBR ACL: VPN-bound traffic is given a next hop inside the Loopback0 subnet
ip access-list extended nonat
 permit ip 172.22.14.0 0.0.0.255 192.168.168.0 0.0.0.255
 permit ip 172.22.14.0 0.0.0.255 172.30.1.0 0.0.0.255
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
route-map NAT permit 5
 match ip address nating
!
route-map nonat permit 10
 match ip address nonat
 set ip next-hop 10.10.10.2
!

3 Replies

Jon Marshall
Hall of Fame

Hi

As far as the VPN config goes, yes a Pix 515E would be able to do this for you. The commands and syntax are slightly different but the principles are the same.

What I'm not sure is compatible is the PBR you are doing. On the PIX you can use policy NAT, which allows you to NAT to a different address depending on the destination address, which would meet some of your requirements. But you are also setting a next-hop IP address, which I am not aware you can do on a PIX.

You could just set up explicit routes for the 192.168.168.0/24 and 172.30.1.0/24 networks.

Pix firewalls also don't have loopback interfaces. Without knowing the full topology it is difficult to say whether a Pix will meet your full requirements.

HTH

Thanks Jon. My last question is if I am going to replace it with the 1841 router would it be compatible?

Hi

As long as you purchase the right IOS with it, then yes, you should be able to replace your 1700 with an 1841.

Bear in mind that there may be workarounds with the PIX to accommodate your needs, but as I say, it is difficult to say for sure without a requirements list.

Generally speaking, routers give more flexibility than PIX firewalls, especially in terms of routing. I would use a PIX if I needed a dedicated firewall device. With VPNs a router can actually give more options.

HTH
