I have an 827 ADSL router for a small SOHO LAN and a PIX 515 at the office. BellSouth is providing the DSL service, and I have a block of eight public IPs at my disposal. I currently have a functioning VPN (tunnel works, can ping both sides, pcAnywhere works, etc.), but I'm seeking an expert's advice on how I can improve the setup.
Some details: BellSouth "business-class" ADSL service is provisioned so that the WAN IP is dynamic (PPPoE), but the block of eight public IPs is reachable regardless of that dynamic WAN address. Currently, I am not using those public addresses on the LAN; instead I'm using the 172.16.0.0 private block. More on that in a minute. The corporate LAN uses the 10.0.0.0 block, but the PIX outside interface is accessible from the Internet. The purpose of the VPN is for access to server data (W2K network) and, more importantly, for IP telephony and H.323 videoconferencing.
On the 827 side, the tunnel is terminated on the Dialer interface, which gets its IP via PPPoE. As this address is dynamic, the tunnel must be initiated from the 827 to the PIX, with the PIX accepting wildcard sources and authenticating the remote with a shared secret. I set up the 827 this way because I didn't know you could terminate IPSec tunnels anywhere else but on the WAN interface. The problem with this setup is that the tunnel will only set up if there is LAN traffic originating from the 172.16.0.0 network and going to 10.0.0.0. I'd like the tunnel to be established any time the 827 is on, so that I can remotely manage the SOHO LAN.
So here are my questions:
1. Should I terminate the tunnel on a different interface?
2. Very Important: How can I have the tunnel up any time the 827 is on?
3. Would using the public IPs help any of this to happen? How could they best be used?
4. How can I configure the 827 and PIX so that the H.323 traffic stays out of the encrypted tunnel?
5. What would an experienced engineer add to or delete from the config?
I would use EzVPN in this scenario; with the "connect auto" command the tunnel will always try to establish itself as long as the router is running. If you set it up in Network Extension mode then you'll still have access to the internal hosts. Split tunnelling is also supported, which is what you're currently doing.
You'll need 12.2(8)YJ1 on the router, and you can read how to configure it here:
It basically turns your router into a VPN client, rather than a LAN-to-LAN tunnel like you have now. The config on the head-end is also shown in this link. Use the example WITHOUT XAuth; otherwise you'll have to have someone at the remote end manually authenticate before the tunnel will come up each time.
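The configuration the answer above describes, written out as an added example (not posted in this thread and not from the linked document): an EzVPN remote profile on the 827 with "connect auto" and network-extension mode, bound to the PPPoE Dialer interface, and a matching no-XAuth head-end on the PIX. The profile name "soho", group "sohogroup", key "s3cret", PIX outside address 192.0.2.1, interface numbers and the PIX 6.3 command syntax are all assumptions for illustration; the addressing (172.16.0.0 SOHO LAN, 10.0.0.0 corporate LAN) is taken from the original post.

```cisco
! --- Cisco 827 (EzVPN remote / hardware client), IOS 12.2(8)YJ1 or later ---
! Assumed names and addresses (not from the thread): profile "soho",
! group "sohogroup", key "s3cret", PIX outside 192.0.2.1,
! SOHO LAN 172.16.0.0/24 on Ethernet0, PPPoE on Dialer1.
!
crypto ipsec client ezvpn soho
 group sohogroup key s3cret
 mode network-extension
 peer 192.0.2.1
 connect auto
!
! "inside" marks the LAN whose real addresses are carried through the
! tunnel in network-extension mode (no PAT behind a single client address).
interface Ethernet0
 ip address 172.16.0.1 255.255.255.0
 crypto ipsec client ezvpn soho inside
!
! The tunnel is bound to the Dialer interface that holds the dynamic
! PPPoE address; "connect auto" brings it up as soon as Dialer1 is up,
! without waiting for interesting LAN traffic.
interface Dialer1
 ip address negotiated
 encapsulation ppp
 crypto ipsec client ezvpn soho
!
! --- PIX 515 head-end (PIX 6.3 syntax, assumed) ---
! Corporate LAN 10.0.0.0/8 behind "inside". No XAuth is configured,
! so the router authenticates with the group pre-shared key alone.
access-list split permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Group definition: the password is the key the 827 presents; the
! split-tunnel ACL lists what the remote sends through the tunnel.
vpngroup sohogroup password s3cret
vpngroup sohogroup split-tunnel split
vpngroup sohogroup idle-time 1800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
sysopt connection permit-ipsec
```

With split tunnelling only traffic for the networks in the split-tunnel list (10.0.0.0 here) is encrypted; everything else from the 172.16.0.0 LAN, including H.323 sessions to hosts on the Internet, leaves the 827 unencrypted over the PPPoE link. Because network-extension mode carries the 172.16.0.0 addresses unchanged, the PIX still needs the NAT exemption (nat 0) shown above, and corporate hosts need a route for 172.16.0.0 pointing at the PIX inside interface.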
Thanks for your reply. I'm already digging into the EzVPN documentation. Sounds like that is the best long-term solution, not just for this setup but for many others as well.
If you have a second I'd appreciate your advice about the setup if I weren't using EzVPN. I haven't been able to find much on the pros/cons of tunnel termination on virtual interfaces. Also, how can I manually configure the setup to achieve the same results as the Network Extension mode of EzVPN? Lastly, is it at all possible to get that tunnel to establish itself without EzVPN (like maybe a RIP update to generate traffic...)?