I have a 2610, a PIX firewall 515, and VPN client software. I don't want to use a VPN concentrator. I believe we can do the tunnelling without VPN concentrators. Where will these clients terminate... on the router? What am I missing here?
You should be able to use either the PIX or the 2610 to terminate your IPSec tunnels. If you use the 2610, you will need an IPSec IOS. If the 2610 is on the Internet side of the PIX, and you use the 2600 as the VPN endpoint, data between the router and the PIX is unencrypted, which may be a concern. If the 2600 is on the private side of the PIX or in a DMZ and you are using IPSec, you will need to punch a hole for ISAKMP and either AH or ESP (I suggest ESP).

If you use the PIX as the VPN endpoint, you can terminate at the outside interface and still control access with your conduit rules. If you want to use the PIX to terminate the VPNs but not to impose any rule checks, I understand you can use "sysopt ipsec pl-compatible" to make it look like they're terminating on the inside interface, although I haven't tried this.

The decision between using a concentrator or using the router/PIX is probably an administrative issue. Managing a few VPN connections using a router or PIX is not too bad; I have some of both. Keeping up with a large number of connections would be a nightmare, and I would prefer a concentrator for that. Whichever solution you choose, be careful of client software version compatibility.
"If you want to use the PIX to terminate the VPNs but not to impose any rule checks"
Well, the PIX is my firewall for the network. My point is that the number of VPN connections will not be large (by large I mean more than 100); it will be 20 concurrent connections at most, so I assume my PIX 515 has the capacity to work as a terminating point for VPNs and also as the network firewall. I really don't want to add another piece of hardware (a VPN concentrator) to my network, or you could say I can't. The other question is: does the Cisco VPN solution work with DSL? What if some of my clients have DSL, or is there any workaround for this?
If you want to have conduit rule checking for both the VPN and non-VPN traffic, use the "crypto map xxxxxx interface outside" command without the "sysopt ipsec pl-compatible". If you use the pl-compatible, I don't think the VPN traffic will be analyzed by the conduits, but non-VPN traffic still will be. Regarding DSL, I haven't set up a VPN over DSL yet, but I don't see where there should be any problem unless the DSL provider is doing address translation. Even if they are doing NAT, ESP should handle it but AH won't. Neither will handle Port Address Translation, though.
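The two answers above describe terminating the client tunnels on the PIX outside interface and keeping conduit checking in force. Below is an added example configuration in PIX 5.x/6.x command style that is not from the original thread or from Cisco's documentation; it assumes an outside address of 203.0.113.1, an inside mail server at 192.168.1.10, a client address range of 10.10.10.0/24, and a placeholder pre-shared key, all chosen for illustration.

```cisco
! Added example (not from the original thread). Addresses, names and the
! pre-shared key are assumptions; replace them for a real deployment.

! Phase 1 (ISAKMP) on the outside interface, wildcard pre-shared key for clients
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ChangeMeStrongPSK address 0.0.0.0 netmask 0.0.0.0

! Phase 2 (IPsec): ESP with authentication, as the answer above suggests,
! bound to a dynamic crypto map because client addresses are not known ahead
crypto ipsec transform-set vpnclients esp-3des esp-sha-hmac
crypto dynamic-map dynclients 10 set transform-set vpnclients
crypto map outsidemap 10 ipsec-isakmp dynamic dynclients

! Apply the crypto map to the outside interface WITHOUT "sysopt ipsec pl-compatible",
! so decrypted client traffic is still checked against the conduits below
crypto map outsidemap interface outside

! Holes for the tunnel itself: ISAKMP (UDP 500) and ESP (IP protocol 50) to the
! PIX outside address. AH (IP protocol 51) is deliberately not opened.
conduit permit udp host 203.0.113.1 eq isakmp any
conduit permit esp host 203.0.113.1 any

! Conduits for the traffic carried inside the tunnel: clients (assumed pool
! 10.10.10.0/24) may reach only SMTP on the mail server, nothing else inside
static (inside,outside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.1.10 eq smtp 10.10.10.0 255.255.255.0
```

The identity static and the last conduit are what "still control access with your conduit rules" looks like in practice: once a client packet is decrypted on the outside interface it is treated like any other outside-to-inside flow and must match a conduit. How the clients obtain addresses in the assumed 10.10.10.0/24 range depends on the client software version and is not shown here. Note also (a fact about the PIX, not stated in the thread) that adding "sysopt connection permit-ipsec" would exempt IPsec traffic from conduit checking in the same way the answer describes for "sysopt ipsec pl-compatible", so leave it out if you want the checks.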
1. Tunneling mode: VPN gateway to VPN gateway. The tunnel is terminated by the VPN gateways. This mode is generally used to connect a remote office (1-20 users) to the corporate network. This way you avoid having to install the VPN client software on all users' machines. All the work is done at the VPN gateways.
2. Transport mode: client to VPN gateway. The tunnel is initiated by the client VPN software and terminates at the VPN gateway located at the corporate site. This is what you would install on road warriors' machines with dialup accounts or on machines with cable/DSL modems.