I have discussed with my reseller about creating VPN intranets, and he said that if we needed to route between spoke sites, implement GRE with IPSEC. We was going to use a pix515e to terminate RAS VPN's, Intranet VPN's and extranet VPN's but I beleive that you cant route from one spoke site to another spoke site through a hub pix. Hence the recommendation of GRE/IPSEC into a 3600 router at the hub site. Is this the correct recommendation for Intranet VPN's or can we get it done through the pix, we are using EIGRP on the WAN and for corporate remote sites would like to integrate the RP over VPN/3DES.
We will also be implementing extranet VPN's, and I beleive these would be better connecting to the pix?.
The PIX won't do GRE/IPSec, nor will you be able to use the PIX as a hub and have spoke-to-spoke communication thru it, so a 3600 is probably the better option in your case.
If by "extranet VPN's" you mean external VPn connection across the Internet, you can terminate these into either the PIX or the 3600, doesn't really matter. If you need routing over these though, you'll have to use the 3600 with GRE/IPSec.
Thanks for reply. I beleive you can terminate the GRE tunnel between a spoke router and a router at the CO behind the hub pix, so the pix is essentially allowing passthru of the gre tunnel. If this is the case, If I am creating gre tunnels from spoke routers to the router behind the hub pix, will the spoke routers be able to communicate going through the pix. If no, how come?
I am sure I need a router here but am confured as to why
No problem communicating spoke router through hub pix to hub router through hub pix to another spoke router. The PIX just sees two GRE tunnels running through its IPsec tunnels and has no idea what the real destination of any of the tunneled traffic is. What you cannot do is go from spoke router to hub pix back out the same interface on the PIX. You have go through the PIX and make the "U turn" in an inside router.
You've already read the white paper on redundant VPN routing on my web site (you seem to be doing a lot of VPN routing, or at least posting lots of questions, so I will not repeat answers I've already posted to your prior questions). But in this environment, the BGP approach would only work if you implemented a full mesh of IPsec tunnels (so the spokes could communicate directly). To get a good handle on what is happening, walk through a packet going from site to site and see what each box sees, including source and destination address of the packets going into and out of each box. With an hour or two of effort, you'll see that the rules are really quite simple and the consequent limitations are "obvious."
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :