01-29-2004 05:56 AM - edited 02-21-2020 01:01 PM
I have a question. If I have a few (4) small remote offices, and want to use GRE tunnels over IPSec VPNs, back to the main office 2651 router... how does that work as far as having my PIX behind the 2651?
The 2651 will have the Internet T1 coming into it, and the PIX's outside address will have a public IP. Do I just create access-lists on the router to forward the remote office subnets to the PIX, and/or ACLs on the PIX to allow the remote office traffic?
Sorry if this is a stupid question. Thanks!
01-31-2004 12:33 PM
Hi Wares,
So if I understand you correctly, you have the following topology:
|--inside networks--PIX--2651--(INTERNET)
And all your GRE tunnels will be terminated on the 2651 router. In this case your PIX will only get the IP packets after they come out of the GRE encapsulation. Hence the PIX should only be allowed for the IP packets to the inside network. As for the IPSec/GRE termination, the 2651 can handle it as the hub without much problems (note: PIX doesn't support GRE termination).
Some resources to look at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml
Hope this helps,
Regards,
Aamir
-=-=-
01-31-2004 02:11 PM
Thanks, awaheed, for the reply! So, then as far as the IP packets from the remote offices heading onto the PIX, would I just set up static routes in the 2651 to forward them onto the PIX?
Like:
Remote office subnet: 192.168.6.0/24
PIX outside interface: 66.100.100.2
ip route 192.168.6.0 255.255.255.0 66.100.100.2
And then just apply the normal ACLs in the PIX for the traffic that I want to permit?
01-31-2004 02:21 PM
Yeah, you would be adding the static routes on the PIX to return those packets back to the 2651; just make sure that the syntax of that points to the 2651 inside interface as the next hop, not the PIX outside.
So, it would be:
route 192.168.6.0 255.255.255.0 <2651 inside intf>
as per:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1027614
hope this helps,
Regards,
Aamir
-=-=-
02-02-2004 05:20 AM
So would I use a syntax like:
route outside 192.168.x.0 255.255.255.0 66.100.100.3, where 66.100.100.3 is the 2651 inside interface address.
Is it possible to have more than one route outside command as long as it is not a default route?
Thanks for all your help!
02-02-2004 11:50 AM
Hi Wares,
Absolutely, you can use as many route outside commands as you like, as long as they are not the default routes. Additionally, being on the PIX, this should work for you; let me know if it fixes the issue.
Regards,
Aamir
-=-=-
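The following is an added configuration example, not from the thread's participants or from Cisco's documentation, that puts the two halves of the answer together: the hub 2651 terminating GRE over IPsec and forwarding the remote-office subnet to the PIX, and the PIX pointing its return route at the 2651 inside interface (66.100.100.3) rather than at its own outside address. The PIX outside address (66.100.100.2), the 2651 inside address (66.100.100.3) and the remote subnet (192.168.6.0/24) are the values from the thread; the 2651 WAN address (203.0.113.1), the spoke peer address (198.51.100.5), the tunnel addressing (10.255.0.0/30), the inside network behind the PIX (192.168.1.0/24) and the pre-shared key placeholder are constructed for the example. Syntax is IOS 12.x for the router and PIX 6.3 for the firewall; one spoke is shown, and the other three would repeat the crypto map entry, tunnel interface and routes.

```cisco
! ===== Hub 2651 (IOS) =====
! ISAKMP/IPsec for the spoke; the pre-shared key is a placeholder, not a real value
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 198.51.100.5
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints are encrypted
ip access-list extended GRE-TO-SPOKE1
 permit gre host 203.0.113.1 host 198.51.100.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS
 match address GRE-TO-SPOKE1
!
interface Tunnel0
 description GRE to remote office 1 (192.168.6.0/24)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.5
!
interface Serial0/0
 description Internet T1
 ip address 203.0.113.1 255.255.255.252
 ip access-group INTERNET-IN in
 crypto map VPN
!
interface FastEthernet0/0
 description Link to PIX outside
 ip address 66.100.100.3 255.255.255.0
!
! Inbound from the Internet: only ISAKMP/ESP from the spoke to the hub itself, the decrypted GRE
! (older IOS re-checks decrypted packets against this ACL), and traffic to the PIX's public range.
ip access-list extended INTERNET-IN
 permit udp host 198.51.100.5 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.5 host 203.0.113.1
 permit gre host 198.51.100.5 host 203.0.113.1
 permit ip any 66.100.100.0 0.0.0.255
 deny ip any any log
!
! Remote office subnet lives behind the tunnel; inside network is reached via the PIX outside address
ip route 192.168.6.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 66.100.100.2
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! ===== PIX 6.3 =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 66.100.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
! Return route for the remote office: next hop is the 2651 INSIDE interface, never the PIX's own
! outside address (the packet would have nowhere to go). The default route also points at the 2651.
route outside 192.168.6.0 255.255.255.0 66.100.100.3 1
route outside 0.0.0.0 0.0.0.0 66.100.100.3 1
!
! Remote-office <-> inside traffic keeps real addresses (no NAT); everything else is PATed to the outside
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Decapsulated packets arrive on the outside interface as plain IP, so the outside ACL must permit
! them; restrict it to the remote subnet as source and the inside network as destination only.
access-list OUTSIDE-IN permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN deny ip any any
access-group OUTSIDE-IN in interface outside
```

Two checks are worth doing once this is in place: `show crypto ipsec sa` on the 2651 should show encaps/decaps counters rising for the spoke peer while a host in 192.168.6.0/24 pings a host behind the PIX, and `show route` on the PIX should list 192.168.6.0/24 via 66.100.100.3 on outside. If the inner traffic is decrypted but blocked, the PIX `deny ip any any` line will show hits with `show access-list OUTSIDE-IN`, which is the quickest way to tell a routing problem from a policy problem.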