Re: IP addressing router to PIX515

steve · ‎04-11-2003

We have a scenario whereby a Cisco2600 is the gateway to the ISP with a single internet routable IP address for the ATM interface assigned by the ISP.

I know it sounds strange but we have to put in a PIX 515 behind that router and enable it as a VPN headend for remote VPN clients.

My question is, how can we ensure that packets are forwarded to the PIX from the router.

The PIX outside interface will be assigned an ip address from a private range and ditto the inside interface.

I am thinking of perhaps an access-list on the router or some form of IP unnumbered between the router and PIX.

Any config help much appreciated.

afakhan · ‎04-11-2003

Hi,

you would need to use pix as ezpvn client and other device (as easy vpn server):

pix - 6.3.1 to negotiate NAT-T (ipsec/udp over udp4500)

if other deivce is IOS - 12.2.13T or later

otherwise, PAT would break ipsec on the gw router.

thx

Afaq

steve · ‎04-13-2003

Many thanks Afaq

This type of deployment does seem to be a little on the 'lets make it complicated for 5the sake of it'

I would think that putting a 2600 as a gateway router just to pass Internet traffic is like overkill when a simple DSL modem (that supports VPN pass-through) would suffice and let the PIX do all the firewalling and authenticating, but that's what the client has actually purchased - before we got involved, I hasten to add!

But if the only way is to configure the router and PIX in the manner you suggest because they only have 1 routable Internet address - then so be it.

Is there a simpler way?

cheers

Steve

m.reay · ‎04-15-2003

Steve - put the public ip address on the pix, set up the router to bridge between the ethernet and ADSL interface, and configure the pix for PPPoE.