Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NETWORK DESIGN (HELP)

I got a cisco 2610, a PIX 515, VPN client 1.1.....now i m goin to implement IPSec for VPN clients, goin to terminate VPN clients on the PIX. Now I am doin NAT on the PIX, for my 4 internal network. Now the design is i m usin a RSM to route b/w these internal networks, 2 of them are training and testing lans, just wanted to keep traffic with'n segments and manage network better, since i will be having only 2 of these networks goin out on the internet, using one pool of class C ( public ip) . the other 2 test'n and train'n network will prob. only want to use the machines on the DMZ. So i need to define them on the PIX. Now this NAT will be ne problem for my VPN clients, using IPSec. These VPN clients will be authenticated by my TACACS+(Cisco SEcure ACS 4.0 for NT). I will be gratefull to get configuration keeping my network infrastructure in mind. Now my cisco 2610 which will be outside interface of the PIX, with its serial interface connected to the T1 connection. What configuration will be required there. Now it looks that my PIX will be doin everythin and ppl will suggest a VPN concentrator, but i really dont wanna add nother piece of device in my network. U can say right now i will only have few VPN clients, and this will be interim solution. need to get some ocnfig for both my CIsco 2610 and PIX. I searched the cisco site and found many helpful stuff, and i m workin to get the best of it...but some1 with a little time help me with this....now is this network design very complex. I prob. wont have more then 200 hosts goin out on the internet or DMZ, so one pool will work for me i assume. What are other ways .....leavin the PAT, that i can do to utilze my 1 public pool of ip, when i will have more host wanting to go out. thanks in advance...

  • Other Security Subjects
4 REPLIES
New Member

Re: NETWORK DESIGN (HELP)

First of all, you need to at least have enough addresses in your NAT pool as you have users going out. If you have more users than addresses they won’t all be able to get out (syslog error “translation creation failed…”). You can recycle the pool addressed by adjusting the timeout conn and xlate values way down, but I’d recommend still turning on PAT for an overflow. I wouldn’t use NAT pools for DMZ access if it’s a private network. I’d suggest network statics without translation are best.

New Member

Re: NETWORK DESIGN (HELP)

I might be able to help but I have a few question first. Is the 2600 your internet (perimeter)router or do you have another one? Are your 4 internal networks seperate networks that go through the router or are they part of one big network that is switched? Who (applications, remote users, etc)is coming into your site and who is going out? Where?

New Member

Re: NETWORK DESIGN (HELP)

yes, 2610 is our internet router. And the 4 interal networks are switched, i am using RSFC to do intervlan routing. My new T1 will be coonneted to this cisco 2610 which is connected to the outside interface of my PIX 515 , and inside interface is goin to the switch(backbone) and there is nother interface i.e DMZ

New Member

Re: NETWORK DESIGN (HELP)

i can also send a little diagram i made if u give me ur email, thanks

156
Views
0
Helpful
4
Replies