
New Member

Routing through PIX

HI

I have two questions

I am hoping to use a PIX or VPN concentrator to host only VPN connections at the central office. I will be connecting sites up using a mixture of PIX, VPN concentrator, and router. Is it possible to pass routing protocols through these devices so that I can route? Would I want to, or would this be a bad idea? Would I be better using static routes? I basically want to connect sites using VPN but want to implement routing functionality within this. Please advise me on whether this will work and what to watch out for. Security is paramount.

I am trying to understand how a VPN connection to a PIX is created using ESP and 3DES. I have been told that on the PIX, all incoming ports are blocked, although incoming VPN connections would be allowed. Could anyone please give me a brief overview on how ESP and 3DES go together and how the connection phase works? Any web page would also help.

Best regards

Karl
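The ESP and 3DES question above is not answered anywhere in the thread, so here is an added example (my own code, not Cisco's and not from any poster) that shows how the two fit together. ESP (RFC 2406) is the packet format: an SPI and sequence number in the clear, then an IV, then the encrypted inner packet with its padding trailer, then an integrity check value. 3DES-CBC (RFC 2451) is the cipher applied to the encrypted part; HMAC-SHA1-96 (RFC 2404) is the usual companion for the ICV. IKE negotiates the SPI, keys and algorithms (phase 1 authenticates the peers, phase 2 sets up the ESP security associations) before any ESP packet flows, which is why the PIX only has to accept IKE and ESP from the peer and everything else arrives inside the tunnel. The code builds and parses ESP packets, verifies the ICV before decrypting, and enforces an anti-replay window; because the Python standard library has no 3DES, the cipher is passed in as a callable and the demonstration uses a clearly labelled null transform. Keys, SPI and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# 3DES-CBC (RFC 2451) uses an 8-byte block and an 8-byte IV; HMAC-SHA1-96
# (RFC 2404) yields a 12-byte ICV. Values below are constructed samples.
BLOCK = 8
IV_LEN = 8
ICV_LEN = 12
REPLAY_WINDOW = 64


def esp_pad(plaintext: bytes, next_header: int) -> bytes:
    """Append Padding, Pad Length and Next Header (RFC 2406 sections 2.4-2.6).
    The result is what the cipher encrypts, so it must be block aligned."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))  # default monotonic pad bytes 1, 2, 3, ...
    return plaintext + padding + bytes([pad_len, next_header])


def esp_unpad(padded: bytes):
    """Reverse esp_pad, checking the pad bytes so a damaged trailer is rejected."""
    if len(padded) < 2 or len(padded) % BLOCK:
        raise ValueError("encrypted body is not block aligned")
    pad_len, next_header = padded[-2], padded[-1]
    body = padded[:-2]
    if pad_len > len(body) or body[len(body) - pad_len:] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return body[:len(body) - pad_len], next_header


def build_esp(spi, seq, iv, plaintext, next_header, encrypt, auth_key):
    """Assemble SPI | Seq | IV | ciphertext | ICV. `encrypt(iv, data)` is the
    3DES-CBC transform supplied by the caller."""
    header = struct.pack("!II", spi, seq)
    ciphertext = encrypt(iv, esp_pad(plaintext, next_header))
    authenticated = header + iv + ciphertext  # the ICV covers everything before it
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


class InboundSA:
    """Receiver state for one security association: keys plus anti-replay window."""

    def __init__(self, spi, decrypt, auth_key):
        self.spi, self.decrypt, self.auth_key = spi, decrypt, auth_key
        self.highest = 0
        self.seen = set()

    def receive(self, packet):
        if len(packet) < 8 + IV_LEN + ICV_LEN:
            raise ValueError("packet too short")
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):  # integrity first, then decrypt
            raise ValueError("ICV mismatch")
        spi, seq = struct.unpack("!II", authenticated[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest - REPLAY_WINDOW or seq in self.seen:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
        return esp_unpad(self.decrypt(iv, ciphertext))


def null_cipher(iv, data):
    # Placeholder standing in for 3DES-CBC so the example runs with the standard
    # library alone; it performs no encryption whatsoever.
    return data


AUTH_KEY = b"constructed-sample-hmac-key"   # constructed, not real key material
SAMPLE_SPI = 0x1001                          # constructed SPI as IKE would assign
IP_IN_IP = 4                                 # Next Header 4: tunnel-mode inner IP packet


def esp_roundtrip_demo():
    """Encapsulate a constructed inner packet, decapsulate it, then confirm that a
    replayed copy and a tampered copy are both rejected."""
    inner = b"inner IP packet bytes (constructed)"
    iv = b"\x00" * IV_LEN  # a real sender uses an unpredictable IV per packet
    pkt = build_esp(SAMPLE_SPI, 1, iv, inner, IP_IN_IP, null_cipher, AUTH_KEY)
    sa = InboundSA(SAMPLE_SPI, null_cipher, AUTH_KEY)
    payload, next_header = sa.receive(pkt)
    replay_rejected = tamper_rejected = False
    try:
        sa.receive(pkt)
    except ValueError:
        replay_rejected = True
    tampered = bytearray(pkt)
    tampered[8 + IV_LEN] ^= 1  # flip one bit of ciphertext
    try:
        sa.receive(bytes(tampered))
    except ValueError:
        tamper_rejected = True
    return payload == inner and next_header == IP_IN_IP and replay_rejected and tamper_rejected


if __name__ == "__main__":
    print("ESP round trip, replay and tamper checks passed:", esp_roundtrip_demo())
```

The order inside `receive` is the point worth noticing: the receiver authenticates the whole packet and checks the sequence number before it hands anything to the cipher, so a forged or replayed packet is dropped without ever being decrypted.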

8 REPLIES
New Member

Re: Routing through PIX

There are a lot of very good sections within the CCO about this particular topic.

http://www.cisco.com/en/US/customer/netsol/ns110/ns170/ns171/ns142/networking_solutions_implementation_white_papers_list.html

This is a very good overview about site-to-site VPNs.

http://www.cisco.com/en/US/customer/netsol/ns110/ns170/ns171/ns142/networking_solutions_solution_components.html

These are also some good docs to get you started.

Hope this helps. And unfortunately, to answer your main question of what would be better, static routes or routing protocols... it all depends on your environment. I know you probably hate to hear that, but it is true.

Good reading!

New Member

Re: Routing through PIX

Thanks for reply

Is it safe to route through VPN tunnels in terms of security?

Regards

Silver

Re: Routing through PIX

Routing through VPNs is like routing through a firewall. It is safe only to the extent that you trust what is on the other end (side) of the VPN (firewall). Fortunately, unlike a firewall, the other side of the VPN is also your stuff and probably trustworthy. If you are really paranoid, you can adapt the "routing through firewalls" approach outlined in the Redundant Firewall whitepaper on my web site. However, I expect you would find the "Redundant VPN" whitepaper approach adequate, at least in terms of security. Remember that there are multiple examples of routing through VPNs on CCO in addition to the examples on my web site.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

New Member

Re: Routing through PIX

Hi Vincent

Thanks for your comments and nice to hear from you again.

Basically, we're saying if done correctly and we manage both ends, security shouldn't be an issue.

Can you route through any firewall? Have you had any experience with Checkpoint? I am trying to promote a dedicated Cisco VPN concentrator or PIX at the CO, and Cisco routers for remote sites, whilst the Checkpoint looks after internet access and DMZs. This is so I can more easily integrate the WAN solution with the internet, and lower the cost of ownership. Do the Checkpoints handle routing functionality OK, or would I be better off with a dedicated Cisco solution?

Is your redundant firewall approach in your book? I have a copy but it's at work.

Any advice much appreciated

Best regards

Karl Jones

Silver

Re: Routing through PIX

The brand of firewall is immaterial. The key is that you are running the routing protocol _through_ the IPsec tunnel / firewall, not _with_ it. With very few exceptions, running a routing protocol on a firewall is a bad thing for security.

If you're looking at the examples in the book, keep in mind that you don't have to worry about NAT because the IPsec tunnel does not do NAT. You can see the difference in the example in the Redundant VPN whitepaper: its BGP usage is a NATless version of the firewall configuration in Chapter 9.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

New Member

Re: Routing through PIX

Hi Vincent

I am currently reading my butt off, so please forgive the question.

Bad thing to run a routing protocol on a FW, but what about a 1700 router with the FW feature set, with a VPN tunnel through to a VPN concentrator at the CO? I want to reduce cost of ownership; would this be OK?

Regards

Silver

Re: Routing through PIX

Unlike typical firewalls, most routers have enough "smarts" to protect their routing tables (such as filters on what they are willing to learn from specific partners). On the other hand, you need to ask yourself if the firewall functionality on the router is sufficient for your needs. I normally prefer to use separate firewalls and routers, because it keeps the distinction between security functions and routing functions clear and usually leads to simpler configurations (which, consequently, are less prone to error, which translates to less prone to security holes).

I, too, have been in situations where the economics mandated putting everything onto a single router. The key is to have a clear security policy and then translate that security policy into the actual configuration. If the security policy can be implemented using just a router, consider it as a design tradeoff. Just remember to consider all the lifecycle costs, because complex configurations require more work to maintain, particularly when the maintainer is not the original designer or design documentation is inadequate.

Note also that some common security policy clauses eliminate the potential to combine router and firewall. The two most common are "no single point of failure" and "separation of powers." The former requires that the security perimeter be maintained even if an intruder takes complete control of one box, the latter requires separation of network management from security management. Both are common requirements in environments where security is taken seriously, and both mean putting everything on one router ceases to be an option. But in either case, the environment should also be one which recognizes that the desired level of security has a cost attached to it.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
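The "filters on what they are willing to learn from specific partners" that Vincent mentions are the main reason a router can safely run a routing protocol through an IPsec tunnel: the peer on the far end of the tunnel is trusted to reach you, not trusted to rewrite your routing table. The following is an added example, my own code rather than anything from the thread or from Cisco, that implements the matching semantics of an IOS-style `ip prefix-list` (sequence order, first match wins, optional `ge`/`le` length bounds, implicit deny) and applies it to a constructed set of prefixes a branch peer might advertise. The policy text, prefixes and site numbering are all constructed for illustration.

```python
import ipaddress
import re

# Grammar for one entry, modelled on the IOS `ip prefix-list` syntax
# (example code, not a Cisco implementation):
#   seq <n> permit|deny <prefix>/<len> [ge <n>] [le <n>]
ENTRY_RE = re.compile(
    r"seq\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$"
)


def parse_prefix_list(text):
    """Parse entries into (seq, permit, network, min_len, max_len), sorted by seq.
    Without ge/le an entry matches only the exact prefix length; `le` alone
    allows the entry's own length up to le; `ge` alone allows ge up to the
    address family maximum."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse prefix-list entry: {line!r}")
        seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix, strict=True)
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (net.max_prefixlen if ge else net.prefixlen)
        if not (net.prefixlen <= lo <= hi <= net.max_prefixlen):
            raise ValueError(f"invalid ge/le range in entry seq {seq}")
        entries.append((int(seq), action == "permit", net, lo, hi))
    entries.sort(key=lambda e: e[0])
    return entries


def matches(entry, route):
    """An entry matches when the route lies inside the entry's network and its
    prefix length falls within the entry's [min_len, max_len] window."""
    _, _, net, lo, hi = entry
    return route.network_address in net and lo <= route.prefixlen <= hi


def permitted(entries, route):
    """First matching entry decides; no match means deny, as on IOS."""
    for entry in entries:
        if matches(entry, route):
            return entry[1]
    return False


def filter_routes(prefix_list_text, advertised):
    """Split a list of advertised prefixes into (accepted, rejected) by policy."""
    entries = parse_prefix_list(prefix_list_text)
    accepted, rejected = [], []
    for prefix in advertised:
        route = ipaddress.ip_network(prefix, strict=False)
        (accepted if permitted(entries, route) else rejected).append(str(route))
    return accepted, rejected


# Constructed sample policy: the branch may only originate its own 10.20.0.0/16
# block, in subnets no more specific than /24. Everything else is rejected.
BRANCH_POLICY = """
seq 10 permit 10.20.0.0/16 le 24
seq 20 deny 0.0.0.0/0 le 32
"""

# Constructed sample advertisement, including the kinds of update the filter
# exists to stop: a default route, another site's prefix, a host route more
# specific than policy allows, and a summary covering the hub's own space.
BRANCH_UPDATE = [
    "10.20.1.0/24", "10.20.0.0/16", "0.0.0.0/0",
    "10.30.5.0/24", "10.20.7.1/32", "10.0.0.0/8",
]


def branch_filter_demo():
    return filter_routes(BRANCH_POLICY, BRANCH_UPDATE)


if __name__ == "__main__":
    accepted, rejected = branch_filter_demo()
    print("accepted from branch:", accepted)
    print("rejected from branch:", rejected)
```

The same inbound filter belongs on every tunnel peer, hub and branch alike: the hub should refuse anything outside the branch's assigned block, and the branch should refuse a default route or another branch's prefix unless the design deliberately sends those through the hub.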

New Member

Re: Routing through PIX

Vincent

Thanks for a spot-on reply. I agree with all you have said and will try to separate the router and firewall technologies.

Best regards
