04-15-2004 05:44 AM - edited 02-20-2020 11:20 PM
We're looking at using an Internet VPN as a backup connection between 2 data centers. To handle this dynamically, we'd like to put a router in a DMZ of our PIX 525s and have it share OSPF tables with a router on the inside network from the PIX. In other words, our 6509s make a policy-based routing decision on whether or not to send traffic out the private MPLS network, or they send it to the DMZ VPN router to travel across a VPN to its destination. I'm having trouble finding documentation on how to do this; can anyone assist?
04-15-2004 06:32 AM
If you do not want the PIX firewalls to process the OSPF updates, instead just forwarding them between your internal and DMZ routers, this is called sending OSPF through the PIX (instead of to it). This can be done only if you configure GRE tunnels or IPsec tunnels between your internal and DMZ routers.
When configuring ACLs on all of the PIXes to allow the GRE or IPsec traffic, you need to add the rules on both the internal and DMZ interfaces of each PIX that will see the traffic. This is because you cannot determine which router (DMZ or internal) will send the updates first.
If you want to use IPsec, the relevant ACLs would include UDP source port 500 to destination port 500, and the AH and ESP protocols.
For GRE, just specify the GRE protocol instead of TCP/UDP.
Again, the connection can originate on either end, so you will need the same rules (with source and destination reversed) on the DMZ side as well as the internal side.
Let me know if you have any questions.
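The answer above describes the rule set in words; the following is an added configuration example (not posted by anyone in this thread) showing what those ACLs look like in PIX 6.x syntax for the "OSPF through the PIX" design. OSPF hellos are sent to multicast 224.0.0.5, which the firewall will not forward, so the adjacency has to ride inside a GRE or IPsec tunnel between the two routers and the PIX only needs to permit the tunnel itself. The addresses (inside router 10.1.1.2, DMZ router 192.168.10.2), the ACL names `inside_in` and `dmz_in`, and the interface names `inside` and `dmz` are assumed for illustration, and the `!` lines are annotations rather than configuration to paste.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   inside router 10.1.1.2 (behind interface "inside")
!   DMZ router    192.168.10.2 (on interface "dmz")
!
! --- Option A: GRE tunnel (IP protocol 47) carries the OSPF adjacency ---
! Rule applied inbound on the inside interface: inside router initiates
access-list inside_in permit gre host 10.1.1.2 host 192.168.10.2
! Same rule, source and destination reversed, inbound on the DMZ interface:
! the DMZ router may send the first packet, so both directions must be open
access-list dmz_in permit gre host 192.168.10.2 host 10.1.1.2
!
! --- Option B: IPsec tunnel: ISAKMP (UDP/500) plus ESP (50) and AH (51) ---
access-list inside_in permit udp host 10.1.1.2 eq 500 host 192.168.10.2 eq 500
access-list inside_in permit esp host 10.1.1.2 host 192.168.10.2
access-list inside_in permit ah  host 10.1.1.2 host 192.168.10.2
! Mirror image on the DMZ side
access-list dmz_in permit udp host 192.168.10.2 eq 500 host 10.1.1.2 eq 500
access-list dmz_in permit esp host 192.168.10.2 host 10.1.1.2
access-list dmz_in permit ah  host 192.168.10.2 host 10.1.1.2
!
! Bind the access lists to their interfaces (inbound direction)
access-group inside_in in interface inside
access-group dmz_in in interface dmz
!
! The PIX needs a translation entry before it will pass traffic from the
! lower-security DMZ interface to the inside router. A static identity
! translation keeps the real address visible on the DMZ side and works in
! both directions, so either router can bring the tunnel up.
static (inside,dmz) 10.1.1.2 10.1.1.2 netmask 255.255.255.255
```

Only one of the two options (GRE or IPsec) is needed; the block shows both so the difference in the rule set is visible side by side. Keeping the rules host-to-host, rather than `any`, limits the hole in the firewall to the two tunnel endpoints, and `show access-list` hit counts on the PIX will show which direction actually carried the tunnel setup once OSPF comes up.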
04-15-2004 06:38 AM
Hi,
Have a read of the following document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
Let me know if this helps.
Jay