
Site-to-Site VPN of PIX 515e to 831

augsupport
Level 1

Hello everyone.

We recently installed a Cisco 831 at a remote site and are wanting to connect it to our WAN. We currently have two PIX 515e (failover mode) with remote sites connecting to us via IPSEC vpns and clients authenticating through W2KRAS. Is there a guide available for connecting the 831 to the PIX 515 via site-to-site VPN? I have used SDM before but am not crazy about it.

Would it be a better idea for all vpn traffic to pass through our PIX then to the 831? Is it possible for this to work (IPSEC vpn to the PIX which then passes the traffic to the 831)? The other solution is to have site-to-site connections from their sites (PIX 515s also) directly to the 831s.

Any input or ideas would be appreciated, thank you.

Tim

6 Replies

smalkeric
Level 6

First and foremost, a VPN needs to provide private, ubiquitous communications to the locations and users that require it. It must do this in a secure manner while maintaining as many of the characteristics of traditional private WAN connections as possible. It must integrate with the overall network designs based on the SAFE Security Blueprint for Enterprise Networks.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/networking_solutions_design_guidance09186a00800a37d3.html

jackko
Level 7

Is there a guide available for connecting the 831 to the PIX 515 via site-to-site VPN?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Would it be a better idea for all vpn traffic to pass through our PIX then to the 831?

do you mean this?

existing lan1 <--vpn--> www <--vpn--> pix

new lan2 router 831 <--vpn--> www <--vpn--> pix

so lan1 will be able to connect to lan2 over vpn via the pix515e. if so, then it depends on the pix version. it works with pix v7, not v6.x.

just wondering how you go.

jackko,

Thank you for your response. We have created IPSEC vpns for the new clients needing access to a LAN workstation. I will be visiting a new site today that will use the setup.

We are wanting to send traffic from a client to our PIX via vpn and then to another offsite workstation.

someclient---vpn(www)---pix---vpn(www)---ourWANsite.

I will keep you informed.

someclient---vpn(www)---pix---vpn(www)---ourWANsite

with the above topology, v7 is required as v6 doesn't allow traffic to be received and sent back on the same interface.

e.g.

"someclient" sends a packet destined for "ourwansite". pix receives the packet on the outside interface, decrypts it and tries to determine the next hop. since the destination is another lan-lan vpn, pix will have to encrypt and send the packet back to the outside interface. unfortunately, v6 doesn't allow such "re-route" activity.
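
The forwarding decision described in the reply above, as a small Python model (an added example, not part of the original thread and not PIX code). The /24 masks, the 10.20.1.0 subnet for "someclient", and the `allow_same_interface` switch standing in for the v6/v7 difference are assumptions.

```python
"""Toy model of the hub's forwarding decision for a decrypted VPN packet."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Tunnel(NamedTuple):
    name: str
    interface: str   # interface the tunnel terminates on
    remote_net: str  # LAN behind the remote peer


# Constructed topology: both LAN-to-LAN tunnels terminate on "outside".
TUNNELS = [
    Tunnel("someclient", "outside", "10.20.1.0/24"),  # constructed subnet
    Tunnel("ourWANsite", "outside", "10.50.1.0/24"),  # mask assumed
]
INSIDE_NET = ip_network("10.1.1.0/24")  # hub's local LAN, mask assumed


def egress_for(dst: str) -> Optional[tuple]:
    """Return (interface, tunnel or None) for dst, or None if unrouted."""
    addr = ip_address(dst)
    if addr in INSIDE_NET:
        return ("inside", None)
    for t in TUNNELS:
        if addr in ip_network(t.remote_net):
            return (t.interface, t)
    return None


def forward(ingress_tunnel: str, dst: str, allow_same_interface: bool) -> str:
    """Decide what happens to a packet just decrypted from ingress_tunnel."""
    ingress = next(t for t in TUNNELS if t.name == ingress_tunnel)
    hop = egress_for(dst)
    if hop is None:
        return "drop: no route"
    iface, tunnel = hop
    # The restriction in the thread: egress interface == ingress interface.
    if iface == ingress.interface and not allow_same_interface:
        return f"drop: would leave via {iface}, the interface it arrived on"
    if tunnel is None:
        return f"forward in clear via {iface}"
    return f"encrypt for {tunnel.name} and send via {iface}"


if __name__ == "__main__":
    for label, allow in (("same-interface blocked", False),
                         ("same-interface allowed", True)):
        print(label, "->", forward("someclient", "10.50.1.25", allow))
        print(label, "->", forward("someclient", "10.1.1.10", allow))
```

Traffic from a spoke to the hub's own inside LAN is unaffected by the restriction; only spoke-to-spoke flows that re-enter a tunnel on the same interface are dropped.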

Hello everyone.

We decided not to relay the connection from outside->ipsec vpn->pix515->vpn->831->inside. I know that it was recommended to upgrade to PIX version 7. At the moment that would require a hardware upgrade so we are working around it.

I am trying to establish a connection to a remote PC over ipsec VPN but am having problems. The connection will need to be between a PIX 515e and Cisco 831 over IPSEC. I have added attachments. I cannot pass any traffic between sites (Local Lan of 10.1.1.0 to remote Lan of 10.50.1.0). I am not familiar with the CLI of the 831 and the Cisco SDM software for the 831 does not seem to correct the issue. Any help would be greatly appreciated. As always, thank you. T-