09-27-2005 05:09 AM - edited 02-21-2020 02:00 PM
Hello everyone.
We recently installed a Cisco 831 at a remote site and are wanting to connect it to our WAN. We currently have two PIX 515e (failover mode) with remote sites connecting to us via IPSEC VPNs and clients authenticating through W2KRAS. Is there a guide available for connecting the 831 to the PIX 515 via site-to-site VPN? I have used SDM before but am not crazy about it.
Would it be a better idea for all VPN traffic to pass through our PIX then to the 831? Is it possible for this to work (IPSEC VPN to the PIX which then passes the traffic to the 831)? The other solution is to have site-to-site connections from their sites (PIX 515s also) directly to the 831s.
Any input or ideas would be appreciated, thank you.
Tim
10-03-2005 07:51 AM
First and foremost, a VPN needs to provide private, ubiquitous communications to the locations and users that require it. It must do this in a secure manner while maintaining as many of the characteristics of traditional private WAN connections as possible. It must integrate with the overall network designs based on the SAFE Security Blueprint for Enterprise Networks.
10-03-2005 08:47 AM
Is there a guide available for connecting the 831 to the PIX 515 via site-to-site VPN?
Would it be a better idea for all vpn traffic to pass through our PIX then to the 831?
do you mean this?
existing lan1 <--vpn--> www <--vpn--> pix
new lan2 router 831 <--vpn--> www <--vpn--> pix
so lan1 will be able to connect to lan2 over vpn via the pix515e. if so, then it depends on the pix version. it works with pix v7, not v6.x.
10-13-2005 06:06 PM
just wondering how you go.
10-17-2005 10:55 AM
jackko,
Thank you for your response. We have created IPSEC vpns for the new clients needing access to a LAN workstation. I will be visiting a new site today that will use the setup.
We are wanting to send traffic from a client to our PIX via vpn and then to another offsite workstation.
someclient---vpn(www)---pix---vpn(www)---ourWANsite.
I will keep you informed.
10-17-2005 04:18 PM
someclient---vpn(www)---pix---vpn(www)---ourWANsite
with the above topology, v7 is required as v6 doesn't allow traffic to be received on and sent back to the same interface.
e.g.
"someclient" sends a packet destined for "ourwansite". pix receives the packet on the outside interface, decrypts it and tries to determine the next hop. since the destination is another lan-lan vpn, pix will have to encrypt and send the packet back to the outside interface. unfortunately, v6 doesn't allow such "re-route" activity.
11-10-2005 07:08 AM
Hello everyone.
We decided not to relay the connection from outside->ipsec vpn->pix515->vpn->831->inside. I know that it was recommended to upgrade to PIX version 7. At the moment that would require a hardware upgrade so we are working around it.
I am trying to establish a connection to a remote PC over ipsec VPN but am having problems. The connection will need to be between a PIX 515e and Cisco 831 over IPSEC. I have added attachments. I cannot pass any traffic between sites (Local Lan of 10.1.1.0 to remote Lan of 10.50.1.0). I am not familiar with the CLI of the 831 and the Cisco SDM software for the 831 does not seem to correct the issue. Any help would be greatly appreciated. As always, thank you. T-
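Added example, not part of the thread or the poster's attachments: when a PIX-to-IOS tunnel between 10.1.1.0 and 10.50.1.0 passes no traffic, one thing worth verifying is that the two crypto ACLs mirror each other, bearing in mind that PIX ACLs take subnet masks while IOS ACLs take wildcard masks. The ACL lines and the /24 masks below are constructed assumptions, and the parser only handles the plain `permit ip net mask net mask` form.

```python
import ipaddress
import re

# Constructed sample lines (NOT the poster's attachments); /24 masks are assumed.
PIX_ACL = "access-list 101 permit ip 10.1.1.0 255.255.255.0 10.50.1.0 255.255.255.0"
IOS_ACL_GOOD = "access-list 101 permit ip 10.50.1.0 0.0.0.255 10.1.1.0 0.0.0.255"
IOS_ACL_BAD = "access-list 101 permit ip 10.50.1.0 255.255.255.0 10.1.1.0 255.255.255.0"

_LINE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _net(addr, mask, wildcard):
    """Turn address + mask into a network. IOS masks are wildcards (host bits set)."""
    bits = int(ipaddress.IPv4Address(mask))
    host = bits if wildcard else bits ^ 0xFFFFFFFF  # pattern of host bits
    if host & (host + 1):  # host bits must be a solid run of low-order ones
        kind = "wildcard" if wildcard else "netmask"
        raise ValueError(f"{mask} is not a contiguous {kind}")
    return ipaddress.IPv4Network((addr, 32 - host.bit_length()))


def parse(line, wildcard):
    """Return (source, destination) networks from one 'permit ip' ACL line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, smask, dst, dmask = m.groups()
    return _net(src, smask, wildcard), _net(dst, dmask, wildcard)


def check_mirror(pix_line, ios_line):
    """List the reasons the IOS crypto ACL is not the mirror of the PIX one."""
    try:
        pix_src, pix_dst = parse(pix_line, wildcard=False)
        ios_src, ios_dst = parse(ios_line, wildcard=True)
    except ValueError as exc:
        return [f"cannot interpret ACL: {exc}"]
    problems = []
    if ios_src != pix_dst:
        problems.append(f"IOS source {ios_src} != PIX destination {pix_dst}")
    if ios_dst != pix_src:
        problems.append(f"IOS destination {ios_dst} != PIX source {pix_src}")
    return problems


if __name__ == "__main__":
    for label, ios in (("good", IOS_ACL_GOOD), ("bad", IOS_ACL_BAD)):
        print(label, check_mirror(PIX_ACL, ios) or "mirrored")
```

An empty list means both peers agree on which traffic is to be encrypted; any entry points to a mismatch in the proposed proxy identities.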