VPN addressing question

moconnor
Level 1

When configuring a VPN on the PIX you use the 'ip local pool' command to allot IP addresses to clients on the 'outside'.

I am confused about these addresses. Do they need to be from the local subnet on the inside interface of the PIX? i.e. if the inside interface subnet is 192.168.1.0, do you allot a group of addresses for VPN connections like 192.168.1.10-15? Or are they just a separate group of IPs?

Probably an elementary question, but I am confused just the same. Also, is L2TP w/ IPsec that much more difficult to implement than PPTP?

Thanks for any clarification.

9 Replies

baileja
Level 1

No, your ip local pool can be part of a separate subnet. As long as the inside network has a route back to that subnet, then you are OK. Yes, every VPN is harder to configure than PPTP. I believe PPTP is the least secure method of VPN.

Thanks for your response. Can it also be part of the inside subnet? By a route back to that subnet, what do you mean? I am full of questions tonight!

Thanks

Marc

By route back I mean your internal hosts must be able to get back to it. In most scenarios the PIX is the inside's default route out, so you wouldn't have to worry about it, but if not, you just need to ensure that your internal hosts have a route back to the new subnet you create.

Excellent! Well, my PIX is my default route for all my internal hosts already, so the subnet I create for my VPN clients won't need any special route statements in it. Is it possible to run a site-to-site VPN and also have remote client VPNs as well?

It is definitely possible to have both a site-to-site VPN and an end-user VPN configured. You would want to:

1. Rewrite the access list you use for nat 0 - you want to include statements that exclude traffic to the remote site IP block, as well as the ip local pool block.

2. Make sure your crypto map and isakmp policy sequence numbers are highest for the dynamic config for the end-user VPN.

Note that your VPN end users will not be able to access resources on the network that is connected by the site-to-site tunnel.
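As an added example (not part of the original thread or anyone's posted config), the PIX 6.x fragment below shows the two steps above side by side: one nat 0 access list that exempts both the branch network and the client pool from translation, a static crypto map entry for the site-to-site peer at a low sequence number, and the dynamic map for the software clients at the highest possible sequence number so it is only tried after every static entry fails to match. The addresses (inside 192.168.1.0/24, branch 192.168.2.0/24, branch peer 203.0.113.2, client pool 10.10.10.0/24) and all object names are assumed for illustration.

```cisco
! --- Assumed addressing: inside 192.168.1.0/24, branch 192.168.2.0/24,
! --- branch PIX outside address 203.0.113.2, client pool 10.10.10.0/24.

! Pool handed to remote-access clients; a separate subnet, not part of inside.
ip local pool vpnpool 10.10.10.1-10.10.10.50

! Step 1: one "nonat" ACL that exempts BOTH tunnel destinations from NAT.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Interesting traffic for the site-to-site tunnel only.
access-list l2l permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic map: no peer or match address, it accepts whatever client connects.
crypto dynamic-map dynmap 10 set transform-set strong

! Step 2: static site-to-site entry first (low sequence number) ...
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address l2l
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong

! ... and the dynamic entry with the HIGHEST sequence number on the same map.
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside

isakmp enable outside
isakmp identity address
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255

! Site-to-site policy (lower number is preferred) ...
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ... and the remote-access policy with the higher number.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

! Group the software clients use; DNS/WINS are pushed so hosts resolve
! by name as if on the inside network (assumed server address).
vpngroup remote address-pool vpnpool
vpngroup remote dns-server 192.168.1.5
vpngroup remote wins-server 192.168.1.5
vpngroup remote default-domain example.local
vpngroup remote idle-time 1800
vpngroup remote password ********
```

Two things worth checking after pasting something like this in: `show crypto map` lists the entries in sequence order, so the dynamic entry should appear last, and `show crypto ipsec sa` should show a separate SA for the branch network and for the client pool once traffic flows. Because the PIX is already the inside hosts' default gateway, replies to 10.10.10.x land on the PIX without any extra routes on the inside; the nat 0 line for the pool is what keeps those replies from being translated on their way back into the tunnel.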

So what way can I configure a branch office (515 headend to 501) to access resources at the main office? I read a post that pointed to information regarding replicating AD domains across a VPN, so how could I get the remote users to access things like file servers or apps over the VPN? There is no way for them to map a drive over the site-to-site? Could it be done if it was just a remote access type VPN? Thanks for your help.

Actually, if it's just mapping drives you want, then this can be done site-to-site and remote access. For the remote access, things are much easier, because you can assign DNS, WINS, etc. via your VPN group settings. Your question is how do you get remote users to access things like file servers or apps. By this I think you are referring to the users who VPN in and not site-to-site? It can be done either way. But if you are referring to remote access VPN, then when a user dials in, just assign WINS and DNS on the remote site, and when the user VPNs in, it is just like he is sitting on that network (if no restrictions are applied to the VPN). For the site-to-site it depends on your setup. Do you have multiple Windows domains at each site? To make things easier for the user you would probably want to replicate WINS databases across the site-to-site and create domain trusts. This is a much more complex method of implementation than the remote access method. Let me know if you need help setting this up. I have many configs saved from the past that I have done this with (for the remote access piece and site-to-site).

Wow, that's great info! I think you answered all my questions, so you think it would be best to have two separate domains and have a trust set up? What about replication across the VPN? Are you sure you don't mind if I drop you an email about some configs?

Thanks, Marc

Well, if you have one domain, it would be better and easier to leave that as is and place a domain controller w/ secondary WINS at the remote site and replicate data across a site-to-site VPN. If you have two domains currently, then you will need to replicate WINS and create a domain trust. Sure, email me when you're ready to set this up. I can shoot you some configs to set up the site-to-site VPN and some ACLs to allow the replication, authentication, and WINS traffic.