I am in the process of setting up 3 branch sites to one headend site with a Hub and Spoke design. All spoke sites will communicate with each other as well as Internet access through the Hub site via a 1721 router at the Hub. All VPNs will terminate on the S0 int of the 1721. Then if they want Hub LAN access they will continue through fa0. If the hub sites want Internet access, they will redirect off the S0 and out the T1. I have a Pix 515 that I would like to implement in the design. The only thing is I only have the 1721 router and one T1 to the Internet from the S0 of the 1721. If I put the Pix behind the router, the Hub LAN will have to go through the firewall for Internet as well as VPN traffic, which is fine. But the Hub Sites coming in with Internet bound traffic will not pass through the PIX. I would like to put the Pix in front of the router like in the following diagram:
Internet ->Pix->1721 VPN router->Hub LAN.
This would be fine because Internet bound traffic from the Spokes would redirect off of the S0 of the 1721, and then pass through the Pix ACLs before getting to the Internet. The only problem is that there is not a T1 CSU/DSU card for the Pix.
Question - Does anyone have a suggestion of how I can accomplish all Internet bound traffic to pass through the Pix with only my one T1, VPN router, and Pix?
In regards to my above scenario, is it possible to terminate the T1 with an external CSU/DSU and then run CAT5 from the CSU/DSU to the firewall? Is this an option so I can keep the Pix in front of the VPN router?