I have a question regarding deployment of a VPN network.
We have to provide backup over an ISDN network, so we must use the OSPF (EIGRP is also possible) routing protocol, which will be running among branch offices, regional and central headquarters. When Internet connectivity goes down, a backup connection must be established over the ISDN network. We will also use GRE encapsulation, which must be used if you want to put OSPF (multicast) traffic in an IPsec tunnel.
These are facts and we know them quite well.
But we have some additional questions :)
I think the easiest solution would be to use PIXes, but unfortunately they don't support routing protocols like OSPF. So we think that we should use PIXes for connectivity to the Internet (PPPoE), for terminating VPN tunnels and for stateful firewalling. The PIX would also be doing NAT/PAT, and behind the PIX on the local network (RFC1918 IP addressing) we would put a router with an Ethernet / ISDN WIC for backup. The router should be doing GRE and OSPF routing between locations. Also, traffic on the ISDN backup line must be encrypted.
Would it be better to put the router in front of the PIX? So the router would be doing GRE, OSPF, IPsec, NAT/PAT (unfortunately I have only 1 public IP address per location) and the PIX would be doing just stateful firewalling?
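The following is an added configuration example, not from the thread or from any of its participants. It sketches the branch-router side of the design described in the question: the router sits behind the PIX, carries OSPF inside a GRE tunnel that the PIX encrypts, and keeps a second GRE tunnel over ISDN that the router itself encrypts with a crypto map. OSPF cost prefers the Internet path; `ip ospf demand-circuit` keeps OSPF hellos from holding the ISDN call up. All addresses, hostnames, the dial string and the pre-shared key are placeholders, and it assumes the PIX's crypto ACL covers the branch-LAN-to-HQ-LAN traffic (so the GRE packets get encrypted) with NAT exempted for it.

```cisco
! Constructed example (not from the original thread). Branch router BEHIND the PIX.
! Placeholder addressing:
!   Branch LAN   10.1.0.0/24   (PIX inside = 10.1.0.1, this router = 10.1.0.2)
!   HQ LAN       10.0.0.0/24   (HQ router inside = 10.0.0.2)
!   ISDN link    198.51.100.2 (branch) <-> 198.51.100.1 (HQ)
! Assumption: the PIX encrypts 10.1.0.0/24 <-> 10.0.0.0/24 and exempts it from NAT.
hostname branch-rtr
!
interface FastEthernet0/0
 description Inside LAN; default route points at the PIX
 ip address 10.1.0.2 255.255.255.0
!
! Primary path: GRE over the Internet. OSPF multicast rides inside GRE, and the
! PIX encrypts the resulting unicast GRE packets with IPsec.
interface Tunnel0
 description GRE to HQ via Internet/PIX
 ip address 172.16.0.2 255.255.255.252
 ip ospf cost 10
 keepalive 10 3                  ! bring the tunnel down when the Internet path dies
 tunnel source FastEthernet0/0
 tunnel destination 10.0.0.2
!
! Backup path: GRE over ISDN, encrypted by this router because the PIX is not
! in the ISDN path.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set BACKUP-TS esp-3des esp-sha-hmac
!
ip access-list extended GRE-TO-HQ
 permit gre host 198.51.100.2 host 198.51.100.1
!
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set BACKUP-TS
 match address GRE-TO-HQ          ! only the GRE tunnel traffic is encrypted
!
isdn switch-type basic-net3
!
interface BRI0/0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer1
 description ISDN backup to HQ
 ip address 198.51.100.2 255.255.255.252
 encapsulation ppp
 dialer pool 1
 dialer remote-name hq-rtr
 dialer string 0123456789        ! placeholder ISDN number
 dialer idle-timeout 120
 dialer-group 1
 ppp authentication chap
 crypto map BACKUP-MAP           ! some IOS versions also want this on BRI0/0
!
interface Tunnel1
 description GRE to HQ over ISDN (encrypted by BACKUP-MAP on Dialer1)
 ip address 172.16.0.6 255.255.255.252
 ip ospf cost 100                ! worse than Tunnel0: used only when Tunnel0 is down
 ip ospf demand-circuit          ! suppress periodic hellos so the ISDN call can idle out
 tunnel source Dialer1
 tunnel destination 198.51.100.1
!
dialer-list 1 protocol ip permit
!
router ospf 1
 network 10.1.0.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.255 area 0
 passive-interface FastEthernet0/0   ! no OSPF neighbours on the LAN
!
! The primary tunnel endpoint is reached through the PIX; the /32 is longer than
! the 10.0.0.0/24 learned over the tunnel, which avoids recursive routing.
ip route 10.0.0.2 255.255.255.255 10.1.0.1
```

With the Internet path up, `show ip ospf neighbor` shows the HQ neighbour on Tunnel0 and the ISDN call idles out after the initial adjacency; when the Tunnel0 keepalive fails, OSPF reconverges onto Tunnel1 and the GRE traffic triggers the dial, which `show isdn status` and `show crypto ipsec sa` (for the BACKUP-MAP SAs) confirm. Because `match address GRE-TO-HQ` covers only GRE between the two ISDN endpoints, nothing but the tunnel itself crosses the ISDN link, which is what makes "traffic on the ISDN backup line must be encrypted" hold.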
Most of the designs that I have come across use the PIX-Router pair with the router placed in front of the PIX, in between the PIX and the Internet. The strength of this design is that this gives you a two-tiered perimeter where the router forms the first line of defence. One would need to compromise/work around the perimeter router long before he/she ever has a chance to try anything on the PIX. This is certainly more secure. However, since you need to establish a GRE tunnel to move your routing traffic across, this is not a design that you can count on... unless of course, and as the best option, you go in for two additional routers. Hope you find a way out... and maybe then you could share it with us.