Network design help

sarat1317
Level 1

Hello

I have 2 ISPs. I have internal VLANs on PIX1 unit and use ISP1 for that traffic and our main network is on 10.10.10.x. I am planning to build VPNs to all my client networks from ISP2 through a different PIX2 unit. The VPNs are for remote support purposes and to login the client servers from my location. They will be on different networks other than 10.10.10.x. But I would like to access these servers on VPNs through my 10.10.10.x network as well.

So I would like to know if it is possible to route traffic from PIX1 to PIX2 unit so 10.10.10.x can access client LANs. Please advise

Thank you


8 Replies

andrew.prince
Level 10

Simply put - yes this is possible.

Hello Andrew

Can you please explain how can I achieve this? My initial thought is to remote desktop into a server on ISP2 LAN network and access the VPNs from there. But that may create latency.

Thanks

Well, a really simple solution would involve a router on the 10.10.10.x - the router would handle the IP subnet routing to point to PIX2.

I assume that you do not have a router, so PIX1 would have to perform this function.

Let's assume that the PIX1 IP address is 10.10.10.1 and PIX2 is 10.10.10.2. For the LAN segment the default gateway is PIX1 - so all traffic will be passed into PIX1. In PIX1 you have static routes for the remote VPN subnets that point to PIX2. Depending on the version of PIXos you are running, you need to have same-security-traffic permit intra-interface enabled.

You will perform some NAT at some point; the 10/8 is pretty common and widely used.

HTH
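An added configuration sketch of the design Andrew describes (this is not configuration from the thread; it is written here as an illustration). It assumes PIX 7.x command syntax, PIX1 at 10.10.10.1 and PIX2 at 10.10.10.2 as in the post, and uses 172.16.50.0/24 as a constructed placeholder for one remote client LAN; the crypto map's peer address and transform set are omitted.

```text
! --- PIX1 (inside 10.10.10.1, default gateway for the 10.10.10.0/24 LAN) ---
! Packets from the LAN enter the inside interface and must leave through the
! same interface toward PIX2; without this the PIX drops the hairpin.
same-security-traffic permit intra-interface

! One static route per remote client subnet, next hop = PIX2's inside address.
! 172.16.50.0/24 is a constructed placeholder for a client LAN.
route inside 172.16.50.0 255.255.255.0 10.10.10.2 1

! --- PIX2 (inside 10.10.10.2, terminates the site-to-site VPNs) ---
! Crypto ACL ("interesting traffic"): 10.10.10.0/24 must be listed, otherwise
! packets forwarded by PIX1 are not sent into the tunnel.
access-list VPN_CLIENT1 extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0
crypto map CLIENTS 10 match address VPN_CLIENT1

! Exempt the same flows from NAT so the client side sees real 10.10.10.x sources
! and its own mirrored crypto ACL (172.16.50.0/24 -> 10.10.10.0/24) matches return traffic.
access-list NONAT extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After applying this, `show route` on PIX1 should list the client subnet with 10.10.10.2 as the gateway, and `show crypto ipsec sa` on PIX2 should show encaps/decaps counters increasing when a 10.10.10.x host reaches the client LAN. Note that the static route plus intra-interface permit lets every LAN host reach every routed client subnet; if only the support staff's hosts should have that access, an access-list applied inbound on PIX1's inside interface can restrict which 10.10.10.x sources may be forwarded toward the client ranges.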

Andrew

Thanks for the tip. Let me see if that works in my environment. I have a PIX515, so the same-security command should work on it.

As an alternate solution, how about connecting from LAN1 (PIX1) through a webvpn to PIX2, which will be on ISP2 on a separate LAN? Once connected through webvpn I should be able to access the site-site VPNs configured on PIX2, right?

I am just trying to eliminate my network in the loop if at all possible as I am looking at about 25 client site-site VPNs and worried about security.

Thank you

I would not do that - but it's your network, you can do what you want.

Thank you. I will update once tested through routes

Hello Andrew

I implemented this on my network and here is what I did:

PIX2 on a different network from my primary LAN - 192.168.13.x

Created VPNs on PIX2

Created a separate DMZ on PIX1 and PIX2 - 10.10.3.x

Pointed routes to each other through that DMZ

I also had to add the interesting traffic from PIX1 to client VPNs on both PIX1 and PIX2

For the return traffic to PIX1 from the client network - I had to create a VPN tunnel from the client network to PIX1

And finally I am able to reach the VPN network from internal LAN

Thinking back, I am not quite sure if it added any advantage by creating VLANs and putting PIX2 on a different network instead of putting that on the same LAN. In either case, I believe I still have to follow the same design for sending the interesting traffic and for the return traffic to/from client networks. Probably if I had a router, I may not have to mention the interesting traffic from my LAN to clients and the traffic may flow just checking the routes?

Now I have got to do some more natting to send the traffic to clients who are also on a 10.10.10.x LAN. Hopefully I will get there.

Thanks for your help.

Sarat

Sarat,

I'm happy it's working for you - but really, new IP subnets, extra VLANs, routing through DMZs, and now you need some natting...

The solution did not have to be this complex - but as I said, your network.

Good luck with it, thanks for letting us know.
