PIX Vpn Multiple Upstream providers Issue

shakeelahmadch
Level 1

Hello,

I have a difficult situation here. On my PIX I have 3 different upstream service providers' IP addresses.

We have a number of VPN users and we distribute users across the three ISPs accordingly (by priority, bandwidth, latency, etc.).

PIX has the default gateway of Service Provider 1.

VPN users are using another local ISP to connect to our PIX. But they are unable to connect via the IPs of SP#2 and SP#1 until we route the customer IPs via that interface. (We were doing it till today.)

Now we are in a situation where TWO VPN users from the same (local) ISP need to connect to different interfaces of our PIX. The IPs of both users are dynamic, so we cannot add a static route towards both interfaces.

Is there any solution to this, like when a user tries to connect VPN on an interface of the PIX, its traffic should be routed via the same interface, without any static route?

Please do give me some clue.

thanks,

Shakeel

6 Replies

shakeelahmadch
Level 1

Just to add a bit,

Clients use Cisco VPN Client Software.

johansens
Level 4

Hi there Shakeel,

I'm sorry to say it, but you'll have to redesign your network a little bit to do this. As you know, the PIX doesn't support more than one default gateway.

If you could shed some light on how your network is built, i.e. a drawing of how the ISPs are connected to your PIX, with IP ranges etc. (you could make up some new 'fake' addresses to hide this from the forum), we could possibly help you in designing a new network with as few modifications as possible.

Basically a router in front of the PIX with some clever policy routing should do what you want, but to give you the details, I'll have to have more understanding of your network.

Did it help? If so, please rate it.

Actually I have 3 routers for all 3 SPs, which are interconnected. I am thinking of using route-maps on the routers to route towards the proper router.

As I think, the packet is received by the PIX with a destination IP of a PIX interface. The PIX tries to reply via the default route, which tends to make the traffic asymmetric.

What do you suggest to catch in the route-map?

Shakeel

Hi again Shakeel,

I don't think you need route-maps yet since you use three routers. You would have to do bidirectional NAT'ing on the routers to assign a pool to each of the ISPs which you NAT the remote hosts to.

This is an example (not tested, may contain errors):

router A
!
interface ethernet0
 description towards ISP A
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface ethernet1
 description towards the PIX
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 standby ip 10.0.0.1
 standby priority 100
!
! pool that remote VPN clients arriving via ISP A are translated into
ip nat pool poolA 172.16.16.0 172.16.16.255 prefix-length 24
ip nat outside source list to-vpn pool poolA
ip nat inside source list general interface ethernet0 overload
!
! only IKE (UDP 500), NAT-T (UDP 4500) and ESP towards this router's public IP get pool NAT
ip access-list extended to-vpn
 permit esp any host 192.0.2.2
 permit udp any host 192.0.2.2 eq isakmp
 permit udp any host 192.0.2.2 eq non500-isakmp
!
ip access-list extended general
 permit ip any any
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1

router B
!
interface ethernet0
 description towards ISP B
 ip address 192.0.2.6 255.255.255.252
 ip nat outside
!
interface ethernet1
 description towards the PIX
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
 standby ip 10.0.0.1
 standby priority 95
!
ip nat pool poolB 172.16.17.0 172.16.17.255 prefix-length 24
ip nat outside source list to-vpn pool poolB
ip nat inside source list general interface ethernet0 overload
!
ip access-list extended to-vpn
 permit esp any host 192.0.2.6
 permit udp any host 192.0.2.6 eq isakmp
 permit udp any host 192.0.2.6 eq non500-isakmp
!
ip access-list extended general
 permit ip any any
!
ip route 0.0.0.0 0.0.0.0 192.0.2.5

router C
!
interface ethernet0
 description towards ISP C
 ip address 192.0.2.10 255.255.255.252
 ip nat outside
!
interface ethernet1
 description towards the PIX
 ip address 10.0.0.4 255.255.255.0
 ip nat inside
 standby ip 10.0.0.1
 standby priority 90
!
! the pool name must match the "ip nat outside source" statement that references it
ip nat pool poolC 172.16.18.0 172.16.18.255 prefix-length 24
ip nat outside source list to-vpn pool poolC
ip nat inside source list general interface ethernet0 overload
!
ip access-list extended to-vpn
 permit esp any host 192.0.2.10
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq non500-isakmp
!
ip access-list extended general
 permit ip any any
!
ip route 0.0.0.0 0.0.0.0 192.0.2.9

Now you'll have to route the different pools to the different routers on the PIX, like this:

route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route outside 172.16.16.0 255.255.255.0 10.0.0.2 1
route outside 172.16.17.0 255.255.255.0 10.0.0.3 1
route outside 172.16.18.0 255.255.255.0 10.0.0.4 1

And remember to route the inside interface of the PIX on the routers... or if you do even more NAT'ing on the PIX, then you should be set.. :)

You could also let the HSRP use a tracking object which pings some upstream device to check if the link is OK... (for the default output).

Did it help? If so, please rate it.

Um, this is a good approach, but I am unclear how to NAT my PIX via the router in reverse. Like if a packet comes in on one service provider, it's NAT'ed into the pool and then forwarded to the PIX (how is it forwarded? This is unclear, like a static NAT?).

I have public IPs from the service providers and would like to use one specific one, say 1.1.1.1, that users dial on. Your help would be great.

thanks,

Shakeel

Hi again Shakeel,

Oops, I must have forgotten the inside-source NAT'ing.. it should be like this:

RouterA:
ip nat inside source static 10.0.0.10 192.0.2.2

RouterB:
ip nat inside source static 10.0.0.10 192.0.2.6

RouterC:
ip nat inside source static 10.0.0.10 192.0.2.10

You have three ISPs.. one giving you a public IP of 192.0.2.2, another 192.0.2.6, the third 192.0.2.10.

Your PIX is on a private LAN with the routers and uses an IP of 10.0.0.10.

Now let's say a client with IP 1.2.3.4 connects to 192.0.2.2. His IP address is then NAT'ed to an IP in poolA, e.g. 172.16.16.1. The destination address is NAT'ed to 10.0.0.10, which is the PIX.

Now the IPsec connection is coming from 172.16.16.1 to 10.0.0.10 on the inside LAN. The PIX now knows where to route the return traffic due to the static route for the 172.16.16.0/24 network.

Did it help? If so, please rate it.
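As an added illustration (not from the thread), a small Python model of the design described in the replies above: each ISP router translates the remote client into its own pool and the dialled public IP into the PIX, and the PIX's per-pool static routes are what send the reply back through the router that holds the NAT state. The address plan and HSRP priorities are the ones quoted in the thread; the client address 1.2.3.4 and the "first free pool address" choice are constructed.

```python
import ipaddress

# Constructed model of the design in the replies above (addresses from the thread).
ROUTERS = {  # name -> (public IP clients dial, inside IP, outside-source NAT pool)
    "A": ("192.0.2.2", "10.0.0.2", "172.16.16.0/24"),
    "B": ("192.0.2.6", "10.0.0.3", "172.16.17.0/24"),
    "C": ("192.0.2.10", "10.0.0.4", "172.16.18.0/24"),
}
PIX_INSIDE = "10.0.0.10"   # static NAT target of every router's public IP
HSRP_VIP = "10.0.0.1"      # the PIX default gateway; router A is HSRP active (priority 100)
HSRP_ACTIVE = "A"

def pix_routing_table(per_pool_routes):
    """Static routes on the PIX: default via the HSRP VIP, optionally one route per NAT pool."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), HSRP_VIP)]
    if per_pool_routes:
        table += [(ipaddress.ip_network(pool), inside) for _, inside, pool in ROUTERS.values()]
    return table

def lookup(table, dst):
    """Longest-prefix match, returning the next hop the PIX would use for dst."""
    addr = ipaddress.ip_address(dst)
    _, nh = max((e for e in table if addr in e[0]), key=lambda e: e[0].prefixlen)
    return nh

def inbound_nat(router, client_ip):
    """Router translates the client into its pool and the dialled public IP into the PIX."""
    _, _, pool = ROUTERS[router]
    translated = str(ipaddress.ip_network(pool)[1])  # constructed: first address of the pool
    return {"src": translated, "dst": PIX_INSIDE, "nat_on": router, "client": client_ip}

def reply_next_hop(router, client_ip, per_pool_routes=True):
    """Next hop of the PIX's IKE/ESP reply, and whether that router holds the NAT state."""
    pkt = inbound_nat(router, client_ip)
    reply_dst = pkt["src"]  # the PIX answers the translated pool address
    nh = lookup(pix_routing_table(per_pool_routes), reply_dst)
    # owner of the next hop: the router with that inside IP, or the HSRP active router for the VIP
    owner = HSRP_ACTIVE if nh == HSRP_VIP else next(
        name for name, (_, inside, _) in ROUTERS.items() if inside == nh)
    return nh, owner == pkt["nat_on"]

if __name__ == "__main__":
    for name in ROUTERS:
        for per_pool in (False, True):
            nh, symmetric = reply_next_hop(name, "1.2.3.4", per_pool)
            print(f"dial via router {name}, pool routes={per_pool}: reply -> {nh}, symmetric={symmetric}")
```

Without the per-pool routes only sessions through the HSRP active router return symmetrically; replies for clients that came in via B or C are sent to the VIP, where no matching translation exists, which is the asymmetric path the question describes.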
