10-17-2005 02:43 AM
Hello,
I have a PIX 515E. I used the CA GEN RSA KEY 1024 command to generate a key. After entering this command, a message asked me to delete all the keys. In this case, does it affect my VPN link, because after using this command my VPN was disconnected.
Thanks,
VIN
10-26-2005 06:05 PM
Please note that my head office has the Internet connection, which connects to the HO router.
Thanks
VIN
10-26-2005 08:00 PM
Just wondering if the branch office accesses the Internet directly or via the head office.
Assuming the branch office has direct Internet access, then I suspect that the nat/global statement may be inaccurate.
10-26-2005 08:16 PM
Hello Jackko,
The branch office accesses the Internet via the head office. The VPN link is for backup purposes. In fact, we have an existing connection from the branch office router to the head office router by leased line, and normally the branch office accesses the data center and the Internet at the head office by leased line, but if the leased line is disconnected, we fall back to the VPN backup link. And now the problem is that when the branch office goes through the VPN link, they can't access the Internet.
Note: the head office router connects to another ISP (ISP2), and the branch office also goes to the Internet via ISP2.
Thanks
VIN
10-27-2005 03:23 PM
It may not be feasible to allow Internet browsing for the branch office via the VPN backup link, assuming that the head office PIX has the Internet as its default gateway.
E.g. provided we "tunnel everything" from the branch office via the VPN, the head office PIX receives the Internet traffic, decrypts the packets and tries to determine the next hop. Since the packets are destined for the Internet, the head office PIX will try to forward them back out the outside interface. Unfortunately, that operation is not allowed on PIX v6.x.
Alternatively, if the PIX default gateway is not the Internet link, then "tunnel everything" originated from the branch office should work.
10-27-2005 07:08 PM
10-28-2005 07:29 AM
I guess you've got 2 options.
When the leased line fails and the VPN backup kicks in, the branch office browses the Internet directly via ISP1; or
when the leased line fails and the VPN backup kicks in, the branch office browses the Internet via the head office.
Regardless of which option you choose, you'll need to configure 2 routes on the branch office router. One is the primary (i.e. the leased line); the other is a backup (i.e. the VPN link). To configure these 2 routes, you can manipulate the metrics.
Now, if you prefer to let the branch office have direct Internet access while the leased line fails, you can just configure nat/global.
Alternatively, if you prefer to let the branch office browse via the head office over the VPN, then you'll need to:
1. Have the head office PIX point to the internal router as its default gateway; configure a static route pointing to the branch office via the ISP1 link.
2. Create an ACL to "tunnel everything" for traffic originated from and destined for the branch office.
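The following is an added worked example of the second option described in the post above (browse via the head office over the VPN backup); it is not configuration from the thread and none of the addresses are the poster's. It assumes a hypothetical topology: branch LAN 192.168.2.0/24 behind a branch PIX 6.x (inside 192.168.2.1, outside 203.0.113.2, ISP1 gateway 203.0.113.1), a branch IOS router whose leased-line next hop is 10.1.1.2, and a head office PIX 6.x (outside 198.51.100.2, ISP1 gateway 198.51.100.1, inside 10.10.10.1) whose internal router 10.10.10.2 carries the ISP2 Internet link. The ACL and crypto map names, the transform set and the placeholder pre-shared key are all assumptions.

```cisco
! ---- Branch office router (IOS) ----
! Primary default route over the leased line (administrative distance 1) and a
! floating static default route via the branch PIX inside interface (AD 250).
! The floating route is installed only when the leased-line route is withdrawn,
! i.e. when the serial interface goes down.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 0.0.0.0 0.0.0.0 192.168.2.1 250

! ---- Branch office PIX (6.x) ----
! "Tunnel everything": any packet from the branch LAN is interesting traffic,
! Internet-bound or not. Assumed ACL name "vpn".
access-list vpn permit ip 192.168.2.0 255.255.255.0 any
! No NAT for tunnelled traffic; the branch LAN addresses travel as-is.
nat (inside) 0 access-list vpn
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 198.51.100.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
! Placeholder pre-shared key (assumption); replace with a real secret.
isakmp key <preshared-key> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! ---- Head office PIX (6.x) ----
! Mirror image of the branch ACL: everything to the branch LAN is tunnelled.
access-list vpn permit ip any 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
isakmp enable outside
isakmp key <preshared-key> address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
! Routing is the point of option 2: the default gateway is the internal router
! (which reaches ISP2), so decrypted branch traffic bound for the Internet
! leaves via inside instead of being turned around on outside, which PIX 6.x
! does not permit.
route inside 0.0.0.0 0.0.0.0 10.10.10.2 1
! Only the branch peer and the branch LAN are reached via ISP1 on outside. The
! branch LAN route is required so that return traffic is sent towards the
! outside interface and hits the crypto map.
route outside 203.0.113.2 255.255.255.255 198.51.100.1 1
route outside 192.168.2.0 255.255.255.0 198.51.100.1 1

! ---- Head office internal router (IOS) ----
! Return path for the branch LAN points back at the PIX inside interface.
ip route 192.168.2.0 255.255.255.0 10.10.10.1

! Option 1 instead (branch browses directly via ISP1 when the leased line fails):
! on the branch PIX, restrict the crypto ACL to head office networks and add
! PAT on the outside interface, e.g. (assumed head office range 10.0.0.0/8):
!   access-list vpn permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
!   global (outside) 1 interface
!   nat (inside) 1 192.168.2.0 255.255.255.0
```

Two things to check before relying on this. The floating static route on the branch router only takes over when the leased-line route is actually removed from the routing table, which happens when the serial interface goes down; a failure further along the line that leaves the interface up will not trigger it. And the head office internal router must include 192.168.2.0/24 in the address range it translates towards ISP2, otherwise the branch's Internet traffic will leave with private source addresses and never return.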