VPN Not Link after generate key

Phoungsakdavin
Level 1

Hello,

I have a PIX 515E. I used the `ca generate rsa key 1024` command to generate a key. After entering this command, a message asks me to delete all the keys. In this case, does it affect my VPN link, because after using this command my VPN was disconnected.

Thanks,

VIN

20 Replies

Please note that my head office has the Internet connection, which connects to the HO router.

Thanks

VIN

Just wondering if the branch office accesses the internet directly or via the head office.

Assuming the branch office has direct internet access, then I suspect that the nat/global statement may be inaccurate.

Hello Jackko,

The branch office accesses the internet via the head office. The VPN link is for backup purposes. In fact, we have an existing connection from the branch office router to the head office router by leased line, and normally the branch office accesses the data center and the internet at the head office over the leased line; but if the leased line is disconnected, we fall back to the VPN backup link. And now the problem is that when the branch office goes through the VPN link, they can't access the internet.

Note: the head office router connects to another ISP (ISP2), and the branch office also goes to the internet via ISP2.

Thanks

VIN

It may not be feasible to allow internet browsing for the branch office via the VPN backup link, assuming that the head office PIX has the internet link as its default gateway.

E.g. provided we "tunnel everything" from the branch office via the VPN, the head office PIX receives the internet traffic, decrypts the packets and tries to determine the next hop. Since the packets are destined for the internet, the head office PIX will try to forward the packets back out the outside interface. Unfortunately, that operation is not allowed on PIX v6.x.

Alternatively, if the PIX default gateway is not the internet link, then "tunnel everything" originating from the branch office should work.

Hello Jackky,

Please find the attached file for the whole network diagram and its scenario.

Please advise me, because I have tried to add routes on the router and the PIX, but still can't access the internet.

Hope to hear from you soon.

Thank you.

Regards,

VIN

I guess you've got 2 options:

When the leased line fails and the VPN backup kicks in, the branch office browses the internet directly via ISP1; or

When the leased line fails and the VPN backup kicks in, the branch office browses the internet via the head office.

Regardless of which option you choose, you'll need to configure 2 routes on the branch office router: one is the primary (i.e. the leased line); the other is a backup (i.e. the VPN link). To configure these 2 routes, you can manipulate the metrics.

Now, if you prefer to let the branch office have direct internet access while the leased line is down, you can just configure nat/global.

Alternatively, if you prefer to let the branch office browse via the head office over the VPN, then you'll need to:

1. Point the head office PIX at the internal router as its default gateway; configure a static route pointing to the branch office via the ISP1 link.

2. Create a "tunnel everything" ACL for traffic originating from and destined for the branch office.
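As an added illustration that is not part of this thread and not the poster's configuration, here is what the second option above (browse via the head office over the VPN) looks like in Cisco IOS and PIX 6.x syntax. Every address, interface name, ACL name and crypto-map name is a hypothetical placeholder; the branch router is assumed to terminate the VPN itself, the head office internal router (10.1.1.2) is assumed to handle whatever NAT ISP2 requires for the branch subnet 10.2.0.0/16, and the IKE policy and transform set are omitted. (On the original question: regenerating the PIX RSA key only disturbs an existing IKE tunnel when IKE authenticates with RSA signatures or certificates rather than a pre-shared key; the thread does not say which the poster uses.)

```cisco
! --- Branch office router (IOS; hypothetical addresses) ---
! Two default routes: the primary over the leased line, and a floating
! static over the ISP1 link with administrative distance 250, so the
! backup is only installed when the leased-line interface goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 192.0.2.1 250
!
! "Tunnel everything": any traffic from the branch LAN, to any destination,
! is interesting traffic for the crypto map on the ISP1-facing interface.
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
!
! --- Head office PIX 515E (PIX 6.x syntax; hypothetical addresses) ---
! Step 1a: default gateway is the internal router towards ISP2, not the
! outside link, so decrypted branch traffic is never sent back out the
! outside interface (which PIX 6.x does not allow).
route inside 0.0.0.0 0.0.0.0 10.1.1.2 1
! Step 1b: the branch VPN peer and the branch LAN are reached through the
! ISP1 link on the outside interface, so traffic for them hits the crypto map.
route outside 198.51.100.10 255.255.255.255 198.51.100.1 1
route outside 10.2.0.0 255.255.0.0 198.51.100.1 1
!
! Step 2: mirror image of the branch "tunnel everything" ACL. Anything
! destined for the branch LAN (including internet return traffic arriving
! from the internal router) is encrypted into the tunnel and exempt from NAT.
access-list tunnel-all permit ip any 10.2.0.0 255.255.0.0
nat (inside) 0 access-list tunnel-all
!
! Bind the ACL to the crypto map and let IPsec traffic bypass the
! outside ACL (IKE policy and transform set omitted).
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address tunnel-all
crypto map vpnmap 10 set peer 198.51.100.10
crypto map vpnmap interface outside
sysopt connection permit-ipsec
```

The two `route outside` lines are what make step 1 work: with the default route pointing inside, the PIX would otherwise try to reach the peer and the branch subnet through the internal router and never encrypt. Verify with `show route` and `show crypto ipsec sa` on the PIX that the branch prefix is associated with the outside interface and that encrypt/decrypt counters increase when the branch browses through the backup path.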