Question on dynamic routing and PIX VPN
Freddy Vs Jason
Posted: Tue Dec 06, 2005 5:20 pm    Post subject: Question on dynamic routing and PIX VPN

Hi there,

I have a diagram online. http://cjoint.com/?mgneAeP1Tt and a scenario I
am going to type here.

Let's say I am an online backup service, so I have an FTP server
farm. In order to get the files in a secure way through the Internet, my
servers are behind a PIX and I need to use an IPsec VPN to link the sites.

Let's say I have 3 customers. Those customers insist on having a
dedicated SDSL line to my location.

In front of my PIX, I have a router which I own. The routers of my 3
customers connect to this router. Note that those routers are on 3
different ISP backbones.

What technologies are involved in making sure a packet that is supposed to
reach 195.238.4.17 (a VPN peer of my customer) will go through
Belgacom's link and not through AT&T's?

Also, on the diagram I mentioned that my infrastructure is on the COLT
backbone. Well, I am not sure I need an ISP there. Can I be my own ISP
for this cross-over cable? Do I have to get in contact with an ISP to
register a subnet?

Thank You,

Freddy
Walter Roberson
Posted: Tue Dec 06, 2005 11:02 pm    Post subject: Re: Question on dynamic routing and PIX VPN

In article <4395828d$1_3@x-privat.org>,
Freddy Vs Jason <nospam@nothing.lan> wrote:
Quote:
I have a diagram online. http://cjoint.com/?mgneAeP1Tt and a scenario I
am going to type here.

Let's say I am an online backup service, so I have an FTP server
farm. In order to get the files in a secure way through the Internet, my
servers are behind a PIX and I need to use an IPsec VPN to link the sites.

Let's say I have 3 customers. Those customers insist on having a
dedicated SDSL line to my location.

In front of my PIX, I have a router which I own. The routers of my 3
customers connect to this router. Note that those routers are on 3
different ISP backbones.

What technologies are involved in making sure a packet that is supposed to
reach 195.238.4.17 (a VPN peer of my customer) will go through
Belgacom's link and not through AT&T's?

You have 3 different outside interfaces on the router. If necessary,
add static routes on the router pointing each remote destination out
the correct interface. I say "if necessary" because if your router
is configured as shown in your diagram, your router will very likely
add the routes automatically as "connected" routes.

Quote:
Also, on the diagram I mentioned that my infrastructure is on the COLT
backbone. Well, I am not sure I need an ISP there. Can I be my own ISP
for this cross-over cable? Do I have to get in contact with an ISP to
register a subnet?

You can use a private IP address range between your router and your PIX.
Before getting rid of your COLT link, though, you need to figure out
what you want to have happen with packets from inside that are destined
to somewhere other than your 3 customers. I'm sure your customers
don't want you to surf the web over your VPN connection to them ;-)
You probably need a public IP connection (such as the COLT one) in
addition to your dedicated links to your customers.

You do not need to register a subnet with your ISP, and you only
need one public IP address for your router (or none if you never need
to talk to the outside world).

What you -do- need to do, is some fancy NAT on the router.
Each packet coming in through one of the dedicated SDSL interfaces
should have its destination IP modified to the outside IP address
of the PIX (on the public or private subnet shared between the router
and the PIX.) The source address of the incoming packets can be left
alone. The PIX will receive the packet, decapsulate it, pass it inward;
when the inside replies, the PIX will examine the {now} destination IP
[e.g., 10.10.10.x], determine the proper VPN tunnel to use by searching
in the crypto maps for that source/destination combination, encapsulate
the packet with the appropriate "peer", and punt the packet out towards
the router. The router will then have to NAT the IP address of the PIX
that is in the packet source, transforming it into the appropriate public
IP address as known to that destination peer. If you set up the
incoming NAT the right way, then the router will see this operation
as a normal de-NAT and will know how to do it without specific
configuration. Note: you might find that you need to use
"policy based NAT" in order to be allowed to configure multiple
destination IPs (the public peer IPs known to your customers)
to a single IP address (the outside IP of the PIX.)


Notice that this configuration process is essentially independent
of the PIX -- nothing at all different needs to be configured on the PIX to
support it. The PIX remains ignorant of the path to each of the clients.
This is not a dynamic routing configuration as far as the PIX is concerned.
It isn't even a dynamic routing configuration as far as the router is
concerned...
--
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
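The following router configuration is an added example that illustrates Walter's answer; it is not from the thread and has not been lifted from either poster. It assumes an IOS router with one interface toward the PIX, one SDSL interface per customer and one COLT link for general Internet traffic. Every address except 195.238.4.17 (the customer peer named in the question) is assumed, as are the interface names, the customer B peer address and the route-map names. The "policy based NAT" Walter mentions is taken here to be static NAT entries keyed by route-map, which is what IOS uses to allow several global addresses to map onto one local address.

```cisco
! Added example, not the thread's own configuration. All addresses and
! interface names are assumed except the customer A peer 195.238.4.17.
!
!   Gi0/0  10.200.0.1/30   toward PIX outside interface 10.200.0.2 (private, as Walter suggests)
!   Se0/0  198.51.100.2/29 dedicated SDSL to customer A (Belgacom); customer peer 195.238.4.17
!   Se0/1  203.0.113.2/29  dedicated SDSL to customer B (AT&T);     customer peer 203.0.113.65 (assumed)
!   Gi0/1  192.0.2.2/30    COLT link, used only for traffic that is not for a customer
!
! Each link is a /29 rather than a /30 so that one spare address on the link
! (198.51.100.3 and 203.0.113.3) can be the "VPN peer address" that customer
! sees for us. Both of those addresses are NATted to the single PIX address.
!
interface GigabitEthernet0/0
 description To PIX outside
 ip address 10.200.0.1 255.255.255.252
 ip nat inside
!
interface Serial0/0
 description Dedicated SDSL to customer A (Belgacom)
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
interface Serial0/1
 description Dedicated SDSL to customer B (AT&T)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description COLT link for non-customer Internet traffic
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! Routing: a host route pins each customer's VPN peer to that customer's
! own link. A /32 always beats the default, so ESP/IKE for 195.238.4.17 can
! only leave via Serial0/0 (Belgacom), never via AT&T or COLT. If the peer
! were inside the link subnet itself the connected route would already do
! this, which is the "if necessary" in Walter's reply.
ip route 195.238.4.17 255.255.255.255 Serial0/0
ip route 203.0.113.65 255.255.255.255 Serial0/1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! NAT: one static entry per customer, each keyed by the interface the packet
! leaves on. Plain static NAT rejects two global addresses for one local
! address; the route-map keyword is what permits it.
!   outbound  10.200.0.2 -> 198.51.100.3 when the packet exits Serial0/0
!   inbound   198.51.100.3 -> 10.200.0.2 for packets arriving from customer A
! The inbound direction is the "normal de-NAT" Walter describes: the router
! rewrites the destination to the PIX address without extra configuration.
route-map VIA_CUST_A permit 10
 match interface Serial0/0
!
route-map VIA_CUST_B permit 10
 match interface Serial0/1
!
ip nat inside source static 10.200.0.2 198.51.100.3 route-map VIA_CUST_A
ip nat inside source static 10.200.0.2 203.0.113.3 route-map VIA_CUST_B
!
! Anything else from the PIX (web browsing, updates) is overloaded onto the
! COLT address, so only one public address is needed there, as Walter notes.
access-list 10 permit 10.200.0.0 0.0.0.3
ip nat inside source list 10 interface GigabitEthernet0/1 overload
```

To check the path selection, `show ip route 195.238.4.17` should name Serial0/0 as the outgoing interface, and `show ip nat translations` should list the two static entries for 10.200.0.2 once a tunnel is up. Two caveats a practitioner should verify before relying on this: whether the IOS release in use applies route-map keyed static entries in the outside-to-inside direction (inspect the translation table after the first inbound IKE packet), and that the PIX's IKE identity, which defaults to its own address 10.200.0.2, is acceptable to each customer's peer, which will see 198.51.100.3 or 203.0.113.3 as the source; if not, an agreed non-address identity or NAT traversal on both ends (`isakmp nat-traversal` on PIX 6.3 and later) is the usual remedy.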