Add Cisco Router to Pix VPN Link

[southside]

Hi All,

Apologies but I am fine with Pix but new to Routers (strange but true).

I currently have a VPN link operational between two Pix 506e's. Due to DoS symptoms on one end of the VPN I need to install a router in front of the Pix. The other Pix has an ISP router in front of it at the moment.

Therefore:
Pix A -- VPN -- ISP Router -- Pix B
(VPN Pix A to B)
needs to be:

Pix A -- Router --ISP Router -- Pix B
(VPN Pix A to B)
If the Pix A has an IP of 1.1.1.1 (example) and this IP is used on the outside interface of the Router, what configuration would I need for the Router to allow the VPN tunnel to route through to the Pix on an Internal IP between the router and Pix.

Thanks in advance.

Adrian

 

[KiscoKid]

My advice is this: Nearly all VPN solutions I've seen have pretty much been built around the PIX firewall being configured with a public address on its outside interface. Naturally your new router will need a public address too.

Typically when I've solutions like this, I request at least 2 public addresses - one for the router, one for the PIX outside interface. I configure the router's LAN interface with the 1st public address and the PIX's outside interface with the 2nd one. I configure the router's WAN interface (DSL. Frame Relay etc) with ipunnumbered (using the LAN interface as the source address). Following is a snapshot of a Cisco router config I did for an ADSL customer recently.

WSB-RO#sh run
Building configuration...
.
.
.


interface Ethernet0
ip address xx.xx.xx.xx 255.255.255.248
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip unnumbered Ethernet0
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
.
.
.

end