
Pix to Pix VPN

Oct 3, 2001
Hi all,
Setting up a small company's two sites using business-class DSL. Each site has one public IP address; setting up the two Cisco PIXes to do VPN between them should not be a problem, right? Each PIX only needs one public IP address?

Thanks in Advance
 
Unless of course you need a router to plug the PIX into, which must be on a public address - which you do.

In which case you must configure the router to forward all packets to the PIX, if that's possible. That will depend entirely on the router chosen. If you can do that, then you're fine.
 
Hey Chicocouk, I'm a little confused by your explanation.
Why would I need a router to plug my PIX firewall into? I could see it if I were setting up a DMZ zone, but for a small business wanting VPN on business-class DSL... why would I need or want a router?

Thanks in advance.
 
I'm thinking of ADSL for small businesses in the UK, so if that isn't relevant, then don't worry about it, you may be fine. But just in case:

Typically an ISP will assign you either a single IP address or a range of addresses; for a small business possibly just the one, or anything up to 6 (/29 subnet mask, 6 usable public addresses).

If you have just one address, that will be assigned to your router. Now, if that is a NAT-enabled router (which might typically in that sort of deal be a freebie one provided by your ISP), that will have two interfaces: one public, which will be assigned the public IP, and the inside address will be an RFC 1918 private address (e.g., 192.168.0.1).

Often the router will work as a DHCP server, and you can connect a hub behind it, so you might have a few devices, e.g., a couple of PCs, which get IPs from the router, so one might get 192.168.0.2, the other might get 192.168.0.3. So imagine one of those devices is your PIX, on, say, 192.168.0.4.

So the thing is, if you plug a PIX behind that router, how does the router know to forward IPsec VPN traffic to one device or the other?

If the router receives VPN traffic directed to its public address, what does it do with it? The router (in this example) is not VPN-aware, so it can't deal with it itself. It must forward the info to something else. But it's not featured enough to do that. Even if the only device behind it is the PIX, it won't necessarily NAT incoming traffic through to internal addresses. Can it NAT incoming ESP traffic, for example, which is essential for IPsec VPNs? The feature you're looking for is often sold as "IPsec pass-thru". If the router has that, you may be fine, provided the PIX is the only device directly connected to the router.

If you do get a NAT router to sit outside the PIX, be sure to turn on NAT traversal on both PIXes, which is available from 6.3 onwards on the PIX.

Another approach, if you have what a lot of small businesses end up with in the UK, a router provided by BT (through one ISP or another): if you have what they call a "no-NAT" router, which is what Cisco refer to as IP unnumbered (its outside and inside IP addresses "share" a public address), so it effectively acts as a bridge between the ADSL network and the local Ethernet network, then you can put the PIX on a SECOND IP address behind the router, and you're good to go. But that relies entirely on you buying the package where you get more than one IP, and the "no-NAT" router option. So the router is on one public IP, the PIX on another. You will have fewer configuration headaches.

I'm not trying to put you off, honestly :) It's just that I've some experience of making this work in the UK. If I can be any help, then please ask, and I'll try to explain more clearly, or help with config.

At the end of the day, the point I'm making is this: you can't plug a PIX directly into an ADSL connection on the wall in the UK. You have to connect it to a router, which then connects to the ADSL connection. So in the UK you have to consider what the router is doing, especially when VPNs are involved, because NAT can upset VPNs.

All the best

Chico
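
The point Chico makes about ESP and NAT, as an added illustration that is not part of the thread and not PIX code: a small Python model of a port-based NAT router sitting between a PIX and the Internet. It shows why a plain ESP reply (IP protocol 50, which carries no ports) has nothing for the router's translation table to match on and is dropped, why ESP encapsulated in UDP 4500 (NAT traversal) gets through, and how an "IPsec pass-thru" feature that remembers which inside host talked to which peer rescues plain ESP. The addresses, SPI values and the pass-thru bookkeeping are constructed assumptions for the model, not behaviour of any particular router.

```python
"""Toy model of a NAT router in front of a PIX (added example, not from the thread).

It models three cases from the discussion:
  1. plain NAT router, PIX sends raw ESP        -> reply dropped
  2. plain NAT router, PIX uses NAT-T (UDP/4500) -> reply forwarded
  3. router with "IPsec pass-thru", raw ESP      -> reply forwarded
The pass-thru logic (key inbound ESP on the peer address the inside host
last sent ESP to) is a simplification; real routers vary.
"""
from dataclasses import dataclass, field
from typing import Optional

ESP = 50          # IP protocol number for ESP: no transport-layer ports
UDP = 17
NAT_T_PORT = 4500 # UDP port used for NAT-traversal encapsulated ESP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    spi: Optional[int] = None   # only meaningful for ESP


@dataclass
class NatRouter:
    public_ip: str
    ipsec_passthru: bool = False
    # (UDP, inside_ip, inside_port) -> public port, or (ESP, peer_ip) -> inside_ip
    table: dict = field(default_factory=dict)
    next_port: int = 40000

    def _alloc(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record what the table can key on."""
        if pkt.proto == UDP:
            key = (UDP, pkt.src, pkt.sport)
            self.table.setdefault(key, self._alloc())
            return Packet(UDP, self.public_ip, pkt.dst, self.table[key], pkt.dport)
        if pkt.proto == ESP:
            if self.ipsec_passthru:
                # Pass-thru: remember which inside host is talking ESP to this peer
                self.table[(ESP, pkt.dst)] = pkt.src
            # A port-only NAT has nothing to record: the packet leaves, but no
            # mapping exists for the reply
            return Packet(ESP, self.public_ip, pkt.dst, spi=pkt.spi)
        raise ValueError("unsupported protocol in this model")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the router drops it."""
        if pkt.proto == UDP:
            for key, public_port in self.table.items():
                if key[0] == UDP and public_port == pkt.dport:
                    _, inside_ip, inside_port = key
                    return Packet(UDP, pkt.src, inside_ip, pkt.sport, inside_port)
            return None
        if pkt.proto == ESP:
            inside_ip = self.table.get((ESP, pkt.src))
            if inside_ip is None:
                return None   # no ports to match and no pass-thru state: dropped
            return Packet(ESP, pkt.src, inside_ip, spi=pkt.spi)
        return None


def tunnel_reply_reaches_pix(router: NatRouter, pix_ip: str, peer_ip: str, nat_t: bool) -> bool:
    """Simulate the PIX sending one tunnel packet and the peer replying."""
    if nat_t:
        out = router.outbound(Packet(UDP, pix_ip, peer_ip, NAT_T_PORT, NAT_T_PORT))
        reply = Packet(UDP, peer_ip, router.public_ip, NAT_T_PORT, out.sport)
    else:
        out = router.outbound(Packet(ESP, pix_ip, peer_ip, spi=0x1234))   # constructed SPI
        reply = Packet(ESP, peer_ip, router.public_ip, spi=0x5678)         # constructed SPI
    delivered = router.inbound(reply)
    return delivered is not None and delivered.dst == pix_ip


if __name__ == "__main__":
    # Constructed addresses from documentation ranges
    pix, peer = "192.168.0.4", "198.51.100.7"
    for passthru, nat_t in [(False, False), (False, True), (True, False)]:
        r = NatRouter("203.0.113.10", ipsec_passthru=passthru)
        print(f"pass-thru={passthru!s:5} nat-t={nat_t!s:5} ->",
              "tunnel works" if tunnel_reply_reaches_pix(r, pix, peer, nat_t) else "reply dropped")
```

The model is deliberately minimal: it only answers the question in the post, "what does the router do with the reply", for each combination of router capability and PIX setting.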

 