
Route internet traffic from remote LAN tunnel?

dagose (IS-IT--Management), Dec 27, 2001
We have multiple remote sites with 506e PIXes connecting to the head office PIX 515.

I want to have all internet traffic route through the head office PIX.
I understand that the PIX can't route traffic back out the same interface.
I have a 2651 router I would like to install to terminate all LAN-to-LAN and VPN client tunnels at the head office.

My 1st question is: where should I place the 2651 router, in front of the PIX or behind it?

2nd: configuration tips for the 2651 and PIX 515 to allow VPN traffic into the head office network, etc.

Thanks,

The goose
I'd say put it either beside or behind the PIX.

Here is a sample from Cisco on how to pass IPsec through your PIX if it goes behind.

Although it is between two IOS devices, the 2621 might as well be a PIX.

Or, if you have IP addresses on the outside, you can also have your 2651 sit parallel to the PIX, have static routes to the peer PIXes (the only routes on the external interface), and have all other traffic point in to your default LAN gateway. It helps if you have control of the router outside of your PIX, so that you can apply ACLs there also to protect the VPN router.

Whatever you choose, once the traffic from the remote offices comes out of your VPN router the PIX should be no wiser as to where it came from; it will look like internal LAN/WAN traffic to it. (The PIX is also going to need to know the route to the remote VPN LANs via your VPN router, though.)

Another thing you can do is just use a proxy server, if all you are dealing with is FTP/HTTP.

Brian
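The parallel layout Brian describes, written out as an added example (not from the thread, not Cisco's sample): the 2651 terminates one site-to-site tunnel on its outside interface, holds only a host route to the peer PIX on that side, and hands everything else, decrypted Internet-bound traffic included, to the PIX inside address. All addresses, names and the pre-shared-key placeholder are assumptions.

```cisco
! Hypothetical addresses (not from the thread):
!  VPN router outside 203.0.113.2/24, ISP gateway 203.0.113.254
!  PIX inside 10.1.0.1, VPN router inside 10.1.0.2, head-office LAN 10.1.0.0/16
!  remote site: PIX outside 198.51.100.10, remote LAN 10.2.0.0/16
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.10
crypto ipsec transform-set HQ-TS esp-3des esp-sha-hmac
!
! Hub side of the tunnel: anything heading for the remote LAN is encrypted,
! including Internet replies the PIX has de-NATed and routed back to us.
ip access-list extended SITE-A-CRYPTO
 permit ip any 10.2.0.0 0.0.255.255
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set HQ-TS
 match address SITE-A-CRYPTO
!
! The outside interface only ever sees IKE/ESP from the known peer. Classic
! IOS re-checks the decrypted packet against the same inbound ACL, hence the
! permit for the remote LAN's cleartext traffic.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.10 host 203.0.113.2
 permit ip 10.2.0.0 0.0.255.255 any
 deny ip any any log
!
interface FastEthernet0/0
 description Outside - parallel to the PIX outside interface
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map HQ-VPN
!
interface FastEthernet0/1
 description Inside - head-office LAN
 ip address 10.1.0.2 255.255.0.0
!
! The only route out the external interface is a host route to the peer PIX;
! everything else, decrypted Internet traffic included, is handed to the PIX.
ip route 198.51.100.10 255.255.255.255 203.0.113.254
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! On the PIX 515 (PIX 6.x syntax) so it knows the way back to the remote LAN:
!  route inside 10.2.0.0 255.255.0.0 10.1.0.2 1
```

Add one `crypto isakmp key` line, one crypto map entry and one host route per additional remote PIX; the PIX's own NAT and default route take care of the remote sites' Internet traffic once it arrives on the inside interface.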
Thanks Brian for the suggestions.
I will start designing a config.
Still not sure, though, which is the better solution: parallel or behind.
We need W2K server access (file, etc.) via VPN, and we already own the Cisco router, so I can't justify purchasing a proxy server as well.

Regards and thanks again

Dagoose