10 messages in net.nether.puck.cisco-nsp: [c-nsp] PIX VPN Mesh w/ OSPF

From / Sent on:
Dave Breiland, Jan 11, 2005 12:55 pm
Jim McBurnett, Jan 11, 2005 1:29 pm
Rodney Dunn, Jan 11, 2005 2:12 pm
su1droot, Jan 15, 2005 2:21 pm
Joe Maimon, Jan 15, 2005 7:17 pm
Rodney Dunn, Jan 15, 2005 7:26 pm
Dave Breiland, Jan 16, 2005 2:18 am
Rodney Dunn, Jan 16, 2005 10:10 am
su1droot, Jan 16, 2005 2:54 pm
lis...@hojmark.org, Jan 16, 2005 5:17 pm
Subject: [c-nsp] PIX VPN Mesh w/ OSPF
From: Rodney Dunn (rod@cisco.com)
Date: Jan 16, 2005 10:10:06 am
List: net.nether.puck.cisco-nsp

On Sat, Jan 15, 2005 at 11:18:13PM -0800, Dave Breiland wrote:

The main reason I am even looking at the PIX, is because we need firewalls at all locations anyways. There are currently only linux/iptables boxes acting as firewalls. I want some sort of solid-state firewall. The question I originally posted was more of a "nice-to-have" than a project necessity. I know that IOS can run as a "firewall", but haven't found it to be as easy to manage as a PIX. That's just my opinion... I'm sure others would argue the opposite. As always it's a matter of a person's familiarity. If I didn't have a need for firewalls I would probably go that route. I am probably going to have some 3750s behind the PIXes. Could I perform the GRE tunneling on those?

This may sound like a silly question... but when is 7.x expected to be released? Just curious how long it will be till we get these fun new features.

I don't know.

Rodney

Rodney Dunn wrote:

On Sat, Jan 15, 2005 at 02:22:04PM -0500, su1droot wrote:

You will have to watch out: the PIX will not route traffic between VPN tunnels in the current 6.x release. I've seen a note that this feature will be in the upcoming 7.0 release, but I don't hold my breath.

I've helped troubleshoot some issues similar to this lately. I asked this same question for a deployment we were doing yesterday, and I was told the same thing about 7.0: that it should have the ability to route traffic between VPNs.

Also, to support a routing protocol across the tunnels (since IPSec doesn't support multicast or broadcast) you should run GRE across the IPSec tunnels. We are doing a similar setup at a customer who is doing IPSec PIX to PIX and GRE from an internal router over the IPSec to an internal router at the remote end. You will have to play with ip mtu and mss values on the GRE tunnel though.

I also helped troubleshoot two issues like this last week. One was with a PIX as the IPSEC termination box and the other was with a VPN3000. The hardest thing to get working was the routing over the tunnels and at the same time make sure you do not have a recursive routing problem. Especially between the IPSEC termination box and the router sitting behind it doing the GRE termination.

Just an fyi..

Rodney

On Tue, 11 Jan 2005 09:55:49 -0800, Dave Breiland <supe@dynamicis.com> wrote:

I want to make sure I'm on the right track and haven't set myself up for failure... I have 4 offices around the US. Each site has a different ISP... connected with a T1. My plan was to have a PIX-515 at each site. I would use the PIXes to create VPNs between each and every site. My guess is that there will be times that the ISPs will have routing issues between each other. To get around this, I would think that...
- Route between Site A and Site B fails
- Site B re-routes data to Site C which still has VPN to Site A.
Presumably this would require EIGRP or OSPF. Unfortunately it looks like the PIX only supports OSPF. Is this the right direction/steps I should be taking? Am I just overcomplicating things? Has anyone had success with OSPF and the PIXes?

Thanks for any input.
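As an added example (not from any poster in this thread), here is the router-side configuration for the pattern discussed above: GRE between the internal routers, carried inside the PIX-to-PIX IPsec tunnel, with OSPF over the GRE tunnel, MTU/MSS tuned down, and a host route that prevents the recursive-routing problem. Site layout, addresses, interface names and ACL names are all assumptions.

```cisco
! Site A internal router, sitting behind PIX A (constructed example).
! Assumed addresses: PIX A inside 10.1.0.1, this router 10.1.0.2,
! Site B router 10.2.0.2 behind PIX B. The PIXes run plain IPsec
! site-to-site between their outside interfaces; the crypto ACL on
! each PIX only has to select the GRE flow between the two routers.
!
interface FastEthernet0/0
 description Inside LAN, toward PIX A
 ip address 10.1.0.2 255.255.255.0
!
interface Tunnel0
 description GRE to Site B router, inside the PIX A <-> PIX B IPsec tunnel
 ip address 172.16.12.1 255.255.255.252
 ! GRE adds 24 bytes and ESP tunnel mode adds roughly 50-60 more, so
 ! lower the tunnel MTU well below 1500 to avoid fragmenting inside the
 ! IPsec tunnel; clamp TCP MSS to MTU minus 40 (IP + TCP headers).
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! GRE carries multicast, so OSPF hellos (224.0.0.5) work over it;
 ! point-to-point avoids a needless DR/BDR election on the tunnel.
 ip ospf network point-to-point
 tunnel source FastEthernet0/0
 tunnel destination 10.2.0.2
!
! Recursive-routing guard. Site B advertises 10.2.0.0/24 across the
! tunnel; without this /32 the tunnel destination 10.2.0.2 would be
! reached via Tunnel0 itself, and IOS would flap the tunnel. The static
! host route (admin distance 1, longest match) always steers the GRE
! outer packets to the PIX.
ip route 10.2.0.2 255.255.255.255 10.1.0.1
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
router ospf 1
 network 172.16.12.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
 passive-interface FastEthernet0/0
!
! Matching PIX A side (6.x syntax, assumed names): select and NAT-exempt
! only the GRE flow between the two routers for the Site B peer.
! access-list SITEB permit gre host 10.1.0.2 host 10.2.0.2
! nat (inside) 0 access-list SITEB
! crypto map outside_map 10 match address SITEB
```

The same configuration, with the addresses mirrored, goes on the Site B router; a full mesh is one Tunnel interface and one host route per remote site.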