IPsec VPN routing and GRE tunnels

17 years 7 months ago #19689 by andrewrj
I appreciate any help anyone can offer.

Here is my situation. I have a 506e PIX at one side and a 2801 with the security-enabled IOS at the other side. The site with the 2801 is connected to the internet with a T1. At a later time, I may want to add a DSL to provide some redundancy, but not yet. The site with the 506e is actually residing within a colocation center and is fed with a 10 Mbps Ethernet connection.

Let's call the PIX side Site A and the 2801 side Site B.

Now here are the questions.

The presumed configuration for the pix will look like this:

route outside 0.0.0.0 0.0.0.0 <next hop ip> 1

nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 102 permit ip <inside network> 255.255.255.0 <site B's internal network> 255.255.255.0

sysopt connection permit-ipsec

isakmp enable outside
isakmp key <pre-shared key> address <site B wan ip> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set mycryptor esp-aes-256 esp-sha-hmac

crypto map xyz-map 5 ipsec-isakmp
crypto map xyz-map 5 match address 115
crypto map xyz-map 5 set peer <site B wan ip>
crypto map xyz-map 5 set transform-set mycryptor
crypto map xyz-map interface outside

access-list 115 permit ip <local network> 255.255.255.0 <site B's internal network> 255.255.255.0


1) ACL 102 is used to filter the NATing -- the goal is to exempt Site A internal traffic from NAT so long as it's destined for Site B's internal network. Am I using the correct statement here? Could NAT 0 and NAT 1 be combined somehow?

2) ACL 115 defines what is interesting enough to pass through the VPN. Should it then be assumed that all other traffic will leave the router via the default route in an unencrypted format? I.e., Site A's internal hosts will be able to reach the internet with no problem? Basically, will the PIX be clever enough to split the traffic and still provide dynamic ACLs with PAT for internet access at Site A?

3) At Site B the configuration will be slightly different since it's the router IOS, not the PIX. That's of no concern. That site is using a T1 to connect to the internet. Can I simply use a default route like this --> ip route 0.0.0.0 0.0.0.0 s0/1 ??? In my mind that directs traffic out the s0/1 interface but it doesn't name a next-hop IP. Is this valid, or will I need to obtain a next-hop IP from the ISP?

4) And finally my last question (thanks for all your help). I am exempting the internal networks from NAT. I want Site A local addresses to show up as exactly those addresses when they enter Site B. What makes this possible is the IPsec VPN. There's no NAT, there are no routing protocols (only static routes). So is there any reason I'd need to use GRE tunnels? No multicast traffic, no NAT (on very specific traffic).

Thanks,

Andrew
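Added example, not part of Andrew's post: a small model of how a PIX 6.x-style firewall handles questions 1 and 2. The PIX applies NAT first (the `nat (inside) 0 access-list` exemption is consulted before the `nat (inside) 1` PAT rule) and only then evaluates the crypto map `match address` ACL against the post-NAT packet. The script classifies outbound packets under that order and audits whether every crypto ACL entry is covered by a NAT-exemption entry, which is the check you want before trusting that "interesting" traffic really goes into the tunnel. All addresses (192.168.10.0/24, 192.168.20.0/24, 203.0.113.10) are constructed placeholders for Site A inside, Site B inside and the PIX outside address; the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (hypothetical, not from the post).
SITE_A_INSIDE = ipaddress.ip_network("192.168.10.0/24")   # Site A LAN behind the PIX
SITE_B_INSIDE = ipaddress.ip_network("192.168.20.0/24")   # Site B LAN behind the 2801
PIX_OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")     # address used by 'nat (inside) 1' PAT


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit ip <src> <mask> <dst> <mask>' line."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# access-list 102: nat (inside) 0 exemption; access-list 115: crypto map match address.
ACL_102 = [AclEntry(SITE_A_INSIDE, SITE_B_INSIDE)]
ACL_115 = [AclEntry(SITE_A_INSIDE, SITE_B_INSIDE)]


def acl_permits(acl, src, dst):
    """True if any entry permits this source/destination pair."""
    return any(src in entry.src and dst in entry.dst for entry in acl)


def classify(src_ip, dst_ip, nat0_acl, crypto_acl):
    """Return (action, source address on the wire) for a packet from inside to outside.

    Order modelled: 1) NAT exemption vs PAT, 2) crypto map on the post-NAT packet,
    3) anything not interesting follows the default route in the clear.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    # Step 1: 'nat (inside) 0 access-list 102' wins over 'nat (inside) 1 0 0'.
    translated_src = src if acl_permits(nat0_acl, src, dst) else PIX_OUTSIDE_IP

    # Step 2: the crypto ACL sees the translated source, not the original one.
    if acl_permits(crypto_acl, translated_src, dst):
        return "ipsec", str(translated_src)

    # Step 3: not interesting -> default route, PATed, unencrypted.
    return "clear-default-route", str(translated_src)


def audit_exemption(nat0_acl, crypto_acl):
    """Return crypto ACL entries that no NAT-exemption entry fully covers.

    Any entry returned describes traffic that would be PATed before the crypto
    map looks at it, so it would never match the tunnel and would leave in the clear.
    """
    uncovered = []
    for c in crypto_acl:
        covered = any(c.src.subnet_of(e.src) and c.dst.subnet_of(e.dst) for e in nat0_acl)
        if not covered:
            uncovered.append(c)
    return uncovered


if __name__ == "__main__":
    # Site-to-site traffic with the exemption in place: encrypted, original source kept.
    print(classify("192.168.10.5", "192.168.20.7", ACL_102, ACL_115))
    # Internet-bound traffic: PATed to the outside address and routed in the clear.
    print(classify("192.168.10.5", "198.51.100.9", ACL_102, ACL_115))
    # Same site-to-site packet if the nat 0 exemption were missing: silently bypasses the tunnel.
    print(classify("192.168.10.5", "192.168.20.7", [], ACL_115))
    print("uncovered crypto entries:", audit_exemption([], ACL_115))
```

The third `classify` call is the case worth remembering: without `nat (inside) 0`, the packet is translated to the outside address, no longer matches ACL 115, and is forwarded unencrypted toward a private destination. `audit_exemption` flags that mismatch directly from the two ACLs, so it can be run against any pair of exemption and crypto lists before the configuration goes live.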