Pix routing Branch offices and IPsec

loic.moreau
Level 1

We have a main site with a Pix 506 and a fixed IP; 3 branch offices are connected via the internet to that PIX with IPsec, using 837 routers in each branch office.

Each branch office is on a different subnet and is working like a charm; everybody can reach the servers on the main site.

Now we want to connect hosts between subnets, but as the IPsec is terminated on the same PIX interface, it is impossible.

Do you have a way to add a router (831 for example) to connect the different subnets and to correct the behaviour of the PIX?

The main site is 192.68.0.0/254
Each branch office is 10.10.11.0
10.10.12.0
10.10.12.0

Waiting for any idea (we don't want a VPN concentrator, we prefer to buy a generic router).

regards

Loïc

3 Replies

gfullage
Cisco Employee

The easiest way would be to just replace the hub PIX with the 837, as it will re-route traffic between the spoke sites. You can purchase the IOSFW feature set for the 837 and turn it into a firewall also for security of your main site.

The crypto ACL on each spoke site would then just be:

access-list 100 permit ip 10.10.11.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 192.168.0.0 0.0.255.255

and on the main hub 837 you'd have something like the following:

crypto map mymap 10 ipsec-isakmp
 set peer spokeA
 match address 100
 ...
crypto map mymap 20 ipsec-isakmp
 set peer spokeB
 match address 101
 ...
crypto map mymap 30 ipsec-isakmp
 set peer spokeC
 match address 102
 ...

access-list 100 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.12.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.10.13.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 10.10.13.0 0.0.0.255

In other words, set up each spoke to encrypt traffic from its local network to the entire 10.0.0.0/8 net and to the 192.168.0.0 net. This way each spoke will route traffic for any other spoke (provided it's a 10.0.0.0 subnet) to the hub, and the hub will re-route it back out based on its other ACLs.

Also, if these 3 hub sites are generating a large amount of traffic then you might want to look at something beefier than an 837 for the hub; but then again, if a 506 is currently handling the load OK, an 837 should have no problem. Keep in mind that it is going to be decrypting/encrypting spoke-to-spoke traffic twice, so it will carry more load than the 506 currently does.

Thanks,
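As an added illustration (not part of gfullage's reply), this Python script models how the hub evaluates the crypto ACLs quoted above: IOS wildcard matching, first match with the implicit deny, crypto-map sequence order, and the mirrored inbound check that makes spoke-to-spoke traffic get decrypted and then re-encrypted at the hub. The ACL text and peer names are copied from the reply; the test flows are constructed, and the same parser can be pointed at other `access-list ... permit ip` lines, such as ACLs 115 and 116 in the hub config posted later in the thread.

```python
import ipaddress

# Hub-side crypto ACLs from the reply above, embedded here as constructed input
HUB_ACL_TEXT = """
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.10.11.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 10.10.12.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 10.10.13.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 10.10.13.0 0.0.0.255
"""
# (sequence, peer, match-address ACL) for the "crypto map mymap" entries in the reply
HUB_CRYPTO_MAP = [(10, "spokeA", 100), (20, "spokeB", 101), (30, "spokeC", 102)]

def parse_acls(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines into {N: [entries]}."""
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) == 8 and p[0] == "access-list" and p[3] == "ip":
            acls.setdefault(int(p[1]), []).append((p[2], p[4], p[5], p[6], p[7]))
    return acls

def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) == (n & ~w)

def acl_permits(entries, src, dst):
    """First matching entry wins; no match is the implicit deny at the end of every ACL."""
    for action, snet, swild, dnet, dwild in entries:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

def outbound_peer(crypto_map, acls, src, dst):
    """Peer whose crypto-map entry (lowest sequence first) claims the outbound flow, or None."""
    for _, peer, acl in sorted(crypto_map):
        if acl_permits(acls.get(acl, []), src, dst):
            return peer
    return None

def hub_transit(crypto_map, acls, src, dst):
    """Spoke-to-spoke transit at the hub: the inbound check uses the mirror of each crypto
    ACL (src/dst swapped); the decrypted packet is then re-encrypted towards the outbound peer."""
    inbound = next((peer for _, peer, acl in sorted(crypto_map)
                    if acl_permits(acls.get(acl, []), dst, src)), None)
    return inbound, outbound_peer(crypto_map, acls, src, dst)

if __name__ == "__main__":
    acls = parse_acls(HUB_ACL_TEXT)
    print(hub_transit(HUB_CRYPTO_MAP, acls, "10.10.12.5", "10.10.11.7"))  # ('spokeB', 'spokeA')
```

A flow that no crypto ACL covers returns None on the outbound side, which is the case where the hub would forward the packet in the clear rather than through a tunnel.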

I have just ordered a 1712 for that purpose from our volume reseller. As it is equipped with VPN hardware, I think it will be enough and maybe more appropriate than an 837. For a little while I had looked at a 2611, but our branch offices have 2/3 people per site, and so I compromised on the model 1712.

I had anticipated your response a bit by crawling Google; I found some indications about hub and spoke configs, and so I already know that I have to give up my 506.

Thanks for your config, I was a bit in trouble; I will test when I receive my 1712 and will give you the results.

best regards

Loïc

The spokes are not communicating with each other.

I suppose that I have missed something.

Here is the hub 1710 config:

sh conf
Using 2844 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router1700
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
ip ids po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxxx address 0.x.x.x.x.0.0
crypto isakmp keepalive 10 5
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
crypto dynamic-map rtpmap 20
 set transform-set rtpset
 match address 116
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Vif1
 no ip address
!
interface BRI0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0
 ip address 100.100.100.205 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map rtptrans
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 x.x.x.x.100.100.201
ip route 10.10.11.0 255.255.255.0 10.10.11.1
ip route 10.10.12.0 255.255.255.0 10.10.12.1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0 overload
!
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 115 permit ip 10.0.0.0 0.255.255.255 10.10.11.0 0.0.0.255
access-list 116 permit ip 192.168.0.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 116 permit ip 10.0.0.0 0.255.255.255 10.10.12.0 0.0.0.255
access-list 120 deny ip 192.168.0.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 120 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
no cdp run
!
route-map nonat permit 10
 match ip address 120
!
control-plane
!
banner login ^Config du 18/01/2005
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
end

router1700#
