09-19-2004 11:50 PM - edited 02-20-2020 11:38 PM
Customer has a PIX firewall with 5 interfaces.
They have 2 internet links which is terminating on two separate routers.
From the routers, the links have to be terminated on different interfaces of the PIX.
He wants to use one interface for normal internet purposes and the other one for the Remote Access VPN. He wants the second link to be utilised when remote users connect to the PIX using the VPN client.
Please check this link for the network diagram.
Can this be done? If it can, please guide me on how to do it.
09-20-2004 02:33 AM
Hello,
You may run into routing issues. If you dedicate one interface for Internet access then that interface should have the default route. If your VPN clients are coming in on the second interface from anywhere, then for the ISAKMP negotiation to succeed that interface must have a route back to those clients. Unless you can specify the VPN client's source addresses in the routing table for the second interface, the PIX will route replies via the other interface and the negotiation will fail.
LAN-to-LAN tunneling will be OK, as the remote endpoint will have a static address and a host route can be added to your second interface's routing table.
Hope this helps.
Clive
09-20-2004 02:56 AM
Hi,
Thanks for looking into the issue.
For remote users to connect to the VPN I have given a pool of addresses in the firewall. Remote VPN users will get their IP address from this pool.
Will it work if I give a route to that particular network through the second interface, since the VPN clients will get IP addresses from that network?
shobith
09-20-2004 05:32 AM
Unfortunately, it still won't work. The reason is that the IPSEC traffic needs to be routed back to your remote client's ISP IP, and since that IP could be anything, there's no way to put host entries in for those.
That said, we utilize two circuits at our location. Both terminate at our edge router and we use BGP to separate VPN traffic from WWW traffic. Inbound VPN comes through one circuit, and inbound WWW through the other. All outbound traffic from us goes through the same circuit due to the default route in the PIX. For us it works well because outbound VPN is much heavier than outbound WWW (WWW is typically just the website requests).
09-21-2004 01:40 AM
Hi,
One way of doing it is with Policy-Based Routing (PBR) configured externally on a router "in front" of the PIX.
The router can be an 831, for example, if the bandwidth is not too big.
With PBR you can make statements like: "all ESP + UDP 500 and 4500" (IPSec) goes to this router, and all the rest of the traffic goes to the default route. Unfortunately the PIX does not support PBR functionality (although it has route maps for OSPF route redistribution, they cannot be used for PBR).
Let me know if you want an example config.
Regards.
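As an added illustration of the PBR approach described in the last reply (this is example configuration written for this page, not the poster's own config), the IOS fragment below steers ESP, UDP 500 (ISAKMP) and UDP 4500 (NAT-T) arriving from the PIX toward the second ISP while everything else follows the default route. Interface names and the 192.0.2.0/24, 198.51.100.1 and 203.0.113.1 addresses are placeholder assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Router sits between the PIX outside
! interface and both ISP links; the PIX keeps a single default route to it.
! Placeholder addressing: PIX outside 192.0.2.1, router inside 192.0.2.2,
! ISP1 next-hop 198.51.100.1 (default), ISP2 next-hop 203.0.113.1 (VPN).
!
! Match only the IPSec traffic the reply names: ESP, IKE (500), NAT-T (4500)
ip access-list extended IPSEC-TRAFFIC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
! Matching packets get the ISP2 next-hop; unmatched packets fall through
! to normal routing (the default route toward ISP1)
route-map VPN-VIA-ISP2 permit 10
 match ip address IPSEC-TRAFFIC
 set ip next-hop 203.0.113.1
!
! Apply the policy on the interface that faces the PIX
interface FastEthernet0/0
 description Facing PIX outside interface
 ip address 192.0.2.2 255.255.255.0
 ip policy route-map VPN-VIA-ISP2
!
interface FastEthernet0/1
 description ISP1 - general internet
 ip address 198.51.100.2 255.255.255.0
!
interface FastEthernet1/0
 description ISP2 - remote access VPN
 ip address 203.0.113.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Inbound packets from remote clients on ISP2 are simply forwarded to the PIX, and their replies are caught by the route-map on the way back out, which avoids the asymmetric-return problem raised earlier in the thread. Verify the policy with `show route-map VPN-VIA-ISP2` to confirm the match counters increase when a client connects.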