which subnet to use?

m.matteson
Level 2

I'm sort of curious about where I should end up performing certain services such as VPN and stuff like that. Right now I have a 2621 router with two T1s connected to a PIX 515E, connected to an ISA server, connected to a 3750 switch. Since we just started to roll out our VoIP, I've been configuring and replacing our older switches with 2950 switches in our other buildings on the same campus. So instead of the simple config of having the user VLAN located in those buildings, we now have smarter Cisco switches. Now I need to configure trunking for VLAN 1 (mgmt), 5 (users), and 6 (voice) to be at our buildings and come across the fiber link to the 3750. My question is: right now I have VLAN 1 existing between the PIX and ISA, then between ISA and the 3750.

So my question is, is it normal to have VLAN 1 between all these devices and just have a two-host subnet configured? I have ISA connected directly to port 1/0/1 on the 3750 and have that port set to L3 with an IP address assigned. So that means that all my VLANs, for clients, servers, and voice, get routed through this VLAN (VLAN 1) subnet 172.18.1.16.

Is this okay? Does anyone have any suggestions on what to change? Is this normal practice?

What do you guys think about the idea of getting a gigabit NIC for ISA that is VLAN aware and then just trunking it to the 3750? Is that smarter?

BTW, attached is a pic. Thanks for your input!!

Also, the router is being replaced with a 2811 at some point.

So I'm curious about where I should do my VPNing. In the PIX? In the router? What if I get an am-vpn-II plus for the PIX? Then how would my VPN clients tie into my internal network? The ISA server is in the way... just some questions. Thanks again.

3 Replies

m.mcconnell
Level 1

When you have an IP address directly on an interface, such as g1/0/1, then that is no longer a switch port; it is an L3 interface. Since it is no longer a switchport, it is not in any VLAN (think router interface). Using these small subnets as you have is normal and a good practice.

If you were literally using VLAN 1 on all of these ports, then that would be a bad practice and potentially a security risk. When using a single switch like you are (this is common these days), if the ports are L2 ports it is imperative to place all of these ports in VLANs that are specific to the purpose. For instance, router to PIX would be VLAN 2, PIX to ISA would be VLAN 3, DMZ is VLAN 4, etc. When a packet gets written to a switch port it is immediately tagged with the VLAN info, adding security to packets as they traverse the backplane. If all of the "segments" are in the same VLAN, you just lowered your security posture. Conversely, if all of these segments are in different VLANs, it is considered to be as secure as utilizing separate physical switches. It is also recommended not to use VLAN 1 for anything.

For VPN connectivity, I would terminate the VPN users on the PIX. The 2611 will be slow. Very slow if you have more than just a couple of concurrent users.

As far as suggestions for ISA, I would just dump it. I have never seen ISA produce benefits that outweigh the problems it causes.

-Mark
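The segmentation Mark describes, written out as a configuration so it can be checked line by line. This is an added example, not part of the original thread or Mark's reply. The interface names, VLANs 2, 3, 4, 10 and 99, the /30 and /24 addresses, and the next-hop toward ISA are assumptions for illustration; VLANs 1, 5 and 6, the routed port to ISA, and the 172.18.1.16 subnet come from the original post.

```cisco
! ===== 3750 (campus core) =====
! Assumed names/addresses; only VLANs 1, 5, 6 and 172.18.1.16/30 are from the thread.
ip routing
!
! One purpose-specific VLAN per "segment" (Mark's VLAN 2/3/4); VLAN 1 stays unused.
vlan 2
 name RTR-TO-PIX
vlan 3
 name PIX-TO-ISA
vlan 4
 name DMZ
vlan 5
 name USERS
vlan 6
 name VOICE
vlan 10
 name MGMT
vlan 99
 name NATIVE-UNUSED
!
! Routed port to ISA: "no switchport" makes it an L3 interface with no VLAN membership.
interface GigabitEthernet1/0/1
 description ISA internal NIC (L3, no VLAN)
 no switchport
 ip address 172.18.1.17 255.255.255.252
!
! Transit segments as L2 access ports, each locked to its own VLAN.
interface GigabitEthernet1/0/2
 description 2621 inside -> PIX outside
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description PIX inside -> ISA external
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 description DMZ servers
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
!
! Fiber trunk to a building 2950: only the VLANs that building needs,
! native (untagged) VLAN moved off VLAN 1, and DTP negotiation disabled.
interface GigabitEthernet1/0/25
 description Trunk to building 2950
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 5,6,10,99
 switchport nonegotiate
!
! Gateways for the campus VLANs live here; VLAN 1 gets no address at all.
interface Vlan1
 no ip address
 shutdown
interface Vlan5
 ip address 172.18.5.1 255.255.255.0
interface Vlan6
 ip address 172.18.6.1 255.255.255.0
interface Vlan10
 ip address 172.18.10.1 255.255.255.0
!
! Everything not local is handed to ISA on the other side of the /30.
ip route 0.0.0.0 0.0.0.0 172.18.1.18
!
! ===== 2950 (building switch, L2 only) =====
interface GigabitEthernet0/1
 description Fiber uplink to 3750
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 5,6,10,99
 switchport nonegotiate
!
! Phone port: PC traffic untagged in VLAN 5, phone traffic tagged in voice VLAN 6.
interface FastEthernet0/1
 description User PC behind IP phone
 switchport mode access
 switchport access vlan 5
 switchport voice vlan 6
 spanning-tree portfast
!
! Switch management off VLAN 1 (a 2950 allows one active SVI).
interface Vlan1
 shutdown
interface Vlan10
 ip address 172.18.10.11 255.255.255.0
ip default-gateway 172.18.10.1
```

The two settings worth checking after this is applied are `show interfaces trunk` (the native VLAN must match on both ends of the fiber, and VLAN 1 should not appear in the allowed list) and `show vlan brief` on the 3750, where Gi1/0/1 should be absent because it is a routed port rather than a member of any VLAN.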

Hey Mark, thanks for the explanation, it helped greatly.

As for ISA, I would love to see it make it to my desk as a paperweight, but since we're using it a little while longer for caching and per-user-based policies (integrated into AD), and we're publishing multi-domain, multi-certificate SSL bridging on ISA, it's going to be around for the long run.

Right now I just have the public VPN IP statically NATed to the external interface of ISA, and PPTP tunnels are terminated there. I would love to have tunnels going to the PIX and use IPsec and certificates with our CA. But if they VPN into the PIX, then they are still in front of ISA, which from its point of view is considered unsafe, sort of like outside and inside on a PIX. I have a third unused NIC on the PIX that I used to have for the DMZ, but since we use ISA the DMZ VLAN is connected to the third NIC on ISA for server publishing. What if I used the third NIC on the PIX and connected it to a fourth NIC on ISA, and then did some sort of fancy routing solution or something for VPN users to VPN into the PIX and be routed through the third PIX NIC to the fourth ISA NIC?

I know the PIX isn't a router; is it possible to do PBR?

No, there isn't any PBR on the PIX. I would probably just keep the VPN the way it is, even though IPsec is far more secure than PPTP.

-Mark
