Multiple ADSL configuration

scolombo
Cisco Employee

A customer has the following configuration:

    ADSL --- Router 837 --- PIX --- LAN
                             |
                             ----- DMZ

Now he would like to add a second ADSL, attached to the same router, to be used only for extranet VPN connections, which are to be terminated by the PIX. The configuration would look like this:

    ADSL1 --- |
              |- Router 837 --- PIX --- LAN
    ADSL2 --- |                  |
                                 ----- DMZ

The two ADSLs each provide a different IP range.

The PIX, at the moment, has its outside interface's IP address in the ADSL1 range.

I thought I might create a loopback interface on the router and create a new, private, subnet between the PIX and the router.

Then I would NAT an address from the ADSL2 IP range to the PIX's outside IP.

My questions are:

- Is this possible?

- Is there a configuration example of a similar situation I can look at?

- Can I use source routing to direct IPsec traffic through ADSL2?

Thanks

Stefano Colombo

4 Replies

ehirsel
Level 6

Since the 837 router is acting as a VPN gateway and all traffic to/from the DMZ by partners will be over the IPsec VPN, you make things simpler by doing the following:

1. Use IPsec tunnel mode, not transport mode, in your IPsec VPN configurations.

2. Keep the same link between the 837 and the PIX that you use now.

3. Since the 837 already knows how to reach the DMZ behind the PIX, you can keep those addresses hidden from partner networks by forcing them to use the 837's ADSL #2 interface as the VPN peer to reach the DMZ subnets. You can keep the current public IP addresses for the DMZ by telling your partner networks to reach those addresses by directing the traffic over the IPsec VPN to the 837 router on ADSL interface #2.

Using a separate subnet between the PIX and the 837 to accommodate the 2nd ADSL interface may complicate the PIX config. Since the ADSL connections are off of the 837 and not the PIX, and the PIX uses ASA, what will happen if the 2nd subnet connection gets dropped is that the PIX will NOT flow the traffic over the 1st subnet, since different interfaces (logical or physical) are involved. So let the 837 handle the routing.

Let me know if this helps, or if you need more help.

Hello,

I don't want the 837 to act as the VPN gateway; I want to terminate the extranet VPNs directly on the PIX.

The 837 knows nothing about the DMZ, and it doesn't need to, as the DMZ hosts are published by the PIX with ADSL1 IPs. The PIX and the 837, at the moment, share the ADSL1 public IP range.

So I thought I would need to create loopback interfaces on the 837 to terminate the ADSL IP ranges, and then use a private IP range between the 837 and the PIX to do the NAT.

Can you provide an example of how you'd do the configuration, so I can understand it better?

Thanks

Stefano

jackko
Level 7

"Now he would like to add a second ADSL, attached to the same router."

How would the 837 cope with 2 ADSL lines? The 837 is not a modular router and has only got 1 ADSL and 1 Ethernet.

I'm really sorry, I wrote 837 but it's a 1700.

Sorry for that.

Thanks for pointing it out.

Stefano
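
The thread never gets to a configuration, so here is an added IOS example of the "source routing" approach asked about in the original post (policy-based routing plus a static 1:1 NAT), written for this page and not taken from the thread or from Cisco. It follows ehirsel's advice to keep the existing ADSL1 subnet on the router-to-PIX link rather than re-addressing it, and assumes the router is the 1700 series the original poster corrected to, with two ADSL WICs. Interface names (ATM0/ATM1, Dialer1/Dialer2, FastEthernet0), the PVC, the addresses (documentation ranges) and the partner peer address are all constructed for the example, so substitute the real ones.

```cisco
! Added example, not from the thread. Assumed: 1700-series router, two ADSL
! WICs (ATM0 = ADSL1, ATM1 = ADSL2, PPPoA), FastEthernet0 toward the PIX.
! Constructed addresses:
!   ADSL1 range 192.0.2.0/29   -> router FastEthernet0 192.0.2.1, PIX outside 192.0.2.2
!   ADSL2 range 198.51.100.0/29 -> 198.51.100.2 is the address partners peer with
!   extranet partner VPN peer   -> 203.0.113.10
!
! ADSL1: the existing default path for everything, left untranslated.
interface ATM0
 no ip address
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ! deliberately no "ip nat outside": normal traffic keeps the PIX's real address
!
! ADSL2: carries only the partner IPsec sessions, translated to the ADSL2 range.
interface ATM1
 no ip address
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface Dialer2
 ip address negotiated
 encapsulation ppp
 dialer pool 2
 ip nat outside
!
! Existing link to the PIX, still carrying the ADSL1 public range.
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.248
 ip nat inside
 ip policy route-map VPN-VIA-ADSL2
!
! 1:1 static NAT: partners peer with 198.51.100.2, the router rewrites it to
! the PIX outside address. A static translation covers every IP protocol, so
! ESP (protocol 50) is translated as well as IKE (UDP/500 and UDP/4500).
ip nat inside source static 192.0.2.2 198.51.100.2
!
! Only IKE and ESP from the PIX outside address to the partner peer are
! policy routed; add one line per protocol for each additional partner.
ip access-list extended PIX-IPSEC
 permit udp host 192.0.2.2 host 203.0.113.10 eq isakmp
 permit udp host 192.0.2.2 host 203.0.113.10 eq non500-isakmp
 permit esp host 192.0.2.2 host 203.0.113.10
!
! PBR runs before inside-to-outside NAT, so the match is on the PIX's real
! address, not the translated one.
route-map VPN-VIA-ADSL2 permit 10
 match ip address PIX-IPSEC
 set interface Dialer2
!
! Everything else follows the routing table: default out ADSL1.
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Two things to check before relying on this. First, the partner configures 198.51.100.2 as its peer, but the PIX still sends its ISAKMP identity as 192.0.2.2, so confirm with the partner that their device accepts an identity that differs from the packet's source address; if it does not, switch both ends to hostname identities (on the PIX, isakmp identity hostname). Second, if Dialer2 drops, the route-map's set interface is no longer usable and the matched packets fall back to the default route out Dialer1, where no translation applies, so the partner sees IKE arriving from 192.0.2.2 and the tunnel fails until ADSL2 returns; this is the failure mode ehirsel describes, and it is the expected behaviour of this design rather than a fault to tune away.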