cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
451
Views
0
Helpful
2
Replies

Router in front of two PIXs

joe
Level 1
Level 1

Hi all -

I have a network with a 2600 connected to the internet (T-1). The ethernet port on the 2600 is connected to a PIX 515 The public interface on the 515 and the 2600 ethernet interface have public IP addresses, and the private interface has an address on my LAN (192.168.1.1) The PIX is also used for a network to network VPN to another office, and VPNs for employees at home. The network currently uses the 515 private interface (192.168.1.1) as the default gateway.

One of our suppliers is providing a second PIX (their requirement) to establish a network to network VPN back to their office.

I assume that I will need a new router in front of both PIX's, and this router would become the default gateway (Let's say 192.168.1.3).

In this new scenario, would I connect the new router to my LAN and send/receive all packets through the same interface, i.e. 192.168.1.3? Or should I reconfigure the existing PIX (private interface) to use a different network (maybe 10.10.10.1) with a second ethernet interface on the router and the private interface on the new PIX?

Hope I explained this well, and thank you all in advance for your help.

2 Replies 2

tdrais
Level 7
Level 7

I guess it depends on how many public addresses you have.

If you have a extra one just place a switch between the router and your current pix and put the second pix there. You could then cable the private interface of the new pix into your lan. Best would be to use a different vlan to connect to the pc but you could put it in the same network and configure the routing on the PC to select the proper gateway. Static routes in a PC are no fun but can be done.

If you have a /30 net then you have a couple of problems. You must place the new pix behind the current one. This means that it has to run in nat transparency mode. It also means that it cannot use the same ports as your pix is using since I assume your home pc's need to run nat transparency. You also have the problem that private interface of the new pix cannot be on the same network as the public interface. Again you can use vlans to solve this or if they have to have access to both networks at the same time you could just assign a differnet IP subnet and plug them into the same broadcast domain. I would not overlap networks unless you have no other choice.

If it is at all possible I would suggest a client based solution that you allow though your PIX. If they insist on a hardware solution I would then try to force their private network into a separate vlan and require them to move a cable between your lan and their lan. Allowing the lans to overlap as I described about is not a good idea since in effect you have routed your network and their network together.

Thank you for taking the time to reply!

I do have an extra public address, so the first option sound best. Since I have 70 users, i would rather not use static routes on the PCs, but would like to use a router. I am still confused as to the correct ip scheme though.

P.S. I also have a similar situation coming up. This site has a PIX and a concentrator in parallel. The concentrator is currently only used for remote users, but now needs to be used for a network to network VPN. Again, i assume i need a router in front of the parallel PIX and concentrator, but i have the same configuration confusion!

Thanks again!!!

Review Cisco Networking for a $25 gift card