Site-to-Site VPN config between routers with Firewallin on PIX

fmatrine
Level 1

Dear All,

I have searched the Cisco site a lot but am not getting the config for my specific requirement.

We want to connect our branch office with our central site using a site-to-site VPN between the routers of the main site and the branch office (over the Internet).

At the main site, behind the VPN router, we will be using a PIX firewall for firewalling functionality only.

Data flow:

1) Branch office users will access main site data and vice versa.

2) Restricted main site users will access the Internet.

3) Traffic destined for the Internet should not go into the VPN tunnel.

4) Traffic destined for the intranet should not go to the Internet.

5) The main site firewall will have NAT for the web servers and mail servers, which will be accessed by branch users over the intranet (VPN) as well as by mobile users over the Internet.

Kindly provide me with the sample config for the same...

Note: the PIX will not be used for VPN tunnel formation.

We are using the VPN feature set on the router for the same.

Regards

Deepak

3 Replies

sachinraja
Level 9

Hi Deepak,

Do the following:

Configure IPsec between the routers using a pre-shared key. The configuration of the PIX is going to be critical here.

When you are doing NAT for the web/mail servers to a public IP on the PIX, make sure you give the public IP as the source for the IPsec access-lists on the router. This way, these servers will be accessed by branch users over IPsec and mobile users will access them through the Internet.

Do the following on the PIX:

1) static (inside,outside) configured for the web server and the mail server.

2) Configure PAT for Internet users.

3) Configure a nonat access-list for VPN users:

nat (inside) 0 access-list nonat

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

(192.168.1.0/24 is the local network, 10.10.1.0/24 the branch network.)

By doing this, all users destined for the Internet get NATed and go via the router to the Internet, and all the VPN users will not get NATed and go through the IPsec tunnel configured on the router.

Hope you got it.

Give us the basic IP addressing details, so that we can build a configuration for you.

Router-to-router IPsec can be configured using the URL below:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml#diag
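The reply above describes three NAT steps on the PIX and tells the router's crypto access-list to match the servers' public addresses. The script below is an added example (not code from this thread or from Cisco) that models the resulting flow for Deepak's five requirements: it applies the PIX NAT steps to a packet in the order PIX 6.x uses (NAT exemption via `nat 0 access-list` first, then `static`, then dynamic PAT), reports the source address the router sees, and checks whether the router's crypto access-list would put that packet into the tunnel. Addresses come from Deepak's later post; the branch LAN is read as 192.168.2.0/24, the PAT address 202.54.1.2 is invented, and the ACL names are placeholders.

```python
from ipaddress import ip_address, ip_network

# Addressing from the thread. The branch LAN is assumed to be 192.168.2.0/24
# (the post writes "192.168.2.100/24"); 202.54.1.2 as PAT address is invented.
MAIN_LAN = ip_network("192.168.1.0/24")
BRANCH_LAN = ip_network("192.168.2.0/24")
WEB_PRIV, WEB_PUB = ip_address("192.168.1.100"), ip_address("202.54.1.10")
MAIL_PRIV, MAIL_PUB = ip_address("192.168.1.200"), ip_address("202.54.1.11")
STATICS = {WEB_PRIV: WEB_PUB, MAIL_PRIV: MAIL_PUB}   # static (inside,outside) entries
PAT_ADDRESS = ip_address("202.54.1.2")               # global (outside) PAT address (assumed)


def host(ip):
    """A /32 object, i.e. "host x.x.x.x" in an access-list."""
    return ip_network(f"{ip}/32")


# An access-list is an ordered list of (action, source_net, destination_net)
# entries, evaluated first-match with an implicit deny at the end.
NONAT_WHOLE_LAN = [("permit", MAIN_LAN, BRANCH_LAN)]          # as in the reply above
NONAT_EXCLUDING_SERVERS = [                                    # servers keep their statics
    ("deny", host(WEB_PRIV), BRANCH_LAN),
    ("deny", host(MAIL_PRIV), BRANCH_LAN),
    ("permit", MAIN_LAN, BRANCH_LAN),
]
CRYPTO_PUBLIC_SERVERS_ONLY = [                                 # router crypto ACL, public IPs only
    ("permit", host(WEB_PUB), BRANCH_LAN),
    ("permit", host(MAIL_PUB), BRANCH_LAN),
]
CRYPTO_FULL = CRYPTO_PUBLIC_SERVERS_ONLY + [("permit", MAIN_LAN, BRANCH_LAN)]


def acl_permits(acl, src, dst):
    """First-match evaluation; returns True only on a matching permit entry."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def pix_translate(src, dst, nonat_acl):
    """Source address after the PIX, using PIX 6.x NAT precedence:
    NAT exemption (nat 0 access-list) first, then static, then dynamic PAT."""
    if acl_permits(nonat_acl, src, dst):
        return src, "exempt"
    if src in STATICS:
        return STATICS[src], "static"
    return PAT_ADDRESS, "pat"


def trace(src, dst, nonat_acl, crypto_acl):
    """Follow one inside host's packet through the PIX and the VPN router."""
    src, dst = ip_address(src), ip_address(dst)
    wire_src, how = pix_translate(src, dst, nonat_acl)
    return {
        "nat": how,
        "source_on_wire": str(wire_src),
        "tunnel": acl_permits(crypto_acl, wire_src, dst),
    }


def untunneled_branch_flows(nonat_acl, crypto_acl, sources):
    """Inside hosts whose branch-bound traffic the router would NOT encrypt
    (it would be forwarded in clear or dropped instead of entering the tunnel)."""
    probe = ip_address("192.168.2.100")   # constructed branch host
    return [s for s in sources if not trace(s, probe, nonat_acl, crypto_acl)["tunnel"]]


if __name__ == "__main__":
    lan_hosts = ["192.168.1.50", str(WEB_PRIV), str(MAIL_PRIV)]
    print("LAN user -> branch:", trace("192.168.1.50", "192.168.2.100", NONAT_WHOLE_LAN, CRYPTO_FULL))
    print("LAN user -> Internet:", trace("192.168.1.50", "198.51.100.7", NONAT_WHOLE_LAN, CRYPTO_FULL))
    print("Not tunneled with whole-LAN nonat + public-only crypto ACL:",
          untunneled_branch_flows(NONAT_WHOLE_LAN, CRYPTO_PUBLIC_SERVERS_ONLY, lan_hosts))
    print("Not tunneled with servers excluded from nonat:",
          untunneled_branch_flows(NONAT_EXCLUDING_SERVERS, CRYPTO_PUBLIC_SERVERS_ONLY, lan_hosts))
```

The point the model makes visible: because NAT exemption is applied before `static`, a nonat list covering the whole 192.168.1.0/24 sends the web and mail servers over the tunnel with their private addresses, so a crypto access-list that names only 202.54.1.10 and 202.54.1.11 would leave that traffic outside the tunnel. Either the crypto access-list must also cover 192.168.1.0/24 toward the branch, or the two servers must be denied in the nonat list so their statics apply on the VPN path as well. The precedence order is the PIX 6.x behaviour as I know it; confirm it against the software release in use.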

Hi SachinRaja,

Thanks for the guidance.

One more bit of help required from you: a sample config, if you can manage it, of both the router and the firewall for my scenario, as per the addressing given.

Main site:

- LAN: 192.168.1.0/24

- PIX inside: on private

- PIX outside: on public (202.54.1.0/22)

- Internet router: Ethernet + Serial, on public IP

- Web server: internal IP 192.168.1.100

- Mail server: internal IP 192.168.1.200

- Web server: public IP 202.54.1.10

- Mail server: public IP 202.54.1.11

Remote site:

- Internet router: WAN on public IP

- LAN on private IP

- Remote site LAN: 192.168.2.100/24

Network topology: Main Site LAN - PIX - Router - ISP - Router - Remote Site LAN.

Hope this will help you in preparing the config for both the routers and the PIX with the appropriate policies as mentioned in my previous posting.

Regards

Deepak

Dear All,

Any update on the same?

Regards

Deepak