VPN Question.

[MrBadidea]

I just have a quick question about some VPN setup that I hope you can answer...

Anyway, first off, I'm having a second ADSL line installed at home (Leaving me with a 512/256 line and a 4096/256) and the same at work.

What I want to do is use the 4Mb line purely for general internet pap, and setup a second router (Probably a Cisco PIX 501) on the 512K lines (one at each end). I already have 2 D-Link DSL504s that have been working fine for years, so I want to keep them for the 4Mb lines. This would mean that at the most 2 computers at Home would be connected via the"VPN" line at a time to the Work VPN Router. Is this possible to achieve, or am I going to have to cock around with gateway addresses on the machines when I want to use the VPN?

I know very little about VPNs, but my Old Man has asked me to try and set him one up. I think I've got most of it down, its just the physical setup that I need to worry about now

 

[knucklebusted]

I probably consider your solution overkill but it will work if you really want it to.

Here's what I would do and your mileage may vary.

First, get the VPN working and make the inside address on the PIX something on the same subnet as each end of the network it will be installed on.

Second, define a static route for the other end subnet in the Dlink to use the PIX for that route.

Like this:

Work - 192.168.1.0/24
Dlink - 192.168.1.1 4000/256 DSL
DHCP and default route use this machine
Route to 192.168.2.0/24 is 192.168.1.2
PIX - 192.168.1.2 512/256 DSL
No DHCP here

Home - 192.168.2.0/24
Dlink - 192.168.2.1 4000/256 DSL
DHCP and default route use this machine
Route to 192.168.1.0/24 is 192.168.2.2
PIX - 192.168.2.2 512/256 DSL
No DHCP here
Test and smile!

 

[MrBadidea]

Thanks!

I ain't paying for it so I don't really care if its overkill or not- hell my boss asked me to build a Dual Xeon 2.8 to use as a Terminal Server for a maximum of 10 clients - Overkill++;

 

[Boscoh]

The PIX will handle your VPN stuff fine.

It's really not that difficult to setup, especially if you use a feature called EasyVPN on the PIX, as opposed to setting up everything manually.

knucklebusted gave you some good IP's to work with:
PIX 1: Inside-192.168.1.1/24
PIX 2: Inside-192.168.2.1/24 (/24 is also known as 255.255.255.0)
You could use 192.168.x.2 as opposed to x.1, that would just depend on which you like better.
Also note that if your DSL modem is acting like a router and handing out private addresses for anything behind it you'll need to enable a feature on the PIX called ISAKMP NAT Traversal, or just NAT-T.


If you need any help setting up the 501's, just start a new thread about it. I've probably done close to or over a hundred configs of PIXen, almost all of em with VPN.

 

[MrBadidea]

Thanks Bosch.

Were still planning the VPNs yet, so its going to be a few weeks atleast - we're just trying to get the 2 new servers we've got working first - SBS2003 can be a little whore when it wants to be!

You are correct, the two DSL-504s are working as routers and handing out Private Addresses to the machines behind them. As for the internal IP addresses that you've mentioned, our networks more-or-less already look like them.

 

[knucklebusted]

Originally posted by Boscoh
knucklebusted gave you some good IP's to work with:
PIX 1: Inside-192.168.1.1/24
PIX 2: Inside-192.168.2.1/24 (/24 is also known as 255.255.255.0)
You could use 192.168.x.2 as opposed to x.1, that would just depend on which you like better.

But I didn't say put the .1 on the PIX, I said put the .1 on the Dlink and put .2 on the PIX because he will need to statically map the route in the Dlink to the far side VPN via the PIX.