PIX 515 - Private T1, Public IP

aryoba
Premium,MVM
join:2002-08-22

reply to VVSneakEh
Re: PIX 515 - Private T1, Public IP

said by VVSneakEh:

For the customer that wants the public ip over the private T1, I think I'll just get a new ip range from our isp and not have any public routing for it. Well, it'll have to go through the 26xx router (it has the T1 cards) and then terminate @ the pix. So static routing end to end.

I guess my main concern right now is that other customer that wants public ips over the vpn. They even want the termination point to be a public ip. The way I would do it in linux would be making an alias for the public ip and then 1:1 natting it to our private loadbalancer ip. Am I even remotely close in regards to a similar pix configuration? Does it even do something like that?

From your description, it sounds like your customer would like to have a redundant route path between your DC and their network. One path is over the private T1 link and another path is over the Internet.

My guess is that the private link is the preferred path and the Internet is the backup path. However, you should confirm this with your customer.

If your customer uses Internet-routable (Public) IP addresses, then there should be no need to route traffic over an IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has a specific technical reason or requirement that validates the use of an IPSec tunnel.


VVSneakEh

join:2003-02-17
Toronto, ON

said by aryoba:

If your customer uses Internet-routable (Public) IP addresses, then there should be no need to route traffic over an IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has a specific technical reason or requirement that validates the use of an IPSec tunnel.

This one is actually a credit bureau; they only want ipsec vpn or dedicated T1. I can understand the requirement, but this no private ip business is painful.

aryoba
Premium,MVM
join:2002-08-22

said by VVSneakEh:

said by aryoba:

If your customer uses Internet-routable (Public) IP addresses, then there should be no need to route traffic over an IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has a specific technical reason or requirement that validates the use of an IPSec tunnel.

This one is actually a credit bureau; they only want ipsec vpn or dedicated T1. I can understand the requirement, but this no private ip business is painful.

Assuming it is correct that your customer would like to have a redundant route path between your DC and their network (where one goes over the private T1 and another goes over an IPSec tunnel), then there must be a dynamic routing protocol in place to make it work.

Typically you use either RIP or BGP as the dynamic routing protocol, although EIGRP and OSPF are common choices as well. Does your customer have a specific requirement as to which routing protocol to use?


VVSneakEh

join:2003-02-17
Toronto, ON

OK, well they've changed specs on me.. at the last minute.

One customer wants a public ip range over a dedicated T1.
One customer wants a public ip range over an ipsec vpn, which is going over the internet.

The pix is the first point of contact for the vpn customer, the T1 goes to a 26xx router and that router is connected to one of the 4 eth ports on the add-in card on the pix.

I've been looking at the spreadsheet that the T1 customer wants me to fill out; another customer is using 198/32 and 192/32 ranges as their subnets.. I'm getting really confused.

aryoba
Premium,MVM
join:2002-08-22

said by VVSneakEh:

OK, well they've changed specs on me.. at the last minute.

You really dislike it when such a thing takes place?

said by VVSneakEh:

One customer wants a public ip range over a dedicated T1.
One customer wants a public ip range over an ipsec vpn, which is going over the internet.

Are both customers using the same Public IP address to connect? Or does each customer have their own dedicated Public IP address?

said by VVSneakEh:

The pix is the first point of contact for the vpn customer, the T1 goes to a 26xx router and that router is connected to one of the 4 eth ports on the add-in card on the pix.

I've been looking at the spreadsheet that the T1 customer wants me to fill out; another customer is using 198/32 and 192/32 ranges as their subnets.. I'm getting really confused.

Can you post the network topologies to make it clearer to understand?


VVSneakEh

join:2003-02-17
Toronto, ON

We're going to use one ip for the specific T1 connection and one ip for all vpn customers.

The topology is going to change, as of tonight.

Right now,
isp -> main switch
main switch -> 2x linux boxes acting as routers/loadbalancers
linux boxes/routers -> appserver switch
app servers -> back-end (db servers & SAN)

Tonight,

isp -> main switch
main switch -> 2x pix515e (HA package)
2x T1s -> 26xx router
26xx router -> 2x pix515e
2x pix515e -> appserver switch
linux boxes/routers (now only doing loadbalancing) -> appserver switch

This means the termination point for the tunnel will be the loadbalancers, they will in turn forward to the inappropriate app server(s).

aryoba
Premium,MVM
join:2002-08-22

edit: April 16th, @02:58PM

said by VVSneakEh:

We're going to use one ip for the specific T1 connection and one ip for all vpn customers.

The topology is going to change, as of tonight.

Tonight,

isp -> main switch
main switch -> 2x pix515e (HA package)
2x T1s -> 26xx router
26xx router -> 2x pix515e
2x pix515e -> appserver switch
linux boxes/routers (now only doing loadbalancing) -> appserver switch

This means the termination point for the tunnel will be the loadbalancers, they will in turn forward to the inappropriate app server(s).

Is this tonight's topology?

Customer -- INTERNET -- ISP -- Main Switch -- 2x pix515e -- appserver switch -- linux boxes/routers
   |                                          (HA package)                      (now only doing loadbalancing)
   |                                           |
   |                                           |
   +---- 2x T1s -- 26xx router ----------------+

where there are multiple routing paths between the customer and your DC.

Or is it like this?

Customer 1 -- INTERNET -- ISP -- Main Switch -- 2x pix515e (HA package) -- appserver switch -- linux boxes/routers (now only doing loadbalancing)

Customer 2 -- 2x T1s -- 26xx router -- 2x pix515e -- appserver switch -- linux boxes/routers (now only doing loadbalancing)

where there is only a single route path between each customer and your DC.

Or probably something else?


VVSneakEh

join:2003-02-17
Toronto, ON
Each customer's traffic must be separate from each other.

The setup will be almost the same, except T1 people are going through the 26xx router before hitting the pix515e's instead of going over the internet.

aryoba
Premium,MVM
join:2002-08-22

said by VVSneakEh:

Each customer's traffic must be separate from each other.

The setup will be almost the same, except T1 people are going through the 26xx router before hitting the pix515e's instead of going over the internet.

Can you repost the topology then? FYI, you can simply use PRE tags like I did to post topology (available on the right side when you post); or you can attach a JPG file to your post.


VVSneakEh

join:2003-02-17
Toronto, ON


VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)
-or-
T1 Customer -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)

This will essentially be the goal, everything that both customers see has to be a public ip address. Doesn't mean that it has to be routable on the internet.. but it has to be public.

I guess we could always have the loadbalancers on the main switch and give them a public side and a private side. These would use the 515's as their default gateway.

aryoba
Premium,MVM
join:2002-08-22

said by VVSneakEh:

VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)
-or-
T1 Customer -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)

Questions to clarify:

1. Are those 2x pix515e, appserver switch, and loadbalancers the same physical equipment for both VPN and T1 customers and not separate equipment?

2. What is the purpose of the PIX 515E? Are they just doing firewall (traffic filter and stuff), or are they doing IPSec tunnel termination to the VPN customer?

3. Which box does the IPSec VPN tunnel termination? The loadbalancers?


VVSneakEh

join:2003-02-17
Toronto, ON

edit: April 16th, @04:41PM

1) Yes, same hardware end to end
2) We decided to bring the 515e's into the picture because of our new requirement for allowing an ipsec vpn. I'm happy about this move as we can also use them to replace linux iptables that's running on the loadbalancers.
3) I want the tunnel to terminate at the 515e, then connect to the loadbalancers via a natted ip range. The alternative would be assigning the loadbalancers a public ip address range and having the tunnel terminate at the loadbalancers. The thing is, I don't know if the 515e supports this type of connection.

aryoba
Premium,MVM
join:2002-08-22

In that case, this is one way of setting up the physical connection:

==================================== IPSEC VPN Tunnel ===================
VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515E(public) -- appserver switch -- loadbalancers(private nat)
                                                           |
                                                           |
T1 Customer -- 2x T1s -- 26xx router ----------------------+

* Connect the PIX outside interface to the Main Switch toward the Internet
* Connect the PIX DMZ interface to the 26xx router
* Terminate IPSec VPN tunnel on the PIX
* The PIX will do NAT/PAT as necessary between Public and Private IP addresses


VVSneakEh

join:2003-02-17
Toronto, ON

If I were to run that setup, what ip/range would I provide the customers for completing the tunnel?

Usually, I give them the vpn router's public ip and then I would say.. OK, 10.20.40.5 is our loadbalancing cluster.

That would be negative for them, as they only want to talk to public ips.

aryoba
Premium,MVM
join:2002-08-22

When I said the PIX would NAT/PAT as necessary, that would be the key. The NAT/PAT on the PIX between Public and Private IP addresses would probably be only for Internet access for your DC or for any outside access unrelated to the T1 and VPN customers.

The Public IP addresses for both T1 and VPN customers need not reside at the PIX. Instead they should reside on your loadbalancers. I believe the actual servers the customers access are using your internal Private IP addresses. Therefore your loadbalancers would do NAT/PAT between the associated Public and Private IP addresses. The PIX then does no NAT/PAT for these Public IP addresses, to match.

Note that there is a Public IP address on your PIX outside interface to serve as your side's IPSec VPN peer. There are ACLs that determine which traffic goes over the IPSec tunnel (encrypted) and which traffic goes straight to the Internet (unencrypted).

There is also some routing on the PIX to determine which traffic goes toward the IPSec tunnel for your VPN customers and which traffic goes toward the private T1 links for your T1 customers. This routing could be static or dynamic.
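The design aryoba lays out above (static routes choosing the interface, NAT exemption for the loadbalancers' public block, and a crypto ACL deciding what is encrypted) can be modelled to check it before touching the firewall. This is an added example, not any poster's configuration; every address below is a constructed RFC 5737 documentation value, and the order of operations (route, then NAT, then crypto ACL on the post-NAT source) is the assumption being tested.

```python
"""Model of the PIX policy sketched in the thread: static routes pick the
interface, NAT rewrites the source, then the crypto ACL decides whether the
packet enters the IPsec tunnel or leaves for the Internet in the clear.
Added example, not the posters' configuration; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass

ip, net = ipaddress.ip_address, ipaddress.ip_network

OUTSIDE_IP = ip("203.0.113.1")          # PIX outside interface, the IPsec peer address (constructed)
LB_PUBLIC = net("203.0.113.16/28")      # public block homed on the loadbalancers, NAT-exempt (constructed)
DC_PRIVATE = net("10.20.40.0/24")       # internal app/db hosts, PATed to OUTSIDE_IP (constructed)
VPN_CUSTOMER = net("198.51.100.0/24")   # credit bureau's public range, reached via IPsec (constructed)
T1_CUSTOMER = net("192.0.2.0/24")       # T1 customer's public range, via the 26xx on the DMZ (constructed)

@dataclass(frozen=True)
class Outcome:
    interface: str      # "dmz" or "outside"
    src_after_nat: str
    encrypted: bool

def route(dst) -> str:
    """Static routing: the T1 customer sits behind the DMZ, everything else follows the default route."""
    return "dmz" if dst in T1_CUSTOMER else "outside"

def nat(src) -> ipaddress.IPv4Address:
    """Identity (exemption) for the loadbalancer block, PAT for private hosts, others unchanged."""
    if src in LB_PUBLIC:
        return src
    if src in DC_PRIVATE:
        return OUTSIDE_IP
    return src

def crypto_acl(src, dst) -> bool:
    """Interesting traffic for the VPN peer, evaluated on post-NAT addresses."""
    return src in LB_PUBLIC and dst in VPN_CUSTOMER

def forward(src_ip: str, dst_ip: str) -> Outcome:
    src, dst = ip(src_ip), ip(dst_ip)
    iface = route(dst)
    src_nat = nat(src)
    encrypted = iface == "outside" and crypto_acl(src_nat, dst)
    return Outcome(iface, str(src_nat), encrypted)

def cleartext_leaks(flows) -> list:
    """Flows addressed to the VPN customer that would leave the outside interface unencrypted."""
    return [(s, d) for s, d in flows
            if ip(d) in VPN_CUSTOMER and not forward(s, d).encrypted]
```

The leak check shows why the customer-facing addresses must live on the loadbalancers and stay out of PAT: a private host that is PATed to the outside address no longer matches the crypto ACL and would reach the bureau's range unencrypted.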
© 1999-2008 dslreports.com.