VVSneakEh

join:2003-02-17
Toronto, ON

PIX 515 - Private T1, Public IP

Hello All,

A new customer will be using a dedicated/private T1 to connect to our DCs. The T1 is coming over another Cisco router, and that router will be connected to one of the PIX's interfaces.

The customer has indicated that it is policy to use ONLY public IP addresses when connecting to business partners. I can understand this policy: what if two customers are using the same non-routable private IPs, etc.

My question is, how should I go about using a public IP address for a private connection? Also, I'm sure other customers will have the same policy, but over an IPsec VPN. Would I have to do some fancy 1:1 NATing and aliasing or something along those lines?

Cheers


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by VVSneakEh:

A new customer will be using a dedicated/private T1 to connect to our DCs. The T1 is coming over another Cisco router, and that router will be connected to one of the PIX's interfaces.
Can you post the network topology?

said by VVSneakEh:

The customer has indicated that it is policy to use ONLY public IP addresses when connecting to business partners. I can understand this policy: what if two customers are using the same non-routable private IPs, etc.
From a technical perspective, you may or may not use Public IP addresses when connecting to business partners to avoid overlapping networks. You can still use private IP addresses and still avoid the overlapping network problem, assuming you and your customer create a proper network design.

I wonder though, how is the routing set up between your DC and your customer network? Are you and your customer planning to use only static routes, or is there any dynamic routing in place?

said by VVSneakEh:

My question is, how should I go about using a public IP address for a private connection?
In general, you can use any IP address (either Public or Private) to interconnect with an external network. As long as the IP addresses your network and the external network use are valid IP addresses, then it should be fine.

said by VVSneakEh:

Also, I'm sure other customers will have the same policy, but over an IPsec VPN. Would I have to do some fancy 1:1 NATing and aliasing or something along those lines?
Some NAT will most likely take place, either on your side, your customer's side, or both.

When your customer mentioned their requirement to use Public IP address, were they saying anything about specific implementation? Or were they pretty much open to any implementation, as long as Public IP address is used?


VVSneakEh

join:2003-02-17
Toronto, ON

For the customer that wants the public IP over the private T1, I think I'll just get a new IP range from our ISP and not have any public routing for it. Well, it'll have to go through the 26xx router (it has the T1 cards) and then terminate at the PIX. So static routing end to end.

I guess my main concern right now is that other customer that wants public IPs over the VPN. They even want the termination point to be a public IP. The way I would do it in Linux would be making an alias for the public IP and then 1:1 NATing it to our private loadbalancer IP. Am I even remotely close in regards to a similar PIX configuration? Does it even do something like that?



mikeeo
Premium
join:2000-03-12
Newark, DE
reply to VVSneakEh

said by VVSneakEh:

Hello All,

A new customer will be using a dedicated/private T1 to connect to our DCs. The T1 is coming over another Cisco router, and that router will be connected to one of the PIX's interfaces.

The customer has indicated that it is policy to use ONLY public IP addresses when connecting to business partners. I can understand this policy: what if two customers are using the same non-routable private IPs, etc.

My question is, how should I go about using a public IP address for a private connection? Also, I'm sure other customers will have the same policy, but over an IPsec VPN. Would I have to do some fancy 1:1 NATing and aliasing or something along those lines?

Cheers
What level engineer are you? Do you have any senior engineers that can handle this issue?

You can't do destination NAT and crypto on the same interface without doing some funky configuration.


VVSneakEh

join:2003-02-17
Toronto, ON

It's me and another guy, who is at my level or a little lower. We are actively looking for someone to help make this work, with potentially being called upon again as the project moves on; we're running out of time though.

I've always found great resources/help here, so I thought asking some questions would be a good idea.

Also as an FYI, we just passed our SAS70 audit for the year; this new stuff is going to have to pass the next one.


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to VVSneakEh

said by VVSneakEh:

For the customer that wants the public IP over the private T1, I think I'll just get a new IP range from our ISP and not have any public routing for it. Well, it'll have to go through the 26xx router (it has the T1 cards) and then terminate at the PIX. So static routing end to end.

I guess my main concern right now is that other customer that wants public IPs over the VPN. They even want the termination point to be a public IP. The way I would do it in Linux would be making an alias for the public IP and then 1:1 NATing it to our private loadbalancer IP. Am I even remotely close in regards to a similar PIX configuration? Does it even do something like that?
From your description, it sounds like your customer would like to have a redundant route path between your DC and their network. One path is over the private T1 link and another path is over the Internet.

My guess is that the private link is the preferred path and the Internet is the backup path. However, you should confirm this with your customer.

If your customer uses an Internet-routable (Public) IP address, then there should be no need to route traffic over an IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has a specific technical reason or requirement that validates the use of an IPSec tunnel.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to mikeeo

said by mikeeo:

What level engineer are you? Do you have any senior engineers that can handle this issue?
said by VVSneakEh:

It's me and another guy, who is at my level or a little lower. We are actively looking for someone to help make this work, with potentially being called upon again as the project moves on; we're running out of time though.

I've always found great resources/help here, so I thought asking some questions would be a good idea.
So far the network design sounds pretty straightforward, although some funky stuff might come into play. This is the reason why I asked if the customer has any specific implementation in mind, or if they are pretty much open to any implementation as long as it works.


VVSneakEh

join:2003-02-17
Toronto, ON
reply to aryoba

said by aryoba:

If your customer uses Internet-routable (Public) IP address, then there should be no need to route traffic over IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has specific technical reason or requirement that validates the use of IPSec tunnel.
This one is actually a credit bureau; they only want an IPsec VPN or a dedicated T1. I can understand the requirement, but this no-private-IP business is painful.


VVSneakEh

join:2003-02-17
Toronto, ON
reply to aryoba

said by aryoba:

This is the reason why I ask if the customer has any specific implementation in mind, or if they are pretty much open to any implementation as long as it works?
They essentially sent a spreadsheet asking for the tunnel specifics, the VPN router IP and the "interesting traffic" range/IPs.

I filled it out and then noticed a note at the bottom of the page saying "Security Policies require public routable addresses to be used when communicating to Business Partners. Private Address space cannot be used."

This leads me to believe that I have the ability to "just make it work"; I just can't have any private IPs as the destination range on our end of the tunnel.
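The two things this thread keeps circling back to, the partner's "no private address space" rule above and the overlap worry from the first post, can be checked before the spreadsheet goes back. This is an added example, not the posters' code: the TunnelSpec layout is an assumption modelled on the spreadsheet described above, and every address in it is constructed.

```python
"""Check proposed partner tunnel specs: every address the partner sees must be
public (the bureau's policy) and partners' ranges must not collide on our side
(the overlap worry from the first post).  Added example for this thread, not
the posters' code; TunnelSpec is an assumption modelled on the spreadsheet
described above, and every address is constructed."""
from dataclasses import dataclass
from itertools import combinations
import ipaddress

# RFC 5737 documentation prefixes stand in for real ISP-assigned blocks in the
# constructed sample; empty DOC_NETS before checking a real spec.
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

@dataclass(frozen=True)
class TunnelSpec:
    partner: str
    peer: str      # our VPN peer address as handed to the partner
    local: tuple   # "interesting traffic" on our side, i.e. what they see
    remote: tuple  # interesting traffic on the partner's side

def _net(text):
    return ipaddress.ip_network(text, strict=False)

def is_public(net):
    """Publicly routable per IANA: not RFC 1918 and not other special-use."""
    return net.is_global or any(net.subnet_of(d) for d in DOC_NETS)

def policy_findings(spec):
    """Violations of 'no private address space' for one spec; [] means OK."""
    out = []
    if not is_public(_net(spec.peer)):
        out.append(f"{spec.partner}: peer {spec.peer} is not public")
    for side in ("local", "remote"):
        for n in map(_net, getattr(spec, side)):
            if not is_public(n):
                out.append(f"{spec.partner}: {side} range {n} is private")
    return out

def overlap_findings(specs):
    """Remote ranges of different partners that overlap: the PIX could not tell
    which tunnel or T1 path a packet for the shared prefix belongs to."""
    return [f"{a.partner} {x} overlaps {b.partner} {y}"
            for a, b in combinations(specs, 2)
            for x in map(_net, a.remote) for y in map(_net, b.remote)
            if x.overlaps(y)]

# Constructed sample: the thread's design (tunnel pointed at the private
# load-balancer address), the corrected one using the ISP block, and a T1
# partner whose remote range collides with the bureau's.
AS_PROPOSED = TunnelSpec("bureau", "203.0.113.1", ("10.20.40.5/32",), ("198.51.100.0/24",))
CORRECTED = TunnelSpec("bureau", "203.0.113.1", ("203.0.113.16/28",), ("198.51.100.0/24",))
T1_PARTNER = TunnelSpec("t1", "203.0.113.2", ("203.0.113.32/28",), ("198.51.100.128/25",))
```

`policy_findings(AS_PROPOSED)` flags the 10.20.40.5 load-balancer address as private, `CORRECTED` passes, and `overlap_findings([CORRECTED, T1_PARTNER])` reports the colliding remote prefixes.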

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to VVSneakEh

said by VVSneakEh:

said by aryoba:

If your customer uses Internet-routable (Public) IP address, then there should be no need to route traffic over IPSec VPN tunnel. Your customer can just go through the Internet to connect to the Public IP address directly, unless your customer has specific technical reason or requirement that validates the use of IPSec tunnel.
This one is actually a credit bureau; they only want an IPsec VPN or a dedicated T1. I can understand the requirement, but this no-private-IP business is painful.
Assuming it is correct that your customer would like to have a redundant route path between your DC and their network (where one goes over the private T1 and another goes over an IPSec tunnel), then there must be a dynamic routing protocol in place to make it work.

Typically you use either RIP or BGP as the dynamic routing protocol, although EIGRP and OSPF are common choices as well. Does your customer have a specific requirement as to which routing protocol to use?


VVSneakEh

join:2003-02-17
Toronto, ON

OK, well they've changed specs on me at the last minute.

One customer wants a public IP range over a dedicated T1.
One customer wants a public IP range over an IPsec VPN, which is going over the internet.

The PIX is the first point of contact for the VPN customer; the T1 goes to a 26xx router and that router is connected to one of the 4 eth ports on the add-in card on the PIX.

I've been looking at the spreadsheet that the T1 customer wants me to fill out; another customer is using 198/32 and 192/32 range as their subnets. I'm getting really confused.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by VVSneakEh:

OK, well they've changed specs on me at the last minute.
You really dislike it when such a thing takes place?

said by VVSneakEh:

One customer wants a public IP range over a dedicated T1.
One customer wants a public IP range over an IPsec VPN, which is going over the internet.
Are both customers using the same Public IP address to connect? Or does each customer have their own dedicated Public IP address?

said by VVSneakEh:

The PIX is the first point of contact for the VPN customer; the T1 goes to a 26xx router and that router is connected to one of the 4 eth ports on the add-in card on the PIX.

I've been looking at the spreadsheet that the T1 customer wants me to fill out; another customer is using 198/32 and 192/32 range as their subnets. I'm getting really confused.
Can you post the network topologies to make it clearer to understand?


VVSneakEh

join:2003-02-17
Toronto, ON

We're going to use one IP for the specific T1 connection and one IP for all VPN customers.

The topology is going to change, as of tonight.

Right now,
isp -> main switch
main switch -> 2x linux boxes acting as routers/loadbalancers
linux boxes/routers -> appserver switch
app servers -> back-end (db servers & SAN)

Tonight,

isp -> main switch
main switch -> 2x pix515e (HA package)
2x T1s -> 26xx router
26xx router -> 2x pix515e
2x pix515e -> appserver switch
linux boxes/routers (now only doing loadbalancing) -> appserver switch

This means the termination point for the tunnel will be the loadbalancers; they will in turn forward to the appropriate app server(s).


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by VVSneakEh:

We're going to use one IP for the specific T1 connection and one IP for all VPN customers.

The topology is going to change, as of tonight.

Tonight,

isp -> main switch
main switch -> 2x pix515e (HA package)
2x T1s -> 26xx router
26xx router -> 2x pix515e
2x pix515e -> appserver switch
linux boxes/routers (now only doing loadbalancing) -> appserver switch

This means the termination point for the tunnel will be the loadbalancers; they will in turn forward to the appropriate app server(s).
Is this tonight's topology?

Customer -- INTERNET -- ISP -- Main Switch -- 2x pix515e -- appserver switch -- linux boxes/routers
   |                                          (HA package)                      (now only doing loadbalancing)
   |                                              |
   |                                              |
   +--- 2x T1s -- 26xx router --------------------+

where there are multiple routing path between the customer and your DC.

Or is it like this?

Customer 1 -- INTERNET -- ISP -- Main Switch -- 2x pix515e (HA package) -- appserver switch -- linux boxes/routers (now only doing loadbalancing)

Customer 2 -- 2x T1s -- 26xx router -- 2x pix515e -- appserver switch -- linux boxes/routers (now only doing loadbalancing)

where there is only a single route path between each customer and your DC.

Or probably something else?


VVSneakEh

join:2003-02-17
Toronto, ON

Each customer's traffic must be separate from each other.

The setup will be almost the same, except T1 people are going through the 26xx router before hitting the pix515e's instead of going over the internet.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by VVSneakEh:

Each customer's traffic must be separate from each other.

The setup will be almost the same, except T1 people are going through the 26xx router before hitting the pix515e's instead of going over the internet.
Can you repost the topology then? FYI, you can simply use PRE tags like I did to post topology (available on the right side when you post); or you can attach JPG file to your post.


VVSneakEh

join:2003-02-17
Toronto, ON


VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)
-or-
T1 Customer -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)

This will essentially be the goal: everything that both customers see has to be a public IP address. Doesn't mean that it has to be routable on the internet, but it has to be public.

I guess we could always have the loadbalancers on the main switch and give them a public side and a private side. These would use the 515's as their default gateway.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

said by VVSneakEh:

VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)
-or-
T1 Customer -- 2x pix515e(public) -- appserver switch -- loadbalancers(private nat)
Questions to clarify:

1. Are those 2x pix515e, appserver switch, and loadbalancers the same physical equipment for both VPN and T1 customers, and not separate equipment?

2. What is the purpose of the PIX 515E? Are they just doing firewall (traffic filter and stuff), or are they doing IPSec tunnel termination to the VPN customer?

3. Which box does the IPSec VPN tunnel termination? The loadbalancers?


VVSneakEh

join:2003-02-17
Toronto, ON

1) Yes, same hardware end to end.
2) We decided to bring the 515e's into the picture because of our new requirement for allowing an IPsec VPN. I'm happy about this move as we can also use them to replace the Linux iptables that's running on the loadbalancers.
3) I want the tunnel to terminate at the 515e, then connect to the loadbalancers via a NATed IP range. The alternative would be assigning the loadbalancers a public IP address range and having the tunnel terminate at the loadbalancers. The thing is, I don't know if the 515e supports this type of connection.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

In that case, this is one way of setting up the physical connection:


==================================== IPSEC VPN Tunnel ===================
VPN Customer(public) -- INTERNET -- ISP -- Main Switch -- 2x pix515E(public) -- appserver switch -- loadbalancers(private nat)
                                                              |
                                                              |
T1 Customer -- 2x T1s -- 26xx router -------------------------+

* Connect the PIX outside interface to the Main Switch toward the Internet
* Connect the PIX DMZ interface to the 26xx router
* Terminate IPSec VPN tunnel on the PIX
* The PIX will do NAT/PAT as necessary between Public and Private IP addresses


VVSneakEh

join:2003-02-17
Toronto, ON

If I were to run that setup, what IP/range would I provide the customers for completing the tunnel?

Usually, I give them the VPN router's public IP and then I would say, OK, 10.20.40.5 is our loadbalancing cluster.

That would be negative for them, as they only want to talk to public IPs.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

When I said the PIX would NAT/PAT as necessary, that would be the key. The NAT/PAT on the PIX between Public and Private IP addresses would probably be only for Internet access for your DC, or for any outside access unrelated to the T1 and VPN customers.

The Public IP addresses for both the T1 and VPN customers do not need to reside on the PIX. Instead they should reside on your loadbalancers. I believe the actual servers the customers access are using your internal Private IP addresses. Therefore your loadbalancers would do NAT/PAT between the associated Public and Private IP addresses. The PIX then does no NAT/PAT for these Public IP addresses.

Note that there is a Public IP address on your PIX outside interface to serve as your side's IPSec VPN peer. There are ACLs that determine which traffic goes over the IPSec tunnel (encrypted) and which traffic goes straight to the Internet (unencrypted).

There is also some routing on the PIX to determine which traffic goes toward the IPSec tunnel for your VPN customers and which traffic goes toward the private T1 links for your T1 customers. This routing could be static or dynamic.