Setting Up A VPN on CISCO 2600 / 2500 / PIX520?
Haakon asks: "I'm considering setting up a VPN across our USA offices by upgrading the existing 2600 / 2500 routers to FW / VPN feature set. My question relates to some 'Cisco' advice passed on by our supplier: to establish a VPN link between the USA and an existing PIX520 in Europe apparently we have to use another PIX520 in the USA -- Why is this?"
trustworthy advice? (Score:2)
Is the 'supplier' you mention the place that supplies your networking hardware? If so, I'd trust their advice about as much as I would the answer resulting from asking a car salesman "do I need a new car?" or "is leasing wiser than buying financially?". At the very least you should get a second opinion (e.g. usenet, other sysadmins in the area, etc) from somebody who doesn't stand to gain $$$ from your buying new networking kit.
--
Linux (Score:1)
PIX-to-PIX VPN (Score:1)
Ask Cisco (Score:1)
Why don't you check yourself on CCO?
Or better, why don't you ask a question on the Cisco Open Forum [cisco.com]?
Cisco VPN (Score:2)
It sounds like your vendor is trying to milk you for a buck, or they don't know what they are talking about. The only exception to this is if your 2500/2600 is already under such heavy load that it can't handle the CPU overhead of the encryption. The 2600s have hardware DES accelerators for the NAM slot that can greatly improve VPN performance. You would still have to bump up your RAM and Flash to the IOS specs of choice.
A few notes for the fray:
A PIX-to-IOS-Firewall VPN is fairly easy. You can use 3DES on both ends (if you can legally get it offshore) or DES for other stuff. To my knowledge the PIX doesn't support Cisco proprietary encryption, so IPSec would be the way to go. Set up the connections with the same group key on ISAKMP and the same IPSec tunnel parameters and you should be ready to roll.
The only caveat is that your router should have IOS 12.1 or higher (12.1(4) has a NAT bug) - the 12.0 series has troubles with VPN key negotiation. The other option is to manually exchange the keys and SPIs on a 12.0 IOS version but that is difficult to get right and not recommended for the weak at heart.
User interfaces for PIX or IOS-Firewall configuration are lacking at best. The Cisco tools available are difficult to follow, rather unintuitive, and lagging behind the firmware releases in the development cycle by about 6 months. The command line isn't too difficult for those with some router experience, although the PIX is sorta unique. Just remember "the PIX is not a router" - it does not support routing protocols (other than simplified RIP) or many interfaces other than Ethernet. It also has a weird arrangement for access-lists. Check this Cisco page for command notes:
http://www.cisco.com/univercd/cc/td/doc/product/i
You would be better off monitoring with a syslog stream on the secure fringes of your VPN and a server-side script to parse out violations.
Hope this helps...
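The "same ISAKMP key, same IPSec parameters on both ends" advice above, written out as a minimal IOS-to-PIX site-to-site configuration. This is an added example, not configuration from the poster or from Cisco's documentation; it assumes an IOS 12.1 router with an IPsec 3DES feature set on the US side and a PIX 520 running PIX 6.x on the EU side. The addresses (192.0.2.1 for the router, 203.0.113.9 for the PIX, LANs 10.10.0.0/16 and 10.20.0.0/16), the map/transform-set/ACL names and the `<shared-secret>` placeholder are all made up for the example; lines starting with `!` are annotation for the reader, not part of the configuration.

```text
! ---- US side: IOS router, outside 192.0.2.1 on Serial0, LAN 10.10.0.0/16 ----
! Phase 1 (ISAKMP) policy: must match the PIX policy below parameter for parameter
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key: identical string on both boxes, bound to the peer address
crypto isakmp key <shared-secret> address 203.0.113.9
!
! Phase 2 (IPsec) transform set: the PIX must offer the same ESP cipher/HMAC
crypto ipsec transform-set EU-SET esp-3des esp-sha-hmac
!
! Interesting traffic (IOS uses wildcard masks): US LAN <-> EU LAN
access-list 110 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map EU-MAP 10 ipsec-isakmp
 set peer 203.0.113.9
 set transform-set EU-SET
 match address 110
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 crypto map EU-MAP
!
! If the router also does NAT/PAT to the Internet, exempt the VPN traffic
! from translation, otherwise it never matches access-list 110 after NAT
access-list 120 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 120 permit ip 10.10.0.0 0.0.255.255 any
route-map NONAT permit 10
 match ip address 120
ip nat inside source route-map NONAT interface Serial0 overload
!
! ---- EU side: PIX 520, outside 203.0.113.9, LAN 10.20.0.0/16 ----
! PIX access-lists use normal subnet masks, not wildcards
access-list vpn-us permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
! nat 0: do not translate traffic headed into the tunnel
nat (inside) 0 access-list vpn-us
! let decrypted tunnel traffic bypass the conduit/access-list checks on the outside interface
sysopt connection permit-ipsec
crypto ipsec transform-set US-SET esp-3des esp-sha-hmac
crypto map US-MAP 10 ipsec-isakmp
crypto map US-MAP 10 match address vpn-us
crypto map US-MAP 10 set peer 192.0.2.1
crypto map US-MAP 10 set transform-set US-SET
crypto map US-MAP interface outside
isakmp enable outside
isakmp identity address
isakmp key <shared-secret> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Once both ends are configured, generate traffic from one LAN to the other and check `show crypto isakmp sa` (Phase 1 should reach QM_IDLE) and then `show crypto ipsec sa` (packet counters on both ends should increase) on each box; if Phase 1 never completes, `debug crypto isakmp` on the router will show whether the peer rejected the policy proposal or the pre-shared key, which is almost always one side having a different encryption, hash, DH group or key string from the other.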
Re:Linux (Score:2)
There were some early cisco routers that used intel boards in the multibus chassis, but then when the MGS/CGS line came out, cisco had completely switched to a motorola architecture. That was when IOS really started. The earliest boxes ran a stripped down variant of M$ Xenix, they were quite fun to play around with.
The AGS+ boxen in my workshop have CSC/3 boards, with a 68030 running at 25MHz, and a CSC/4 board with a 68040 at 50MHz. I was certain I had seen a 386 board somewhere in my pile of spares; perhaps one of the peripherals used it. The TR and FDDI boards use an AMD processor. Some cisco acquisitions used intel, such as the Combinet ISDN routers, rebranded as the 700 series. But the more recent 800 series switched to a motorola controller.
Never post before the first 3 cups of coffee have taken effect
the AC
We did it in the states (Score:1)
Only if you have extensive IOS experience (Score:1)
While this isn't too bad for us since our networking guy has IOS experience, it can get really irritating when he's out and one of us has to set up new firewall rules for testing. I think ipchains is more flexible and easier to use than the PIX!!
The client software sucks. This is really where admin becomes a bear. There is no easy way to change authentication methods; as a matter of fact, I believe the PIX only supports shared token authentication. Only the high-end models support RADIUS.
While I'm sure the PIX is a good product, it has not worked well for what we needed it for, and if I had to do it a second time, I would definitely shop around.
Perhaps it's due to export controls? (Score:1)
Re:Linux (Score:1)
-- Eat your greens or I'll hit you!
That doesn't sound right to me. (Score:1)
But the short answer to your question is that it should work fine without any PIXes anywhere. We're running IOS 12.1.3a. It seems to work well. (And, if you've got memory spewing out your orifices, you can try the T images, and you can ssh into your router, if you so desire.)
PIX (Score:1)
GRE (Score:1)
Re:Ask Cisco (Score:1)
Re:Linux (Score:2)
I am just using the boxes to do frame relay switching for testing routing protocols, and this hardware still supports old interfaces like FDDI and token ring so I can study for CCIE renewals. It chugs along, and except for drawing enough power to dim the lights in the neighborhood, it's enough.
I suspect much of cisco's code has been quietly forked into the open source community, because so many of the networking features available on Linux and BSD work surprisingly well with cisco routers, with the possible exception of ISAKMP protocols which are still being thrashed about and generally don't work well. I know of several
the AC
The supplier might not know how (Score:2)
Over the last weekend I set up a test VPN using the same exact hardware you have. Cisco has a lot of documentation on setting up VPNs with their products. But almost all of it is IOS -to- IOS or PIX -to- PIX; there is only _one_ example document that shows how to set up an IOS -to- PIX VPN. But like another poster stated, the first time is a bear, after that it is easy. So, your vendor might not know how to do an IOS -to- PIX VPN, only PIX -to- PIX. That is why they state that you must have a PIX.
And on cisco equipment in general, I have cisco routers, switches, firewalls, and localdirectors. They all rock! All my servers are linux, all the network hardware is cisco. It is a hard combination to beat.
--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@localhost.pricegrabber.com
http://www.pricegrabber.com
"Linux: Because rebooting is for adding new hardware"
Re:Linux (Score:1)
I'm racking my brain here, what Cisco equipment uses a 386? I know some of the more off-the-wall stuff like Localdirector, Cache Engine, etc. run on Intel gear, but I'm not aware of any IOS-based routers that do.