Network Security Firewalls

RE: Multi IPSEC tunnel between 4 x PIX

Subject: RE: Multi IPSEC tunnel between 4 x PIX
Date: Wed, 23 Mar 2005 07:59:47 -0700
On Fri, 2005-03-18 at 11:58 +1100, Jason Ha wrote:
> Heya Anthony,
>
> Are you talking about a full-mesh? It certainly is possible, but it's
> rather messy to maintain from an administrative perspective. I don't
> have a configuration handy (though I would be happy to work through one
> with you), but more or less, each firewall will have a tunnel to the
> other 3 firewalls (a total of 6 tunnels). Sorry to keep harping on about
> PIX OS 7 folks, but it does really have a lot of neat new features for
> exactly these types of scenarios. If one of your PIX firewalls is more
> like a head office (and there's a good chance of that), then you can
> configure Hub and Spoke VPNs in OS 7. That is, there is a single PIX to
> which all the other firewalls establish their IPSec tunnel. Sites can
> then communicate with each other through the hub site. This is
> especially useful because it allows the hub site to control access
> between all the other sites.

I've done it, but not raw on the PIXen themselves; this was a couple
of years back and the technology enhancements discussed above were
just not available.

At the time, I used Cisco's management platform (the one replaced by
CW2K VMS; CSPM I believe) to manage all the PIX configurations just to
deal with the complexities of the full mesh; I actually had considerably
more peers than you're talking about (13 sites fully meshed and a
partial mesh to many others).



> The other benefit of OS 7 is the ability to configure dynamic routing
> on-top of the hub and spoke configuration, enabling you to manage your
> tunnels more efficiently.

Lately I've been more and more fond of doing this type of configuration
on dedicated VPN routers; using platforms such as the new 2801 ISR, or
even an 1801 gives you a cheap solution; using DMVPN and GRE tunnels
lets it look just like a WAN from a routing perspective and I find that
easier to support (YMMV, mind you). And the DMVPN stuff makes setting
up the IPSec environment cleaner and faster...

> Hope this gives you some insight.
>
> Regards,
>
> Jason Ha [CISSP, CCSE, JNCIS-FWV]
> Senior Security Engineer,
> Security Operations Centre
> VeriSign Australia


-- 
Charlie Winckless, CCIE #7331           |           |
Senior Consulting Engineer              |           |
Network Architechs                     |||         |||     
u: http://www.netarch.com            .|||||.     .|||||.
e:   charliew@netarch.com         .:|||||||||:.:|||||||||:.
p:         (505) 256-9047           Cisco Systems Partner           
f:         (505) 256-9091              Gold Certified
PGP ID:        0xC07A7E5C
PGP:     09DE 5C1A 6984 01C4 152F  3ED0 CAED 17A1 C07A 7E5C
-----------------------------------------------------------
               "Serenity through viciousness"
               

Attachment: signature.asc
Description: This is a digitally signed message part
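As an added example (not code from the thread or from either poster), a small Python planner that turns the tunnel arithmetic above into per-firewall peer tables for a full mesh versus a hub-and-spoke layout, and flags the half-configured tunnels (a peer present on one PIX but missing on the other) that make a full mesh painful to maintain. Site names are constructed.

```python
"""Plan IPsec peer tables for a set of PIX firewalls.

Added example; site names below are constructed, not from the thread.
"""
from itertools import combinations


def full_mesh(sites):
    """Every firewall peers with every other: n*(n-1)/2 tunnels."""
    return {frozenset(pair) for pair in combinations(sorted(sites), 2)}


def hub_and_spoke(sites, hub):
    """Only the hub peers with each spoke: n-1 tunnels, and the hub
    sits in the path of all spoke-to-spoke traffic, so it can enforce
    access policy between sites."""
    if hub not in sites:
        raise ValueError(f"hub {hub!r} is not one of the sites")
    return {frozenset((hub, spoke)) for spoke in sites if spoke != hub}


def peers_per_firewall(tunnels):
    """Remote peers each firewall must carry in its crypto config."""
    table = {}
    for tunnel in tunnels:
        a, b = sorted(tunnel)
        table.setdefault(a, set()).add(b)
        table.setdefault(b, set()).add(a)
    return table


def mismatched_tunnels(configured):
    """Given {firewall: set(of peers)} as actually configured, return
    one-sided entries: a peer listed on one end but not on the other.
    These silently dead tunnels are the usual full-mesh maintenance slip."""
    bad = set()
    for fw, peers in configured.items():
        for peer in peers:
            if fw not in configured.get(peer, set()):
                bad.add((fw, peer))
    return bad


if __name__ == "__main__":
    sites = ["HQ", "Syd", "Mel", "Bne"]  # constructed site names
    print("full mesh tunnels:", len(full_mesh(sites)))        # 6
    print("hub-and-spoke tunnels:", len(hub_and_spoke(sites, "HQ")))  # 3
    planned = peers_per_firewall(full_mesh(sites))
    planned["Mel"].discard("Bne")  # simulate a forgotten peer on Mel
    print("one-sided:", mismatched_tunnels(planned))  # {('Bne', 'Mel')}
```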
