[fw-wiz] IP migration on "hub" VPN terminus [long]

From: Robert L. Wanamaker (bobw_at_avantsystems.com)
Date: 03/23/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 23 Mar 2004 10:16:30 -0500
    
    

    Greetings.

    The challenge. 30 remote sites spread far apart enough geographically that
    site visits are not practical. The remote sites run PIX 506s, typically
    with version 5.x of the PIX OS and no 3-DES activation. The hub is a pair
    of 515-URs, in failover mode. Customer is switching ISPs at the hub, and
    must switch IP addresses. Hence, the challenge: how to effectively cut over
    remote sites to the new VPN peer?

    The plan. A central admin console is capable of reaching each 506 in the
    field via tunnels. Use this capability to do the following on each remote
    PIX:

    (1) upgrade to 6.3.x of the PIX OS
    (2) use the activation key feature in the new OS to get 3-DES capability in
    place
    (3) add necessary statements for Cisco Secure VPN client to connect from any
    location, and telnet into the remote PIX.
    (4) use the VPN client to directly connect to each PIX, and create a
    separate crypto map entry pointing to the new VPN peer
    (5) split apart the 515s at the hub; run each in standalone mode, one
    connected to the old ISP network, and one connected to the new ISP network.
    (6) cut the tie to the old ISP. Watch all the tunnels get gracefully
    rebuilt on the second 515 with little or no impact to users.
    (7) restore failover of the 515s.

    Testing results. I've tested 1, 3, 4 with good results. My only weird
    results are that Cisco's site has numerous examples of the VPN client
    connecting with DES encryption; however, I can only make it work with 3-DES.
    This is certainly a good excuse for getting the client up to current rev,
    but am I missing something?

    Questions. Does this sound feasible? Is there a better way to accomplish
    this cutover?

    Thanks, and regards,

    Bob

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
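A PIX 6.3-style configuration fragment for step 4 of the plan above, added here as an illustration and not taken from the original post or from Cisco documentation. OLD_HUB_IP, NEW_HUB_IP, the access-list and transform-set names, the subnets and the pre-shared key are placeholders; check the exact syntax against the 6.3 command reference on the box before pushing it to a remote site.

```cisco
! Added illustration (not from the original post). Remote-site PIX running
! 6.3.x with the 3-DES activation key already applied (steps 1 and 2).
! OLD_HUB_IP, NEW_HUB_IP, PLACEHOLDER_KEY and the subnets are placeholders.

! Traffic that belongs in the tunnel: remote LAN to hub networks
access-list hub_traffic permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list hub_traffic
sysopt connection permit-ipsec

! 3-DES transform set and ISAKMP policy, now that the key is in place
crypto ipsec transform-set hub3des esp-3des esp-sha-hmac
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Pre-shared key for both hub addresses during the overlap window
isakmp key PLACEHOLDER_KEY address OLD_HUB_IP netmask 255.255.255.255
isakmp key PLACEHOLDER_KEY address NEW_HUB_IP netmask 255.255.255.255

! Existing entry toward the old hub address
crypto map tohub 10 ipsec-isakmp
crypto map tohub 10 match address hub_traffic
crypto map tohub 10 set peer OLD_HUB_IP
crypto map tohub 10 set transform-set hub3des

! Separate entry toward the new hub address (the post's step 4)
crypto map tohub 20 ipsec-isakmp
crypto map tohub 20 match address hub_traffic
crypto map tohub 20 set peer NEW_HUB_IP
crypto map tohub 20 set transform-set hub3des
crypto map tohub interface outside

! After the cut (step 6), retire the old entry and its key so that the
! lowest-numbered matching entry is the one pointing at the new hub:
! no crypto map tohub 10 ipsec-isakmp
! no isakmp key PLACEHOLDER_KEY address OLD_HUB_IP netmask 255.255.255.255
```

Both entries match the same traffic, and the PIX uses the lowest sequence number whose access-list matches, so entry 20 does not carry traffic until entry 10 is removed; that behaviour is worth confirming on one site before the cutover, since it decides whether the tunnels rebuild on their own or need the old entry pulled first.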

