While working on a side project I gleaned some useful information and thought it might come in handy in the future, and maybe for other people, so why not record it here.

A company I am associated with has a Cisco Pix 515 in their main office and actually happens to have a spare 501. So they thought it would be a good idea to have a VPN between their main office and their branch office. Their branch office has a Lucent Pipeline 75 for their 128 Kbps ISDN connection. They offered me a nice payday to get the VPN to work for them, so having quite a few years of Cisco and general network experience I happily accepted. Read on for a technical overview of the problems and solutions I encountered.

The initial network I found in the branch office was quite simple: a static IP address on the Pipeline, which was configured for Port Address Translation (PAT), or in Lucent Pipeline terms, NAT with a single address. This is probably a pretty common configuration for an office like this, and for most any home network using one of those Linksys (now Cisco) devices.

The problems began when I realized the NAT/PAT on the Pipe75 wasn't smart enough to do any sort of workaround translation on IPsec packets. The incompatibility and the workarounds for it are generally well known. Googling for the various combinations of vpn, ipsec, nat, masquerading, etc. will give you some nice background material on the problem.

Well, now I ran into the first major roadblock, and that is that Lucent is terrible at providing information and support on the products they assimilated. I don't have a support contract with Lucent and neither does this company; they were just given the hardware when they signed up for ISDN service many years ago. In order to get access to Lucent's knowledge base and forums you apparently need to pay them for support. Obviously this kills off any secondary free support structure that could arise in their forums before it can even begin. Still, I was able to locate some useful documents: the Pipeline 75 User's Guide and the Pipeline 75 Reference Guide. I was also able to get a support account that had minimal access to some whitepapers that Ascend published for customers years ago, but none of them dealt with this situation, only with trying to get the VPN implementation on the Pipe75 itself to work.

I was able to get the ISP to issue an additional static address, so now I have two /32's to work with: one for the Pipe75 and one for the Pix. What I am going to do is leave the original static address on the external interface of the Pipe75, and have the ISP statically route the other /32 to the first one (the external Pipe75 interface).

And here is where I got a little ghetto, or clever, depending on how you look at it. Say the addresses I have are 172.16.1.105/32 and 172.16.1.180/32. 172.16.1.105 is the outside interface of the Pipe75, and somewhere the ISP should have an entry like: ip route 172.16.1.180 255.255.255.255 172.16.1.105. Now the internal interface of the Pipe75 is set to 172.16.1.177/29, I set the external interface of the Pix to 172.16.1.180/29, and I set the default gateway on the Pix to 172.16.1.177. Yes, I am masking out a few real addresses (the rest of that /29). But it won't affect the ISP, and I severely doubt that the users at the branch office have any reason to go to those real IP addresses I am masking out. Anyway, it is a risk I am willing to take. So at this point all I need to do is turn off NAT on the Pipe75 and I am good to go.

The status at this point is that I am waiting on someone at the ISP to enter the route for me. Then I can get into the Pipe75 and turn off NAT. The Pix and everything else are already in place as they should be; I just need that route so I can stop doing unnecessary translations which are breaking my IPsec, and all other non-IPsec traffic will simply be PAT'd by the Pix to 172.16.1.180.
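Before asking the ISP for the route, it is worth checking the address plan on paper, since the trick above only works if the four addresses line up exactly and the "masked out" addresses are the ones you expect. The script below is an added example, not part of the original post; it uses only Python's standard `ipaddress` module and the post's own illustrative 172.16.1.x addresses. The function names (`check_plan`, `isp_route`) are my own.

```python
"""Sanity-check the Pipe75 / Pix address plan from the post (added example).

The plan: the ISP statically routes a second /32 to the Pipeline's outside
address; the Pipeline's inside interface and the Pix outside interface share
a /29 carved out of public space; the Pix's default gateway is the Pipeline's
inside address. Every other address in that /29 is a real address the branch
office can no longer reach, which the post accepts as a known risk.
"""
import ipaddress


def isp_route(routed_host, next_hop):
    """The static route the ISP needs, in the same form the post quotes it."""
    host = ipaddress.ip_address(routed_host)
    return f"ip route {host} 255.255.255.255 {ipaddress.ip_address(next_hop)}"


def check_plan(pipe_outside, routed_host, pipe_inside, pix_outside, pix_gateway):
    """Validate the plan.

    Returns (ok, problems, shadowed): ok is True when no problem was found,
    problems is a list of human-readable findings, and shadowed lists every
    address of the inner /29 that is not one of the two addresses in use.
    """
    problems = []
    pipe_out = ipaddress.ip_address(pipe_outside)     # Pipe75 WAN, 172.16.1.105
    routed = ipaddress.ip_address(routed_host)        # the /32 the ISP routes
    pipe_in = ipaddress.ip_interface(pipe_inside)     # Pipe75 LAN, .177/29
    pix_out = ipaddress.ip_interface(pix_outside)     # Pix outside, .180/29
    gw = ipaddress.ip_address(pix_gateway)            # Pix default gateway

    # The ISP's /32 route has to deliver exactly the address the Pix uses;
    # otherwise traffic for the Pix is dropped at the Pipeline.
    if routed != pix_out.ip:
        problems.append(f"ISP routes {routed} but Pix outside is {pix_out.ip}")

    # Both ends of the inner link must agree on the subnet, or the Pix will
    # not treat its gateway as on-link.
    if pipe_in.network != pix_out.network:
        problems.append(
            f"Pipe75 inside {pipe_in.network} and Pix outside "
            f"{pix_out.network} are different subnets")

    # The Pix default gateway must be the Pipeline's inside address.
    if gw != pipe_in.ip:
        problems.append(f"Pix gateway {gw} is not the Pipe75 inside {pipe_in.ip}")

    # The Pipeline's own WAN address must not fall inside the inner /29, or
    # the Pipeline would consider its upstream next hop to be on the LAN side.
    if pipe_out in pipe_in.network:
        problems.append(f"Pipe75 outside {pipe_out} lies inside {pipe_in.network}")

    # Every other address in the /29 (network and broadcast included) is a
    # real public address the branch office can no longer reach.
    in_use = (pipe_in.ip, pix_out.ip)
    shadowed = [str(a) for a in pipe_in.network if a not in in_use]

    return (not problems, problems, shadowed)


if __name__ == "__main__":
    ok, problems, shadowed = check_plan(
        "172.16.1.105", "172.16.1.180", "172.16.1.177/29",
        "172.16.1.180/29", "172.16.1.177")
    print("route for the ISP:", isp_route("172.16.1.180", "172.16.1.105"))
    print("plan ok:", ok)
    for p in problems:
        print("  problem:", p)
    print("addresses masked out for the branch office:", ", ".join(shadowed))
```

With the post's values the plan checks out, and the script lists the six addresses in 172.16.1.176/29 (other than .177 and .180) that the branch office will no longer be able to reach. Changing the Pix mask to /30, or moving the Pipe75's WAN address into the /29, is reported as a problem rather than discovered after the ISP has entered the route.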

If nothing else, I have some nice notes here, if I ever need to revisit this configuration.

Posted by Kevin McAllister
Categories: Hacker