Routing traffic across a PIX-to-PIX VPN

Unanswered Question
Mar 14th, 2007

hi,

I have two PIXes configured and can pass traffic back and forth... however, I am having trouble figuring out how to route all public traffic from site 2 across the VPN and out site 1's gateway... any advice?

Thanks

acomiskey Wed, 03/14/2007 - 05:58

So, at site 2 you want to force all traffic over the vpn to site 1. You then want to bounce off site 1 to go to the internet? Is this correct or did I misunderstand?

This is possible. At site 2, define your VPN interesting traffic and NAT exemption as "to any"; this will force all traffic over the tunnel. Then, as long as you are running PIX code 7.x, you can use public internet on a stick for site 2 internet access.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

tjsgrp001 Wed, 03/14/2007 - 06:06

Yep, that's what I am trying to do. I'll take a look at the link you sent. Thanks!!

tjsgrp001 Wed, 03/14/2007 - 06:19

Just checked... no, we aren't. Is there another way, or should I upgrade?

Also, to force the traffic on the site 2 PIX, is that done by creating an ACL such as

access-list NoNAT permit ip xxx

then

nat (inside) 0 access-list NoNAT

(just grabbed those off a cisco config example)

acomiskey Wed, 03/14/2007 - 06:28

You cannot run version 7.x on the PIX 501, 506, or 520.

Is there an existing VPN tunnel between the two PIXes?

Yes, that is the NAT exemption part; there would also be interesting traffic, something like

access-list 100 permit ip any

crypto map newmap 10 match address 100

tjsgrp001 Wed, 03/14/2007 - 06:36

Site 1 is a 515E.

Site 2 is a 501.

There is an existing site-to-site VPN between those two PIXes.

acomiskey Wed, 03/14/2007 - 06:45

Your 515E would probably require a memory upgrade to support 7.x. It needs at least 64 MB, I believe. But if you wanted to go this route, it would work. Only site 1 would require 7.x for public internet on a stick.

The reason I asked if you already had a tunnel is that you must already have your nat (inside) 0 statements, etc.

What is the reason for needing site 2's internet traffic to go out site 1?
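As an added example that is not part of the thread (and not copied from the Cisco document linked above), here is what the two halves described by acomiskey look like when put together: the "to any" NAT exemption and crypto ACL on the site 2 PIX, and the intra-interface permit plus outside NAT that 7.x needs on the site 1 PIX to hairpin that traffic back out to the internet. The addressing is hypothetical (site 2 LAN 192.168.2.0/24, site 1 LAN 192.168.1.0/24, site 1 outside address 203.0.113.1, site 2 outside address 198.51.100.2), the crypto map name outside_map and ACL names are assumed, and the ISAKMP policy, transform set, pre-shared key and sysopt connection permit-ipsec of the already-working tunnel are assumed to be in place. Only the lines that change are shown; the site 1 lines use the 7.0 command syntax.

```cisco
! ---- Site 2: PIX 501 running 6.3 (cannot run 7.x) ------------------------
! Hypothetical addressing, see the note above. The tunnel already works, so
! only the ACLs and the crypto map's match address change.

! Both ACLs end in "any": every packet sourced from the site 2 LAN is left
! untranslated (nat 0) AND counted as interesting traffic, so nothing from
! the LAN ever leaves site 2's outside interface in the clear.
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 any
access-list VPN permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NoNAT
crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 203.0.113.1

! The PIX still needs a default route to reach the peer for IKE/ESP; the
! PIX's own traffic is not sourced from 192.168.2.0/24, so it is not
! matched by the crypto ACL.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! ---- Site 1: PIX 515E running 7.x ("public internet on a stick") --------
! Decrypted traffic from site 2 arrives on the outside interface and has to
! leave through that same interface. PIX 7.x drops that by default.
same-security-traffic permit intra-interface

! Crypto ACL is the exact mirror of site 2's: "any" to the site 2 LAN.
! An asymmetric ACL here (e.g. only 192.168.1.0/24 to 192.168.2.0/24)
! would leave the internet-bound half of the traffic with no SA to use.
access-list VPN extended permit ip any 192.168.2.0 255.255.255.0
crypto map outside_map 10 match address VPN
crypto map outside_map 10 set peer 198.51.100.2

! Site 1 LAN to site 2 LAN stays untranslated, as for any ordinary tunnel.
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNAT

! Outside NAT: site 2 addresses entering on "outside" are PATed to site 1's
! outside interface address as they go back out to the internet. Replies
! are untranslated to 192.168.2.x, match ACL VPN and are re-encrypted.
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
! Ordinary PAT for site 1's own LAN, sharing the same global pool.
nat (inside) 1 192.168.1.0 255.255.255.0
```

Two things worth checking once this is in place. First, `show crypto ipsec sa` on either box should list a single SA pair for 192.168.2.0/24 to 0.0.0.0/0, and a web request from a site 2 host should increment site 2's encaps counter and site 1's decaps counter; if site 1's decaps climb but its encaps stay flat, the traffic is being decrypted and then dropped, which is the symptom of a missing same-security-traffic permit intra-interface or of the outside NAT not matching. Second, note the policy consequence: with the "to any" exemption, site 2 hosts have no path to the internet except through site 1, so site 1's outbound ACLs, PAT limits and logging now apply to site 2 as well, and a site 1 outage or tunnel failure takes site 2 off the internet entirely.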
