routing traffic across pix to pix vpn

Mar 14th, 2007

I have two PIXes configured and can pass traffic back and forth. However, I am having trouble figuring out how to route all public traffic from site 2 across the VPN and out site 1's gateway. Any advice?


acomiskey Wed, 03/14/2007 - 05:58

So, at site 2 you want to force all traffic over the vpn to site 1. You then want to bounce off site 1 to go to the internet? Is this correct or did I misunderstand?

This is possible. At site 2, define your vpn interesting traffic and nat exemption as "to any", this will force all traffic over the tunnel. Then, as long as you are running pix code 7.x, you can use public internet on a stick for site 2 internet access.

tjsgrp001 Wed, 03/14/2007 - 06:06

Yep, that's what I am trying to do. I'll take a look at the link you sent. Thanks!!

acomiskey Wed, 03/14/2007 - 06:08

Are you running PIX 7.x?

Please rate if it helped.

tjsgrp001 Wed, 03/14/2007 - 06:19

Just, is there another way, or should I upgrade?

Also, to force the traffic on site 2, is that done by creating an ACL such as

access-list NoNAT permit ip xxx


nat (inside) 0 access-list NoNAT

(Just grabbed those off a Cisco config example.)

acomiskey Wed, 03/14/2007 - 06:28

You cannot do version 7.x on PIX 501, 506, 520.

Is there an existing VPN tunnel between the two PIXes?

Yes, that is the NAT exemption part; there would also be interesting traffic, something like

access-list 100 permit ip any

crypto map newmap 10 match address 100

tjsgrp001 Wed, 03/14/2007 - 06:36

Site 1 is a 515E.

Site 2 is a 501.

There is an existing site-to-site VPN via those two PIXes.

acomiskey Wed, 03/14/2007 - 06:45

Your 515E would probably require a memory upgrade to support 7.x. Needs at least 64M I believe. But, if you wanted to go this route, it would work. Only site 1 would require 7.x for public internet on a stick.

The reason I asked if you already had a tunnel is that you must already have your nat (inside) 0 statements etc.

What is the reason for needing site 2 internet to go out site 1?
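A worked pair of configurations for the design described in this thread (site 2 sends everything into the tunnel; only site 1, on 7.x, hairpins it back out to the internet), added here as an example and not taken from the original posts or from any Cisco document. The LANs 10.2.0.0/16 (site 2) and 10.1.0.0/16 (site 1), the peer addresses, the transform set and all ACL/crypto map names are assumed placeholders, and the existing ISAKMP policy and pre-shared keys are left out.

```cisco
! ===== Site 2 (PIX 501, 6.x code) =====
! Interesting traffic and NAT exemption both say "to any", so every
! packet from the site 2 LAN is exempted from NAT and enters the tunnel.
! 10.2.0.0/16, the peer 198.51.100.1 and the names are assumed.
access-list VPN_TO_SITE1 permit ip 10.2.0.0 255.255.0.0 any
nat (inside) 0 access-list VPN_TO_SITE1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITE1MAP 10 ipsec-isakmp
crypto map SITE1MAP 10 match address VPN_TO_SITE1
crypto map SITE1MAP 10 set peer 198.51.100.1
crypto map SITE1MAP 10 set transform-set ESP-3DES-SHA
crypto map SITE1MAP interface outside

! ===== Site 1 (PIX 515E, 7.x code) =====
! "Public internet on a stick": a packet that arrived on the outside
! interface (decrypted from the tunnel) may leave via outside again.
same-security-traffic permit intra-interface
! Mirror image of site 2's crypto ACL.
access-list VPN_TO_SITE2 extended permit ip any 10.2.0.0 255.255.0.0
! Keep LAN-to-LAN traffic between the two sites out of NAT.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
! PAT the local LAN as usual, and also PAT the site 2 hosts that arrive
! through the tunnel so their internet traffic leaves with site 1's
! public address. Some 7.x releases expect a trailing "outside" keyword
! on the nat (outside) line; check with "show running-config nat".
global (outside) 1 interface
nat (inside) 1 10.1.0.0 255.255.0.0
nat (outside) 1 10.2.0.0 255.255.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SITE2MAP 10 match address VPN_TO_SITE2
crypto map SITE2MAP 10 set peer 203.0.113.1
crypto map SITE2MAP 10 set transform-set ESP-3DES-SHA
crypto map SITE2MAP interface outside
```

Site 1 then sees the internet traffic of both LANs, so its outbound access lists and logging apply to site 2's users as well.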
