routing traffic across pix to pix vpn

tjsgrp001
Level 1

hi,

I have two PIXes configured and can pass traffic back and forth... However, I am having trouble figuring out how to route all public traffic from site 2 across the VPN and out site 1's gateway. Any advice?

Thanks

7 Replies

acomiskey
Level 10

So, at site 2 you want to force all traffic over the vpn to site 1. You then want to bounce off site 1 to go to the internet? Is this correct or did I misunderstand?

This is possible. At site 2, define your VPN interesting traffic and NAT exemption as "to any"; this will force all traffic over the tunnel. Then, as long as you are running PIX code 7.x, you can use public internet on a stick for site 2 internet access.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

Yep, that's what I am trying to do. I'll take a look at the link you sent. Thanks!!

Are you running pix 7.x?

please rate if it helped.

Just checked... no, we aren't. Is there another way, or should I upgrade?

Also, to force the traffic on the site 2 PIX, is that done by creating an ACL such as

access-list NoNAT permit ip xxx

then

nat (inside) 0 access-list NoNAT

(just grabbed those off a Cisco config example)

You cannot do version 7.x on PIX 501, 506, or 520.

Is there an existing VPN tunnel between the two PIXes?

Yes, that is the NAT exemption part; there would also be interesting traffic, something like

access-list 100 permit ip any

crypto map newmap 10 match address 100
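Pulling the two answers above (the nat 0 exemption "to any" and the matching interesting-traffic ACL for the crypto map) together into one configuration, as an added example that is not from this thread and not from Cisco's documentation: the site 2 side is PIX 6.x syntax, and the site 1 side shows the 7.x pieces the earlier reply calls "public internet on a stick". The addresses (192.168.2.0/24 for site 2's inside network, 203.0.113.1 and 198.51.100.1 for the two outside interfaces) and the names NoNAT, newmap and myset are assumptions chosen for illustration; the existing ISAKMP policy, pre-shared key and transform set are assumed to be already in place from the current tunnel.

```cisco
! ===== Site 2 (PIX 501, 6.x) =====
! Assumed values: inside network 192.168.2.0/24, site 1 outside address 203.0.113.1
!
! NAT exemption: nothing from the inside network is translated on the way
! out, so packets to ANY destination (public Internet included) keep their
! private source address and can be matched by the crypto map.
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NoNAT
!
! Interesting traffic: inside network to anywhere. This is what sends all
! traffic, not only site-1-bound traffic, into the tunnel.
access-list 100 permit ip 192.168.2.0 255.255.255.0 any
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 203.0.113.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside

! ===== Site 1 (PIX 515E, needs 7.x) =====
! Assumed values: outside interface 203.0.113.1, site 2 outside address 198.51.100.1
!
! Mirror image of site 2's interesting traffic: anywhere to site 2's network.
access-list 100 permit ip any 192.168.2.0 255.255.255.0
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 198.51.100.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
!
! Hairpinning: site 2's Internet traffic arrives on outside (decrypted) and
! has to leave on outside again. 7.x only permits that with this command.
same-security-traffic permit intra-interface
!
! PAT the remote private network to site 1's outside address as it leaves,
! so replies return to site 1, are un-translated, match access-list 100 and
! go back down the tunnel.
global (outside) 1 interface
nat (outside) 1 192.168.2.0 255.255.255.0
```

Two things to check once this is in place: on site 2, show crypto ipsec sa should list a security association for 192.168.2.0/24 to 0.0.0.0/0 whose encaps counters climb when a host browses the web, and on site 1 the outside interface's access-list and syslog now cover site 2's Internet traffic as well, with every site 2 host appearing behind 203.0.113.1.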

Site 1 is a 515E.

Site 2 is a 501.

There is an existing site-to-site VPN via those two PIXes.

Your 515e would probably require a memory upgrade to support 7.x. Needs at least 64M I believe. But, if you wanted to go this route, it would work. Only site 1 would require 7.x for public internet on a stick.

The reason I asked if you already had a tunnel is that you must already have your nat (inside) 0 statements etc.

What is the reason for needing site 2 internet to go out site 1?
