PIX - VPN routing

I've a couple of questions relating to the functionality of VPNs configured on a PIX.

I've a PIX 515E, configured with multiple remote VPNs. All are working fine.

My questions relate to the following.

Can I or should I be able to route between these VPNs via the PIX? Currently any site connected via VPN (or client sessions, for that matter) is unable to connect to the other VPN subnets. Not such an issue, but nice to do.

I get the following log message:

110001: No route to 192.168.aa.ab from 192.168.bb.ab

Secondly, my VPNs terminate on the outside interface.

I've the following configured.

static (inside,outside) udp interface 9996 192.168.aa.ab 9996 netmask 255.255.255.255 0 0

Sites connected via VPN are required to export Netflow traffic to the outside interface address sourced from the sites external IP.

I cannot get this working using the source interface of the internal VPN subnet, exporting to the inside address.

Can this be explained? Not such an issue but I'm curious as to why it won't work.

Many thanks

acomiskey Tue, 05/22/2007 - 17:09

Ok, so as far as your first question goes, it depends on what version you are running. With version 7 you can have traffic routed between your VPNs. First you have to enable same-security-traffic permit intra-interface, which will allow the traffic in and out of the same interface, the outside interface in this case. Next you will have to define your interesting traffic ACLs to include the new networks. For example, if you have 3 sites A, B and C and your existing crypto ACLs permit traffic between A-B and A-C, you will have to add entries for traffic between B-C if you want the remote sites to communicate.

As far as the second question goes, since the traffic is sourced from the external IP, this address must be defined as interesting traffic as well to be able to cross the tunnel. If you do not do this you are attempting to export to a private address (non-routable), which obviously won't work. Here is a link to an example of syslog and SNMP via the outside interface of a PIX over a VPN tunnel. Though your remote VPN endpoints may not be PIXes, it does explain the concept of it needing to be interesting traffic.
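To make the three-site case in the reply above concrete, here is an added configuration example. It is not from the original thread or from Cisco documentation; the hostnames, peer addresses, subnets, ACL names, crypto map name and transform-set name are all assumptions, and the ISAKMP policy, pre-shared keys and transform set are assumed to exist already (the poster's tunnels are working). Site A is the hub (the 515E on 7.x), B and C are spokes; the spoke side is written in 6.3 syntax (no "extended" keyword) since that is what older spokes such as a 506 run.

```text
! Added example, not from the original post. Assumed addressing:
!   hub A   (PIX 515E, 7.x)  outside 203.0.113.1   inside 10.1.0.0/16
!   spoke B (PIX 6.3)        outside 203.0.113.2   inside 10.2.1.0/24
!   spoke C (PIX 6.3)        outside 203.0.113.3   inside 10.3.1.0/24
!
! ---- Hub A, PIX 7.x ----
! Without this, traffic decrypted on outside cannot be sent back out of
! outside, and spoke-to-spoke packets are dropped with 110001 "No route".
same-security-traffic permit intra-interface
!
! Crypto ACL for peer B: the existing A-B entry plus C-B, so the hub
! re-encrypts hairpinned traffic from C towards B.
access-list HUB-TO-B extended permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list HUB-TO-B extended permit ip 10.3.1.0 255.255.255.0 10.2.1.0 255.255.255.0
! Crypto ACL for peer C: the existing A-C entry plus B-C.
access-list HUB-TO-C extended permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
access-list HUB-TO-C extended permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
!
! NAT exemption for inside-to-spoke traffic, as before.
access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 10.2.1.0 255.255.255.0
access-list NONAT-INSIDE extended permit ip 10.1.0.0 255.255.0.0 10.3.1.0 255.255.255.0
nat (inside) 0 access-list NONAT-INSIDE
! Hairpinned spoke-to-spoke traffic enters and leaves on outside, so if
! nat-control is enabled it needs its own exemption on that interface.
access-list NONAT-OUTSIDE extended permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.3.1.0 255.255.255.0 10.2.1.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE
!
crypto map VPNMAP 10 match address HUB-TO-B
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 20 match address HUB-TO-C
crypto map VPNMAP 20 set peer 203.0.113.3
crypto map VPNMAP 20 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
!
! ---- Spoke B, PIX 6.3 ----
! The spoke sends both hub-bound and C-bound traffic to the hub peer; the
! second line is the mirror image of the C-B entry in HUB-TO-B above.
access-list B-TO-HUB permit ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list B-TO-HUB permit ip 10.2.1.0 255.255.255.0 10.3.1.0 255.255.255.0
nat (inside) 0 access-list B-TO-HUB
crypto map VPNMAP 10 match address B-TO-HUB
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside
!
! Spoke C mirrors spoke B with 10.3.1.0/24 as its local network and
! 10.2.1.0/24 as the far spoke.
```

The check to run on the hub after this is "show crypto ipsec sa": a B-to-C ping should build a second SA pair on each spoke tunnel whose local/remote proxy identities are the spoke subnets rather than the hub /16. Each crypto ACL line must have an exact mirror on the other end of that tunnel, otherwise phase 2 fails for that traffic while the original hub-to-spoke SA keeps working, which is easy to misread as a routing problem.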


Hey, thanks for the speedy reply.

I'm running version 6.3. I do have plans to upgrade to 7.

Generally my interesting traffic is sites /24 to main site /16.

With regards to the second question, I've no issue with netflow being sourced from an external IP exporting to the outside address in the static statement.

It is, however, an issue if I wish to have the source and export destination addresses as the internal addresses (which are defined in the match ACLs for the VPN).


acomiskey Tue, 05/22/2007 - 17:39

Well, version 7 will solve your first issue for sure. I misunderstood your second one, not sure how to help you there. So you basically want the netflow traffic to travel over the tunnel or is there a specific requirement to use inside addresses?

Appears VPNs become a lot more functional with 7.

No worries with the second one. Basically, my Netflow data was not working for any VPN-connected site. My workaround was to use the static statement I had in place, as I was exporting Netflow data from my internet routers. The static statement using the interface address saved me wasting an address simply for Netflow data. I do use the interface for a number of other services.

I guess from a security view point, netflow traversing the web is not overly ideal :)

Looks like I've to test upgrading my PIX :)

durale1789 Thu, 05/24/2007 - 05:01

I want to do exactly the same thing, but my problem is that I'm establishing the VPN between a 515E and a 506. The 515E has been upgraded to version 7, but I can't upgrade the 506 to version 7; it must use 6.3 anyway.
