10-09-2007 08:58 AM - edited 03-03-2019 07:05 PM
I have 2 PIXs (501 and 506) that I am setting up as a test. I want one of the PIXs to handle all of the incoming VPN and the other to be the gateway firewall.
I am having problems when someone connects to the VPN: the connection gets made and they get an IP address. The PIX hosting the VPN allows packets to come through, but they don't know how to go back out through the VPN PIX. I could see the ping trying to get translated to the public IP of the gateway firewall, so I added a route so that packets destined for my VPN local IP pool would be sent to the internal IP that I have the VPN PIX set up on.
I'm missing something. Hopefully I explained enough so someone can tell me what.
Basically: 2 PIXs
pixA = gateway
pixB = VPN server
VPN traffic can come in through pixB but doesn't know to go back out to the VPN IPs through pixB.
Everything works if I set the route on the machine itself.
Thanks,
10-09-2007 10:11 AM
Hi
Could you clarify how you tried to route the packets from pixA back to pixB?
If the packets coming back from inside your network first go to the inside interface of pixA, you cannot then add a route pointing back out of the inside interface of pixA to get to pixB.
If this is how it is set up, this won't work with PIX v6.x. This feature, called hairpinning, was added in PIX v7.x, but unfortunately 501s and 506Es do not run PIX v7.x (you need a PIX 515E at a minimum or an ASA device).
So unless you have a router internally, your solution of adding a route on the machine is the only way to make it work.
HTH
Jon
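The internal-router arrangement Jon describes, written out as an added example; this is not configuration from the original thread or from either poster. All addressing is an assumption chosen for illustration: LAN 192.168.1.0/24, pixA inside 192.168.1.1, pixB inside 192.168.1.2, the router's LAN interface 192.168.1.254 (which the LAN hosts use as their default gateway), and 192.168.100.0/24 as the pool pixB hands to VPN clients. The interface name is likewise assumed.

```cisco
! Added example, not from the original thread. Assumed addressing:
!   LAN              192.168.1.0/24
!   pixA inside      192.168.1.1    (gateway firewall, Internet default route)
!   pixB inside      192.168.1.2    (VPN PIX)
!   router LAN port  192.168.1.254  (default gateway for the LAN hosts)
!   VPN client pool  192.168.100.0/24 (assigned to remote users by pixB)
!
! Internal router (Cisco IOS). Hosts send everything here, and the router,
! not pixA, decides whether a packet belongs to a VPN client.
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 no shutdown
!
! Replies for VPN clients go to pixB's inside interface instead of following
! the default route into pixA (where PIX 6.x would have to hairpin them).
ip route 192.168.100.0 255.255.255.0 192.168.1.2
!
! All other traffic still leaves through the gateway firewall.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

To check it, confirm with `show ip route` that the 192.168.100.0/24 static appears with next hop 192.168.1.2, then traceroute from a LAN host to a connected VPN client's pool address: the first hop should be the router and the second pixB's inside address. Any host whose default gateway still points straight at pixA's inside address bypasses this and keeps failing, which is why the per-host route the original poster first used also worked. Because the next hop for the pool is on the same subnet the packet arrived from, IOS will send the host an ICMP redirect for 192.168.100.0/24; that is harmless here (it simply installs the same route on the host) and can be suppressed with `no ip redirects` on the interface if unwanted.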
10-09-2007 12:28 PM
Yes, I tried adding a route.
Thank you for your post. That answered my question.
I added the route on a router instead of a PIX and that worked great.