U turn of IPSEC traffic on PIX 6.3

Oct 16th, 2007

Hi all experts,

I'm using PIX 6.3(5).

Is it possible to route IPsec traffic coming in through one tunnel, decrypt it, encrypt it again and send it back out through a new VPN tunnel?

Basically a U-turn of IPsec traffic: outside interface -> decrypt -> encrypt again -> new tunnel.

All of this is happening on the outside interface.

I can achieve this on PIX 7.2 but it isn't happening on 6.3... 6.3 doesn't have the same-security feature for intra-interface traffic. Wouldn't it be allowed for IPsec traffic?

Jon Marshall Wed, 10/17/2007 - 03:06


Unfortunately, no, you can't do this, for the very reason you state, i.e. you cannot send traffic straight back out the interface it came in on with v6.3, but you can with v7.x.

That is why, if you wanted a hub-and-spoke design where the spokes communicated with each other via the hub prior to v7.x of PIX/ASA, you needed to use a router, which does not have the same limitation as PIX v6.x.

The only way to achieve this is by configuring multiple outside interfaces, either by using separate physical ports or an 802.1Q VLAN-tagged outside port. You then have static routes pointed out one outside interface for the static VPN tunnel and you terminate that tunnel on that interface. The other outside interface is used for the other tunnel(s), dynamic or static.

Email me if you'd like a config example.
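The two-outside-interface workaround from the answer above, written out in PIX 6.3 syntax as an added example. This is not Jon Marshall's configuration (which he offers by e-mail) and is not taken from the original thread; all interface names, addresses, ACL and map names and the pre-shared key are assumed placeholders. The point it demonstrates is that the spoke-to-spoke path enters on one outside interface and is routed out the other, so no packet ever has to leave the interface it arrived on, which is the thing PIX 6.3 refuses to do.

```cisco
! Added example: PIX 6.3 hub with two outside interfaces so spoke traffic
! can be decrypted on one and re-encrypted on the other.
! Assumed topology (placeholder addresses, not from the thread):
!   inside    10.1.1.0/24     hub LAN
!   outside   203.0.113.2/24  dynamic spokes terminate here (spoke1 LAN 10.3.0.0/24)
!   outside2  198.51.100.2/24 802.1Q VLAN 10 on the same port; static spoke2 terminates here
!   spoke2    peer 192.0.2.10, LAN 10.2.0.0/24

! One physical port plus an 802.1Q logical interface on it gives the second outside.
interface ethernet0 auto
interface ethernet0 vlan10 logical
interface ethernet1 auto
nameif ethernet0 outside security0
nameif vlan10 outside2 security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address outside2 198.51.100.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Routing is what makes the U-turn legal on 6.3: spoke2's peer address and
! LAN are reached via outside2, everything else via outside. Traffic decrypted
! on outside therefore leaves on outside2 and vice versa, never back out the
! interface it arrived on.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 192.0.2.10 255.255.255.255 198.51.100.1 1
route outside2 10.2.0.0 255.255.255.0 198.51.100.1 1

! Exempt tunnelled traffic from NAT.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL for the static tunnel to spoke2. It must list spoke1's LAN as a
! source too, or spoke1 -> spoke2 traffic is not encrypted after the U-turn.
! (Each spoke's own crypto ACL must likewise include the other spoke's LAN.)
access-list spoke2 permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list spoke2 permit ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac

! Static map for spoke2, bound to outside2 only (a PIX crypto map binds to one interface).
crypto map static-map 10 ipsec-isakmp
crypto map static-map 10 match address spoke2
crypto map static-map 10 set peer 192.0.2.10
crypto map static-map 10 set transform-set strong
crypto map static-map interface outside2

! Dynamic map for the remaining spokes, bound to outside only.
crypto dynamic-map dyn 10 set transform-set strong
crypto map dyn-map 65535 ipsec-isakmp dynamic dyn
crypto map dyn-map interface outside

isakmp enable outside
isakmp enable outside2
isakmp key PLACEHOLDER-PSK-SPOKE2 address 192.0.2.10 netmask 255.255.255.255
! Wildcard key only because dynamic spokes have unknown addresses; a shared
! wildcard PSK is weak, certificate authentication is the stronger choice.
isakmp key PLACEHOLDER-PSK-DYNAMIC address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the interface ACLs.
sysopt connection permit-ipsec

! For contrast, on PIX/ASA 7.x the whole workaround collapses to one line,
! because hairpinning on a single interface is permitted explicitly:
!   same-security-traffic permit intra-interface
```

Verify the path with `show crypto ipsec sa` after bringing both tunnels up: the spoke2 SA should appear on outside2 and the dynamic spokes' SAs on outside, and the spoke1 -> spoke2 flow should increment the decrypt counter on one interface and the encrypt counter on the other.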

