PIX Case outside inside

Unanswered Question
Nov 2nd, 2007

Hi there, attached is what I want to do.

I want to:

1. Start a VPN site-to-site with the PIX firewall A and the Checkpoint VPN.

2. PC has to connect to PC 3 (via the VPN) and also to PC1 on the LAN ext.

3. For testing I want PC1 and PC3 to be able to ping PC2 and vice versa, PC2 to ping PC3 and PC1.

Can this be established? How can I do this? Can someone point me in the right direction? Thanks

Fernando_Meza Wed, 11/07/2007 - 14:30

Hi .. OK

Let's divide this in two tasks.

1.- Communication between PC1 and PC2

* On the PIX you need a static NAT entry for PC2 as below

static (inside,outside1) PC2-Real-IP-Address PC2-Real-IP-Address netmask

* Allow access from PC1 to PC2

access-list outside1_inside permit icmp host PC1 host PC2-Real-IP-Address

access-group outside1_inside in interface outside1

* If you have an access list applied to the inside interface then you need to add an entry that allows ICMP access from PC2 to PC1, i.e.

access-list inside-out permit icmp host PC2-Real-IP-Address host PC1

access-group inside-out in interface inside

* You might need to add a static route on the firewall for

route outside1

* Make sure any other devices between those segments know how to get to each other

2.- Communication between PC2 and PC3

Can you clarify .. is the VPN between routerA and Checkpoint already UP?

If it is then we would need to have a look at the config of routerA before suggesting next steps to follow.

I hope it helps .. please rate it if it does !!!

greg-bnets Fri, 11/09/2007 - 11:15

Hi Fernando.

I did some homework and resolved the issue. But thanks for the help anyway. I will still rate for you. What I still have is that with the VPN my site can only initiate the tunnel to be up. Lets only if I start pinging the other side, they can ping me back. How can I keep the tunnel up 24/7?


