
VPN on PIX

ray_stone
Level 1

Hi, we have configured a PIX firewall at two sites, both connected by a tunnel, and everything is working fine. We have also configured remote VPN on both firewalls, set the DHCP range of the remote VPN to be different from the inside network, and configured exempt traffic between the VPN and the inside network on both firewalls. But now I want the VPN client nodes to access the other firewall's inside network as well. Details are given below:

1) First firewall (India) config:

Inside 192.168.12.0/24

Outside *.*.*.*

VPN DHCP range 192.168.253.0/24

2) Second firewall config:

Inside 192.168.10.0/24

Outside ****

VPN DHCP range 192.168.252.0/24

Now what configuration should I make so that the VPN clients of the first firewall can access the other firewall's network? And is it possible on the PIX 500 series or ASA series? Thanks


17 Replies

ray_stone
Level 1

can anyone reply??

Definitely possible. It's called a hairpin.

You can do it with PIX or ASA in version 7.x or higher.

CCIE Security

Firstly, make sure the tunnel is active between both firewalls and that both firewalls can ping each other's inside interface.

Since your IPsec tunnel already exists between your PIXes, you only need to define the traffic you are interested in on the IPsec tunnel between your PIXes.

For example, to allow the first firewall's VPN clients (192.168.253.0/24) to access firewall 2's inside network (192.168.10.0/24), you will need to define the interesting traffic that is protected by the IPsec tunnel.

On firewall 2:

1. Define the interesting traffic that is protected by the IPsec tunnel (use the ACL currently applied to your IPsec policy in place of 101).

access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

2. Do not perform NAT for traffic to the other PIX firewall.

access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0

3. Tell the PIX not to NAT any traffic deemed interesting for IPsec (the nat 0 statement references the exemption ACL defined in step 2).

nat (inside) 0 access-list inside_nat0_outbound

It might be a good idea to upload your PIX VPN config so I can be more helpful.

Franco.

I suggest you use the PIX PDM to make changes if you are not familiar with the CLI.

Hi, I followed the same example as above but am not able to access firewall 2's inside network when I connect to firewall 1 by remote VPN. Can anyone give me the solution?

Is any access-list or crypto setting required?

The site-to-site tunnel is set with esp-des-md5, but when I connect to the VPN and look at the status, it shows encryption 128-bit AES and authentication HMAC-SHA1. Thanks

Hi, can anyone respond please... I have to resolve this issue on a priority basis. Thanks

Hi Ray,

1) A very important detail: what you want to do is allow traffic that enters the outside interface to exit the same interface. (The VPN client terminates at the outside interface, enters there and exits into the VPN tunnel, which is again bound to the outside interface.) This is called hairpinning or U-turn. The command which enables this is NOT same-security-traffic permit inter-interface. It is intra-interface.

2) The NAT-exempt statement should not be applied to the inside interface. This traffic never enters inside.

India

access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0

same-security-traffic permit intra-interface

clear xlate

Second Firewall

access-list outside_nat0_outbound permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list Interestingtrafficacl permit ip 192.168.252.0 255.255.255.0 192.168.12.0 255.255.255.0

same-security-traffic permit intra-interface

clear xlate

If you post a sanitized config of both sites, I will make on-config corrections.

Regards

I was not able to understand the following command:

same-security-traffic permit intra-interface

Thanks

Hi, both FW configurations are attached. Here I would like to provide VPN access only on the India FW and access the other DMZ and inside networks of the Rwanda FW. Please suggest which commands have to be added and which have to be removed. Thanks.

Please respond asap.

As I explained, it will enable your VPN client, which is terminated at the outside interface of firewall 1, to connect over the tunnel to the remote VPN peer firewall 2, which is also terminated at its outside interface. Simply follow the commands I posted:

India

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_nat0_outbound permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

nat (outside) 0 access-list outside_nat0_outbound outside

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.13.0 255.255.255.0 192.168.51.0 255.255.255.0

clear xlate

Rwanda

access-list outside_cryptomap_1 extended permit ip 192.168.51.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip 192.168.50.0 255.255.255.0 192.168.13.0 255.255.255.0

Do the above in their respective order
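A check for the pieces the two answers above require, added here as an example and not part of any post in this thread: the hairpin post (the intra-interface permit, a NAT exemption hung off the outside interface rather than inside, and a crypto ACL entry for the client pool to the remote inside network) and the accepted solution (the mirrored crypto ACL entry on the peer). It parses short PIX/ASA 7.x style config fragments and reports what is missing. The fragments are constructed from the thread's addresses, not the attached configs; the `crypto map ... match address` lines are assumed standard syntax that the posts themselves do not show, and the ACL names are the ones used in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed fragments (not the thread's attached configs), using the thread's
# addresses: India VPN pool 192.168.253.0/24, Rwanda inside 192.168.10.0/24.
# The "crypto map ... match address" lines are assumed standard PIX 7.x syntax.
INDIA_OK = """
same-security-traffic permit intra-interface
access-list outside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-list outside_cryptomap_2 extended permit ip 192.168.12.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 2 match address outside_cryptomap_2
"""

# Same site with the two mistakes the hairpin post corrects: the exemption is
# hung off the inside interface, and there is no intra-interface permit.
INDIA_BAD = """
access-list inside_nat0_outbound permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_2 extended permit ip 192.168.253.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 2 match address outside_cryptomap_2
"""

# Peer side: traffic to the pool enters on inside, so nat (inside) 0 is right here.
RWANDA = """
access-list inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 192.168.253.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)( outside)?$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
INTRA = "same-security-traffic permit intra-interface"


def parse(text):
    """Extract the four things the hairpin depends on from a config fragment."""
    acls = defaultdict(list)   # ACL name -> [(src network, dst network)]
    nat0 = []                  # [(interface, ACL name, trailing 'outside' keyword present)]
    crypto = set()             # ACL names bound to a crypto map entry
    intra = False
    for raw in text.splitlines():
        line = " ".join(raw.split())   # normalise whitespace
        if not line:
            continue
        if line == INTRA:
            intra = True
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2), m.group(3) is not None))
        elif m := MATCH_RE.match(line):
            crypto.add(m.group(1))
    return {"acls": acls, "nat0": nat0, "crypto": crypto, "intra": intra}


def covers(entries, src, dst):
    """True if some ACL entry permits all of src -> dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_hairpin(local_text, remote_text, pool, remote_inside):
    """List what stops VPN clients in `pool` (terminated on the local outside
    interface) from reaching `remote_inside` over the site-to-site tunnel.
    An empty list means every required piece is present on both boxes."""
    local, remote = parse(local_text), parse(remote_text)
    pool, remote_inside = ipaddress.ip_network(pool), ipaddress.ip_network(remote_inside)
    problems = []

    # 1. Client traffic enters and leaves the same (outside) interface.
    if not local["intra"]:
        problems.append("local: missing 'same-security-traffic permit intra-interface'")

    # 2. The local crypto ACL must select pool -> remote inside.
    if not any(covers(local["acls"][a], pool, remote_inside) for a in local["crypto"]):
        problems.append("local: no crypto map ACL entry for pool -> remote inside")

    # 3. The NAT exemption must hang off outside; the flow never touches inside,
    #    so a nat (inside) 0 entry does nothing for it.
    exempting = {ifc for ifc, acl, _ in local["nat0"] if covers(local["acls"][acl], pool, remote_inside)}
    if "outside" not in exempting:
        if exempting:
            problems.append(f"local: NAT exemption applied to {sorted(exempting)} instead of outside")
        else:
            problems.append("local: no nat (outside) 0 exemption for pool -> remote inside")

    # 4. The peer must mirror both the crypto ACL and the exemption.
    if not any(covers(remote["acls"][a], remote_inside, pool) for a in remote["crypto"]):
        problems.append("remote: crypto ACL does not mirror remote inside -> pool")
    if not any(covers(remote["acls"][acl], remote_inside, pool) for _, acl, _ in remote["nat0"]):
        problems.append("remote: no nat 0 exemption for remote inside -> pool")
    return problems


if __name__ == "__main__":
    for label, cfg in (("India as corrected", INDIA_OK), ("India with inside NAT 0", INDIA_BAD)):
        print(label, check_hairpin(cfg, RWANDA, "192.168.253.0/24", "192.168.10.0/24") or ["OK"])
```

`check_hairpin(INDIA_OK, RWANDA, ...)` returns an empty list; the variant with `nat (inside) 0` and no intra-interface permit returns the two findings the corrected post describes. The check only tests that the entries are present on both sides; it does not verify that the tunnel is up or that the pool is routed, which is why the earlier advice to confirm the site-to-site tunnel first still applies.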

Thanks everyone... The problem has been solved. I appreciate...

You are welcome :)
