VPN site to site (2 pix) and firewall behind one pix

Mar 19th, 2008

We're making this configuration:

Internal network 1 -- PIX 1 -- Internet -- PIX 2 -- Firewall -- Internal Network 2

We don't have problems configuring the VPN site to site, but the problem now is that we have to pass through the firewall in front of internal network 2.

What type of configuration could be used in that firewall? Maybe to No-NAT packets from the internal network? Or change some configuration in the PIX device?

In a simple topology without firewall, we're using the "Simple PIX-to-PIX VPN tunnel configuration Example" from this article:


The idea is to use the same configuration, but adding a firewall in one of the networks.

Can you give me some advice to make this configuration?

Thanks in advance.

Diego Saez

wasiimcisco Wed, 03/19/2008 - 07:52

You have to configure the static and the access-list on the firewall that is located on internal network 2. The static will be for the interesting traffic of internal network 2, and the access-list allows the interesting traffic of internal network 1. You may also have to enable NAT-T on internal network firewall 2 to pass the VPN traffic.

Use ASDM on the firewall located on internal network 2 and set the source of the interesting traffic as coming from internal network 1 and the destination as internal network 2. You will get to know where your packet is actually dropping.

dsaezpramer Wed, 03/19/2008 - 08:04

So, in your opinion I don't have to change anything in PIX 2 configuration? All have to be done in firewall 2?

wasiimcisco Wed, 03/19/2008 - 08:10

No, you have to change all things on the firewall located on network 2, not the main firewall where you have the VPN connected. Change everything on the firewall that is located behind it and in front of internal network 2.

The VPN is already established; just make sure you have a route inside towards the firewall in front of internal network 2.

First establish the VPN and then configure the network 2 firewall so that you can access internal network 2.
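The two replies above describe the pieces in words: a NAT exemption (or identity static) and an inbound access-list on the inner firewall, plus a route on PIX 2 toward that firewall. The following configuration fragment is an added example that is not part of the thread and is not taken from the Cisco document the question refers to. It uses PIX 6.3-style syntax and assumed addresses: 192.168.1.0/24 for internal network 1, 192.168.2.0/24 for internal network 2, and a 10.0.0.0/30 transit link between PIX 2 (10.0.0.1) and the outside interface of the inner firewall (10.0.0.2). The ACL names are also assumptions.

```cisco
: Added example, not from the thread. Assumed addressing:
:   Internal network 1 = 192.168.1.0/24 (behind PIX 1)
:   Internal network 2 = 192.168.2.0/24 (behind the inner firewall)
:   PIX 2 inside = 10.0.0.1, inner firewall outside = 10.0.0.2

: ---- PIX 2 (VPN peer) ----
: The crypto map and the nat 0 exemption for 192.168.1.0 <-> 192.168.2.0
: stay as in the PIX-to-PIX example. What is new is a route so that packets
: decrypted for network 2 are forwarded to the inner firewall instead of
: being dropped for lack of a route.
route inside 192.168.2.0 255.255.255.0 10.0.0.2 1

: ---- Inner firewall (in front of internal network 2) ----
: 1. NAT exemption: do not translate network 2 when it talks to network 1,
:    so addresses match the interesting-traffic ACLs on both PIXes.
access-list VPN_NONAT permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN_NONAT

:    Alternative to step 1, the identity "static" named in the reply. Use one
:    of the two for the same addresses, not both.
: static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

: 2. Inbound access-list: allow network 1 to reach network 2 through the
:    outside interface. Narrow the protocols and ports to what is needed.
access-list OUTSIDE_IN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

: 3. Route back toward PIX 2 so replies to network 1 re-enter the tunnel.
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

Two checks follow from the topology in the question. NAT-T (`isakmp nat-traversal`) is configured on the VPN peers and only matters when a NAT device sits between PIX 1 and PIX 2; here the firewall is behind PIX 2, so it only ever sees cleartext traffic that has already been decrypted. To confirm where packets stop, `show crypto ipsec sa` on PIX 2 shows whether packets are being decrypted at all, and `show access-list` hit counts plus `show xlate` on the inner firewall show whether the inbound rule and the NAT exemption are matching.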
