IPSEC tunnel traffic

Unanswered Question
Jan 28th, 2003
Is it possible to configure the following:

networkA(watchguard firewall) --ipsec-->networkB(pix)--ipsec-->networkC(pix)

where connection attempts from networkA to networkC are translated to networkB addresses first, so that connections are transparent to networkC?

I need to connect networkA to networkC through networkB. No changes can be made to networkC.

Currently, traffic from networkA to networkC results in "402103: identity doesn't match negotiated identity" on the networkB PIX.

For example, using http://www.cisco.com/warp/customer/110/pixhubspoke-01.gif, how can traffic be made to go from pix2 to pix3 through pixCentral?

mchin345 Mon, 02/03/2003 - 13:00

The setup shown in figure 01.gif won't work simply because traffic received by the PIX on an interface is not sent out over the same one. If, however, you place PIX 2 and PIX 3 on different interfaces of PIX Central, the issue boils down to passing encrypted traffic through the PIX. For that, see the doc Configuring an IPSec Tunnel through a Firewall with NAT at http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a008009486e.shtml.
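To illustrate the suggestion above, here is an added hub-side fragment (not from the thread or the linked doc) in PIX 6.x syntax: the two spokes sit behind two different hub interfaces, so the hub only passes the spokes' own IKE/ESP traffic between them instead of terminating a tunnel. The interface names, security levels and addresses are placeholders I chose for the example.

```cisco
! Added example: hub PIX ("PIX Central" role), PIX 6.x syntax.
! Assumption: spoke PIX 2 is reached via interface dmz1 and spoke PIX 3 via dmz2.
! All addresses are documentation placeholders, not values from the thread.
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security40
ip address dmz1 192.0.2.1 255.255.255.0
ip address dmz2 198.51.100.1 255.255.255.0

! Identity static: the PIX 2 peer address is presented unchanged on dmz2, so the
! IKE identity PIX 3 sees matches the peer address in its own crypto map and the
! "identity doesn't match negotiated identity" situation does not arise at the hub.
static (dmz1,dmz2) 192.0.2.2 192.0.2.2 netmask 255.255.255.255

! Least privilege: from the lower-security dmz2 side, only IKE (UDP/500) and ESP
! between the two known peers may cross toward dmz1; nothing else is opened.
access-list dmz2_in permit udp host 198.51.100.2 host 192.0.2.2 eq isakmp
access-list dmz2_in permit esp host 198.51.100.2 host 192.0.2.2
access-group dmz2_in in interface dmz2
```

Traffic from dmz1 (higher security) toward dmz2 is permitted by default once the static exists; if the spokes negotiate NAT traversal, UDP/4500 would need an equivalent entry.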
