PIX 501 Site 2 Site + VPN Client

Unanswered Question

Setup Site to Site VPN with 2 PIX 501.

Also configured PIX A to accept a VPN client.

Site A can see Site B and the other way around.

Client sees PIX A network but not Network B.


I know this is a restriction with PIX v6 and the golden rule that traffic cannot come in and go out of the same interface (need a 515 with v7 for that).


My question is:

- Is there no other way to make this work? How about a router on a stick in Site A? Send traffic to the router and have the router send it back to the PIX. If this is possible, any ideas on how to set this up?


Any other solutions, except for spending ~5K on a 515 just for this functionality?


I used this Cisco document for my reference and setup:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094cea.shtml



Thanks for the help.

Fred

jackko Sat, 12/10/2005 - 02:47

Just wondering what sort of resources the client would access from net_b.


For file sharing, you may set up a share on a net_a server, which in turn connects to another net_b server via the LAN-to-LAN VPN.


Alternatively, deploy a router in net_a replacing the PIX. You can configure "on a stick" on the router for the VPN client.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd9e9e1

Jackko,


I don't think that the redirect share thing will work, as the only thing that the server would do is redirect you to a server on net_b (at least in the Windows world).


So the only way would be to replace the PIX with a router. No chance to stick a router behind the PIX on the internal LAN (like a W2K3 'router')? Think cheap and dirty, it's a small shop that I'm doing this for.

Fred

jackko Sat, 12/10/2005 - 05:02

Please excuse me for the poor explanation.


Share folder created on the net_a server. I really mean something like RDP to the net_a server first, then accessing the net_b resources from the net_a server.


Regarding the router behind the net_a PIX, I am just wondering how it works. Assuming the PIX is the VPN termination for the VPN client, how would the PIX forward the traffic destined for net_b to the router, and then from the router back to the PIX, which in turn forwards the traffic to net_b via the LAN-to-LAN VPN?


Let's put all this into an example.

net_a 192.168.1.0

net_b 192.168.2.0


The net_a PIX receives a packet from the VPN client destined for 192.168.2.0. The PIX has no route to net_b except the crypto map. Unfortunately, as you know already, PIX v6.x doesn't support this, with the golden rule saying no traffic in/out the same interface. Now, if you apply a static route for net_b pointing to the router, then the PIX will be confused between the crypto map and the static route for net_b. Does it make sense?
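For reference, this is what the "need v7 for that" part of the thread looks like in configuration terms. It is an added example written for this page, not a configuration posted by Fred or jackko and not taken from the linked Cisco document. It shows the PIX A side of a PIX OS 7.x setup in which the VPN client's traffic enters the outside interface, is decrypted, and is re-encrypted out of the same outside interface toward PIX B (the "hairpin" that PIX 6.x refuses). The interface names, the public address 203.0.113.1, the client pool 192.168.10.0/24, and the ACL and group-policy names are assumptions; net_a and net_b are jackko's 192.168.1.0 and 192.168.2.0. ISAKMP policy, transform sets, the crypto map entries and tunnel-groups are the normal L2L and remote-access pieces and are omitted here.

```cisco
! PIX A, PIX OS 7.x -- added example, hypothetical addressing
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! The one line that lifts the 6.x "golden rule": allow a packet that
! arrived on outside to be sent back out of outside.
same-security-traffic permit intra-interface
!
! Address pool handed to VPN clients (assumed range)
ip local pool vpnpool 192.168.10.1-192.168.10.50 mask 255.255.255.0
!
! NAT exemption: net_a to net_b and net_a to the client pool must not be translated
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! LAN-to-LAN crypto ACL: it has to carry the client pool to net_b as well as
! net_a to net_b, otherwise the hairpinned packets never match the L2L SA.
! PIX B needs the mirror image (net_b to 192.168.1.0 and net_b to 192.168.10.0)
! in its own crypto ACL and NAT exemption.
access-list l2l_to_b extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_to_b extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Split-tunnel list for the client: net_b must be listed, or the client
! sends net_b traffic out its local default gateway instead of the tunnel.
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.2.0 255.255.255.0
!
group-policy vpnclients internal
group-policy vpnclients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
```

The three pieces that are easy to forget are the intra-interface permit, the extra line in the L2L crypto ACL on both PIXes for the client pool, and the split-tunnel entry for net_b; without any one of them the client still reaches net_a only, which is the symptom in the original question. On a 6.x PIX the first line does not exist, which is why the thread is discussing routers instead.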
