Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
0
Helpful
2
Replies

U turn of IPSEC traffic on PIX 6.3

swapnendum
Level 1
Level 1

‎10-16-2007 11:54 PM - edited ‎03-11-2019 04:26 AM

Hi all experts,

i'm using PIX6.3(5)

is it possible to route IPSEC traffic coming through one tunnel , decrypt , encrypt again and send it back through a new VPN tunnel.

Basically an U-turn of IPSEC traffic on outside interface-> decrypt ->encrypt again -> new tunnel

All this is happening on the outside interface.

i can achieve this on PIX 7.2 but not happening on 6.3...6.3 doesnt have the same-security feature for intra-interface traffic. Wouldn't it be allowed for IPsec traffic ??

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎10-17-2007 03:06 AM

Hi

Unfortunately no you can't do this for the very reason you state ie. you cannot send traffic straight back out the interface it has come in on with v6.3 but you can with v7.x.

That is why if you wanted a hub and spoke design where the spokes communicated with each other via the hub prior to v7.x of pix/ASA you needed to use a router which does not have the same limitation as pix v6.x.

HTH

Jon

0 Helpful

cmcbride
Level 1
Level 1

‎10-17-2007 06:34 AM

The only way to achieve this is by configuring Multiple outside interfaces either by using seperate physical ports or an 802.1q VLANed outside port. You then have static routes pointed out one outside interface for the static VPN tunnel and you terminate that tunnel on that interface. The other outside interface is used for the other tunnel(s), dynamic or static.

Email me if you'd like a config example.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card