Community Member

U turn of IPSEC traffic on PIX 6.3

Hi all experts,

I'm using PIX 6.3(5).

Is it possible to route IPsec traffic coming in through one tunnel, decrypt it, encrypt it again and send it back out through a new VPN tunnel?

Basically a U-turn of IPsec traffic on the outside interface -> decrypt -> encrypt again -> new tunnel.

All of this is happening on the outside interface.

I can achieve this on PIX 7.2 but it is not happening on 6.3... 6.3 doesn't have the same-security feature for intra-interface traffic. Wouldn't it be allowed for IPsec traffic??

Hall of Fame Super Blue

Re: U turn of IPSEC traffic on PIX 6.3


Unfortunately no, you can't do this, for the very reason you state, i.e. you cannot send traffic straight back out the interface it came in on with v6.3, but you can with v7.x.

That is why, if you wanted a hub-and-spoke design where the spokes communicated with each other via the hub prior to v7.x of PIX/ASA, you needed to use a router, which does not have the same limitation as PIX v6.x.



Community Member

Re: U turn of IPSEC traffic on PIX 6.3

The only way to achieve this is by configuring multiple outside interfaces, either by using separate physical ports or an 802.1q VLAN-tagged outside port. You then have static routes pointing out one outside interface for the static VPN tunnel, and you terminate that tunnel on that interface. The other outside interface is used for the other tunnel(s), dynamic or static.

Email me if you'd like a config example.
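The two-outside-interface workaround described in the reply above, written out as an added example (this is not the poster's config and was not taken from this thread). Interface names, the VLAN id, the RFC 5737 / RFC 1918 addresses and the peer addresses are constructed placeholders, and the NAT exemption and access-list or static entries the PIX needs for traffic crossing between the two outside interfaces are assumed to be configured separately.

```cisco
! PIX 6.3 hub: second outside interface as an 802.1q subinterface on ethernet0,
! so traffic decrypted on "outside" can be re-encrypted on its way out "outside2".
! On PIX/ASA 7.x a single outside interface works once you add:
!   same-security-traffic permit intra-interface
interface ethernet0 auto
interface ethernet0 vlan20 logical
nameif ethernet0 outside security0
nameif vlan20 outside2 security5
ip address outside  203.0.113.2  255.255.255.0
ip address outside2 198.51.100.2 255.255.255.0
!
! Routing decides which interface, and therefore which crypto map, the
! decrypted packet hits on its way back out.
! Spoke A (LAN 10.2.0.0/16, peer 192.0.2.10) is reached via outside (default route).
! Spoke B (LAN 10.3.0.0/16, peer 192.0.2.20) is reached via outside2.
route outside  0.0.0.0    0.0.0.0         203.0.113.1  1
route outside2 192.0.2.20 255.255.255.255 198.51.100.1 1
route outside2 10.3.0.0   255.255.0.0     198.51.100.1 1
!
! Crypto ACLs: each tunnel must also match the other spoke's LAN, otherwise the
! spoke-to-spoke traffic is not "interesting" on the egress map and is never
! re-encrypted (it would leave the second interface in the clear or be dropped).
access-list cryptoA permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list cryptoA permit ip 10.3.0.0 255.255.0.0   10.2.0.0 255.255.0.0
access-list cryptoB permit ip 10.1.1.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list cryptoB permit ip 10.2.0.0 255.255.0.0   10.3.0.0 255.255.0.0
!
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
! Tunnel to spoke A terminates on outside
crypto map mapA 10 ipsec-isakmp
crypto map mapA 10 match address cryptoA
crypto map mapA 10 set peer 192.0.2.10
crypto map mapA 10 set transform-set strong
crypto map mapA interface outside
! Tunnel to spoke B terminates on outside2
crypto map mapB 10 ipsec-isakmp
crypto map mapB 10 match address cryptoB
crypto map mapB 10 set peer 192.0.2.20
crypto map mapB 10 set transform-set strong
crypto map mapB interface outside2
isakmp enable outside
isakmp enable outside2
```

Verify with `show crypto ipsec sa` on both interfaces that spoke-to-spoke packets increment the encrypt counter on the second map, not just the decrypt counter on the first.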
