10-16-2007 11:54 PM - edited 03-11-2019 04:26 AM
Hi all experts,
I'm using PIX 6.3(5).
Is it possible to route IPsec traffic coming in through one tunnel, decrypt it, encrypt it again and send it back out through a new VPN tunnel?
Basically a U-turn of IPsec traffic on the outside interface -> decrypt -> encrypt again -> new tunnel.
All this is happening on the outside interface.
I can achieve this on PIX 7.2, but it's not happening on 6.3... 6.3 doesn't have the same-security feature for intra-interface traffic. Wouldn't it be allowed for IPsec traffic?
10-17-2007 03:06 AM
Hi
Unfortunately no, you can't do this, for the very reason you state, i.e. you cannot send traffic straight back out the interface it came in on with v6.3, but you can with v7.x.
That is why, if you wanted a hub-and-spoke design where the spokes communicated with each other via the hub prior to v7.x of PIX/ASA, you needed to use a router, which does not have the same limitation as PIX v6.x.
HTH
Jon
10-17-2007 06:34 AM
The only way to achieve this is by configuring multiple outside interfaces, either by using separate physical ports or an 802.1q VLANed outside port. You then have static routes pointed out one outside interface for the static VPN tunnel, and you terminate that tunnel on that interface. The other outside interface is used for the other tunnel(s), dynamic or static.
Email me if you'd like a config example.
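The following is an added illustrative PIX 6.3 configuration for the two-outside-interface approach described in the post above; it is not the poster's config and was not part of the original thread. Interface names, addresses, network ranges, ACL names, the security levels and the pre-shared keys are all assumptions chosen for the example, and the lines beginning with `!` are explanatory notes for the reader rather than part of the config. The idea it demonstrates is that spoke-to-spoke traffic enters the hub on one interface and leaves on a different one, so the 6.x "no hairpin on the same interface" restriction never applies.

```text
! Added example, not the poster's configuration. All addresses, names,
! ACLs, security levels and keys are assumptions for illustration only.
!
! Assumed topology: hub PIX 6.3 with two outside interfaces.
!   Spoke A: LAN 10.1.0.0/16, peer 203.0.113.10, terminates on "outside"
!   Spoke B: LAN 10.2.0.0/16, peer 198.51.100.10, terminates on "outside2"
!            (802.1q subinterface VLAN 10 on the same physical port)
!   Hub LAN: 192.168.10.0/24 on "inside"

interface ethernet0 100full
interface ethernet0 vlan10 logical
interface ethernet1 100full

! PIX 6.x has no same-security option, so each interface gets a
! distinct level (assumption: outside2 sits one level above outside).
nameif ethernet0 outside security0
nameif vlan10 outside2 security1
nameif ethernet1 inside security100

ip address outside 203.0.113.2 255.255.255.0
ip address outside2 198.51.100.2 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0

! Static routes: spoke B's peer and LAN are reached via outside2,
! everything else (including spoke A) via the default route on outside.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside2 198.51.100.10 255.255.255.255 198.51.100.1 1
route outside2 10.2.0.0 255.255.0.0 198.51.100.1 1

! Crypto ACLs. Each tunnel's interesting traffic must cover the hub LAN
! AND the other spoke's LAN, otherwise the spoke-to-spoke flow is
! decrypted on one tunnel but never matches the second one.
access-list vpn_a permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn_a permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list vpn_b permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list vpn_b permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! NAT exemption. The spoke-to-spoke flow crosses from outside (sec 0)
! to outside2 (sec 1), so it needs its own nat 0 on the higher side.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat_outside2 permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (outside2) 0 access-list nonat_outside2

! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec

crypto ipsec transform-set ts esp-aes esp-sha-hmac

! Tunnel to spoke A, bound to the first outside interface.
crypto map map_a 10 ipsec-isakmp
crypto map map_a 10 match address vpn_a
crypto map map_a 10 set peer 203.0.113.10
crypto map map_a 10 set transform-set ts
crypto map map_a interface outside

! Tunnel to spoke B, bound to the VLAN subinterface.
crypto map map_b 10 ipsec-isakmp
crypto map map_b 10 match address vpn_b
crypto map map_b 10 set peer 198.51.100.10
crypto map map_b 10 set transform-set ts
crypto map map_b interface outside2

! ISAKMP must be enabled on both terminating interfaces.
isakmp enable outside
isakmp enable outside2
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp key ******** address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Two things to check after applying something like this: `show crypto ipsec sa` should show an SA for the 10.1.0.0/16 <-> 10.2.0.0/16 pair on both `map_a` and `map_b` once a spoke-to-spoke packet has flowed, and `show route` should confirm that the spoke B peer address is reached via `outside2` and not via the default route, since a route out the wrong interface silently re-creates the hairpin the original question ran into.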