Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
313
Views
0
Helpful
6
Replies

Back-to-back PIX

jtorkos
Level 1
Level 1

‎11-12-2003 04:36 PM - edited ‎02-20-2020 11:06 PM

Does anyone know if this can work. I have two Pix 515 firewalls and the setup is as follows:

ISP - Router - PIX1 - PIX2 - Internal

Remote VPN users will terminate at PIX1 and I need to know how they will get to the internal network and how the internal users will get out to the Internet.

I'm thinking of setting up IPSEC between the firewalls, but do I need to configure "isakmp enable inside" on PIX1 and "isakmp enable outside" on PIX2.

Please let me know if anyone has any ideas on this subject.

Thanks.

0 Helpful
6 Replies 6

nkhawaja
Cisco Employee
Cisco Employee

‎11-12-2003 04:39 PM

Hi,

Why would this setup not work? Why do you need IPSEC between PIX1 and PIX2. Just terminate VPN on PIX1 and allow the traffic for those IPs towards and from PIX2.

For outbound traffic, simple NAT should work.

Thanks

Nadeem

0 Helpful

jtorkos
Level 1
Level 1
In response to nkhawaja

‎11-12-2003 04:56 PM

Wow, what a quick response. Just to understand what you have said. I create an ip pool for VPN users and create an access list that will forward the packets to PIX2. As for internal users, I just set up NAT and they should go out the Internet. I there a chance I can send you a diagram of how it looks like or is there a Cisco link that has a similiar example.

My home email address is jtorkos@rogers.com

Thanks again.

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to jtorkos

‎11-12-2003 09:26 PM

Hi,

You can send me diagram at nkhawaja@cisco.com

Thanks

Nadeem

0 Helpful

jtorkos
Level 1
Level 1
In response to nkhawaja

‎11-13-2003 06:27 PM

I've setup the FWs, so internal users can access the Internet, DMZ and everything else. I've terminated the VPN on PIX1 and I'm able to connect from outside. However, I'm unable to get into my internal network. Do I need to add a route inside statement so that packets get forwarded from the PIX1 to the PIX2 inside interface. Perhaps, I need to add a static address? Does anyone have any ideas.

Thanks in advance.

JT

0 Helpful

nkhawaja
Cisco Employee
Cisco Employee
In response to jtorkos

‎11-15-2003 12:17 AM

Hi,

You definitely need route statement for the inside network@PIX2 on PIX1

route inside PIX2_outside_address

You also need the following on PIX2

static translation for inside network

access-list to allow the VPNIPs to come to the inside.

Thanks

Nadeem

0 Helpful

jtorkos
Level 1
Level 1
In response to nkhawaja

‎11-17-2003 06:11 AM

It's working fine now.

Thanks for your help.

JT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card