Cisco Support Community
Community Member

Can I terminate a VPN tunnel on the inside interface of a PIX?

I have a strange site-to-site VPN scenario between two PIX firewalls.


My customer has a PC (far left) that needs secure VPN access to the FR cloud. This PC is sitting behind the PIX 506 and must be protected from all internal LAN devices. The customer wants a site-to-site VPN tunnel from the PIX 506 to the PIX 515.

I am thinking that a site-to-site VPN tunnel would need to be created from the PIX 506 outside interface (facing the core LAN segment) and terminating on the PIX 515 inside interface (facing the core LAN segment).

Some questions I have:

1. To allow 2-way traffic between the FR cloud & the protected PC, how would I go about allowing traffic from the FR cloud into the PIX 515 outside interface? Should this be a static mapping and inbound access list to allow the subnet on the outside interface?

2. Would it be better to terminate the VPN tunnel on the PIX 515 outside interface? If so, are there any additional rules that need to be configured on the 515?

Thank You in advance for any help on this!!


Cisco Employee

Re: Can I terminate a VPN tunnel on the inside interface of a PI

1. Good question. I would think you'd create a static for the network behind the 506, and just map it to itself. For example, if you have behind the 506, do:

> static (inside,outside) netmask

then an ACL allowing whatever traffic you want to go to that network. If your crypto ACL then includes traffic from the FR cloud to then the PIX should encrypt it.

2. You wouldn't be able to do this; if the inside interface is the one facing the core LAN then you have to terminate it on the inside interface. There's nothing wrong with doing this; the commands are just the same, just enable isakmp and your crypto map on the inside interface rather than the outside. Make sure you have a route for the network pointing to the inside gateway.

Community Member

Re: Can I terminate a VPN tunnel on the inside interface of a PI

Thanks for the tips. I'm not sure I understand why there would need to be a static mapping from to itself. Wouldn't it need to be statically mapped to an address on the subnet on the outside interface of the 515? Let's say a device in the FR cloud needs to ping that PC behind the 506. Wouldn't it have to ping an address on that outside segment of the 515, which will then be translated to a address, which is at the other end of the "internal" vpn tunnel?

My brain hurts! :)

Thanks Again!


Cisco Employee

Re: Can I terminate a VPN tunnel on the inside interface of a PI

If you want to translate the network to some other network then yes, you can statically map it. The static addresses do NOT have to be in the same subnet as the outside PIX interface though, as long as the FR cloud has a route to that points to the PIX, the PIX will accept the packet because it has a corresponding static for it. I just thought it would be easier from your point of view to leave the addresses as is, then anyone can just connect to the actual address and the PIX will map it to itself on the way through and then forward it on.
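The PIX 515 side of the setup described in the two replies above (identity static, inbound ACL, crypto map bound to the inside interface, route back to the 506), written out as an added example; it is not configuration from the thread or from Cisco. All addresses, names and the pre-shared-key placeholder are constructed: 192.168.10.0/24 is the protected network behind the 506, 10.1.1.0/24 is the core LAN segment (506 outside = 10.1.1.6, 515 inside = 10.1.1.15), 172.16.0.0/16 is the FR cloud reached through the 515 outside interface. PIX 6.3 syntax is assumed.

```cisco
! PIX 515 -- constructed example, addresses are placeholders
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 172.16.1.15 255.255.255.0
ip address inside 10.1.1.15 255.255.255.0

! Identity static: the protected network is "translated" to itself,
! which gives the PIX a static to accept inbound FR-cloud packets for it
static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Inbound ACL on the (lower-security) outside interface: permit only the
! FR-cloud sources that really need the protected network, not "any"
access-list FR-IN permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-group FR-IN in interface outside

! Crypto ACL: FR cloud <-> protected network is the interesting traffic
! (the 506 side carries the mirror image, 192.168.10.0/24 -> 172.16.0.0/16)
access-list VPN-506 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0

! Let decrypted IPsec traffic bypass interface ACL checks
sysopt connection permit-ipsec

! Routes: protected network sits behind the 506 on the inside segment,
! FR cloud is behind the next hop on the outside segment
route inside 192.168.10.0 255.255.255.0 10.1.1.6 1
route outside 172.16.0.0 255.255.0.0 172.16.1.1 1

! ISAKMP and the crypto map are enabled on the INSIDE interface,
! because the peer (the 506) is reached through the core LAN segment
isakmp enable inside
isakmp key PRE-SHARED-KEY-PLACEHOLDER address 10.1.1.6 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map TO506 10 ipsec-isakmp
crypto map TO506 10 match address VPN-506
crypto map TO506 10 set peer 10.1.1.6
crypto map TO506 10 set transform-set ESP-AES256-SHA
crypto map TO506 interface inside
```

If the customer instead wants the protected PC reachable under a different address, the static changes to map 192.168.10.0/24 to that range (it need not be in the outside interface's subnet, as the last reply notes), and the FR-IN and VPN-506 ACLs must then reference the translated addresses on the outside side.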
