Horribly basic PIX/VPN 515E questions

First, while I'm not new to networking or Cisco routers, I'm new to PIX/VPN.

I've been using version 6.3 of the Cisco PIX firewall and VPN configuration guide. While there is a lot of information in the guide, I've found it to be cumbersome and difficult to use as a reference. If you guys have any recommendations, I'm all ears.

As to my situation...

We are replacing the existing Borderware firewall with the 515E, hardware VPN accelerator included. At the moment, I've got them running in parallel, until I can verify that everything is working as intended, to continue support for our 300+ users. I've got a test machine running with the PIX set as my default gateway, and all seems to be okay; I can do what I want, HTTP/FTP, etc.

Our DMZ is sitting between our internet router and the firewalls. The firewalls are directly connected to my local LAN, which includes our 3620. The 3620 provides the WAN connection (frame/several T1s) to our other sites.

As an experiment/attempt to learn a little about the VPN settings, I used the wizard. It seems to have worked, with a few exceptions. First, I can't get the VPN to function reliably if I have ANY ACL on the internet router. I even tried an ACL with one statement (permit any any)... still doesn't work, so the ACL is disabled at the moment. Second, with the ACL disabled, I can initiate the client VPN connection to the local LAN, but it won't extend across the 3620. I set the PIX box with default routes: outside to the internet router, inside to the 3620. I haven't activated any routing protocols. Honestly, we're using EIGRP internally, and that doesn't seem to be an option with the 515E; I wasn't eager to fire up OSPF internally, and didn't see the need. (Was I wrong?) As the 3620 has a default route pointing to the Borderware box, I wondered if this wasn't the problem. I ran a ~60 minute test, changing the route to the PIX box. While everyone could continue accessing the internet, it did nothing to fix my problem. I still couldn't extend beyond the local LAN/3620 to access other WAN

Any ideas/comments are appreciated.


Re: Horribly basic PIX/VPN 515E questions


If you are running EIGRP, are you redistributing statics? Sounds like you're going to need a static route routing the VPN pool of addresses back to the inside interface of the PIX. If you're running EIGRP at your remote sites you're going to have to redistribute that static into your AS or put statics on all your WAN routers.

Hope that helps.
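As an added example (not part of either post), here is what the two options in the reply look like as IOS configuration on the 3620: a static route for the VPN client pool pointing at the PIX inside interface, either redistributed into EIGRP or duplicated on every remote WAN router. The pool (10.200.1.0/24), the PIX inside address (192.168.1.1), the EIGRP AS number (100), the interface and the WAN address are all constructed placeholders; substitute your own.

```cisco
! Added example, not from the thread. All addresses are constructed:
!   VPN client address pool:        10.200.1.0/24
!   PIX inside interface:           192.168.1.1
!   EIGRP autonomous system number: 100
!
! Option 1: static route on the 3620, redistributed into EIGRP so the
! remote WAN routers learn the pool automatically.
ip route 10.200.1.0 255.255.255.0 192.168.1.1
!
router eigrp 100
 network 192.168.1.0
 redistribute static
 ! Seed metric for redistributed routes (bandwidth in kbps, delay in
 ! tens of microseconds, reliability, load, MTU). EIGRP can derive a
 ! metric for statics from the outgoing interface, but setting it
 ! explicitly avoids surprises when other sources are redistributed.
 default-metric 10000 100 255 1 1500
!
! Option 2 (instead of redistribution): the same static on every remote
! WAN router, next hop = the 3620's WAN-side address (constructed 10.1.1.1).
!   ip route 10.200.1.0 255.255.255.0 10.1.1.1
!
! Verification on a remote-site router: with option 1 the pool shows up
! as an EIGRP external route (D EX); with option 2 as a static (S).
!   show ip route 10.200.1.0
!   show ip eigrp topology 10.200.1.0 255.255.255.0
```

Return traffic from a remote site to a VPN client follows this route back to the PIX inside interface, which is exactly the path the client's outbound packets took across the 3620; if the pool is missing from a remote router's table, that router falls back to its default route and the VPN session appears to "work" only on the local LAN.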
