Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

PIX to PIX ipsec vpn on the inside interface


I have two pixes connected to each other in the intranet(LAN) via the inside interfaces on both.

On both pixes, the outside interfaces connect to a different dmz.

I would like to create a ipsec vpn from the inside interface of one pix to the inside interface of the other pix.

The DMZ traffic at each end of the pix would then be connected to each other over this ipsec tunnel. The servers in both DMZ's would talk to each other over the vpn.

My question is, will this work? Most of the configurations always have the OUTSIDE interfaces of the pix as the vpn endpoint, not the INSIDE interface.

If it will work, can the inside interface be of a higher security on both pixes? What about the nat?

Any config issues I should be aware of, especially to not affect existing production traffic on the inside interface of the pix going to the DMZ?

If there are any urls to look at, that would help.

New Member

Re: PIX to PIX ipsec vpn on the inside interface


I have not tested this,but I dont think there should be any issue.It is not nessasry that we use only outside interface as lower security interface.We can change the security levels so it does not make sense to keep the VPN binded only to outside interface.

I think it should work.



New Member

Re: PIX to PIX ipsec vpn on the inside interface

Hi Tanveer,

Thanks for the reply.

I also would like to know if the vpn endpoints can be the outside interface. In this scenario, we are using the intranet(that is the tunnel is actually the LAN). Does the pix allow traffic to cross the its interfaces if the endpoints are on the far side.

Also, I would like to know the static nat and or global nat command necessary to not affect the existing production traffic in the original scenario when the endpoints are the inside interface. Is there any reference anywhere similar to this scenario?

According to your reply, we can keep the inside as higher security, is this correct?