11-16-2003 04:53 AM - edited 02-21-2020 12:52 PM
I've got 2 pix 506 with release 6.3
Setup with a pix to pix vpn and each pix is configured for vpn-clients using cisco vpn dialer 3.5.1
Everything is working fine!
Question:
Is it possible for vpn-clients who are connecting to pix-a to reach the network behind pix-b over the pix to pix vpn connection? If so, how can I configure it?
If it's not possible what type of equipment do I need to implement this?
Thanks,
Stefan van Merrienboer
Netherlands
11-21-2003 08:06 AM
It should be possible to do that. I am not too sure if additional configuration is required. You might want to check this list of sample configurations.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
11-21-2003 03:56 PM
It is my understanding with the PIX Firewalls that you cannot send IPSec traffic out the same interface that it received IPSec traffic on.
That is, if I connect to PIX-A using the VPN client, I will not be able to access resources behind PIX-B over the VPN tunnel between PIX-A and PIX-B.
The way I have circumvented this issue, is to have a host behind PIX-A that I can remotely attach to, a Windows box running Terminal Services, or a Unix/Linux box running SSH. I attach to that host over my client VPN connection, and then from that host, I access the resources behind PIX-B.
Hope this helps.
02-20-2004 12:18 PM
try split-tunneling
Good luck !
02-21-2004 08:32 AM
You cannot do this with a pix. The only solution (hack) is to have a multiple interface pix for site A, and configure the site to site tunnel to terminate on the non-outside interface (this is an interface that in theory is higher security than the outside one, but you muck around so that it acts more like a secondary outside interface).
This solution requires a 515 at a minimum, to have a 3rd interface, or to use vlan interfaces.
Apparently, Cisco is working on a software solution for 7.0 pix os. Pix do not allow packets to leave the interface they came in on - in your environment, vpn clients send packets to pix A's outside int. They would then need to leave that interface and go to pix B, which is not allowed by pix os.
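For readers arriving at this thread later: the behaviour described above (a packet may not leave the interface it arrived on, so a VPN client terminating on PIX-A's outside interface cannot be turned around into the PIX-A to PIX-B tunnel) is what PIX 7.0 and later call intra-interface traffic, and it is switched on with `same-security-traffic permit intra-interface`. The fragment below is an added illustration, not a configuration from this thread or from Cisco's documentation, and it does not apply to the 6.3 release the original poster runs. All addresses, pool, ACL and tunnel-group names are constructed assumptions; site A's LAN is taken to be 10.1.0.0/24, site B's LAN 10.2.0.0/24, and the client pool 192.168.100.0/24. Only the PIX-A side is shown; the crypto ACL on PIX-B must mirror the two entries in the `l2l` list, or the second entry will never match and client traffic will be dropped at PIX-B.

```cisco
! PIX-A, PIX/ASA 7.x syntax (assumed names and addresses; not from the thread)

! 1. Allow traffic to re-exit the interface it entered on (the "hairpin").
same-security-traffic permit intra-interface

! 2. Client address pool handed out to remote-access VPN users.
ip local pool vpnpool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! 3. Site-to-site crypto ACL: the second line carries client-pool traffic
!    into the same tunnel as the LAN-to-LAN traffic.
access-list l2l extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list l2l extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0

! 4. NAT exemption for everything that rides the tunnels, in both directions.
!    Hairpinned client traffic enters and leaves "outside", so the exemption
!    must be attached to that interface as well as to "inside".
access-list nonat-inside extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat-inside extended permit ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat-outside extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
nat (outside) 0 access-list nonat-outside

! 5. Split tunnelling must list BOTH LANs, otherwise the client never sends
!    site-B traffic into its tunnel in the first place.
access-list split standard permit 10.1.0.0 255.255.255.0
access-list split standard permit 10.2.0.0 255.255.255.0
group-policy ravpn internal
group-policy ravpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
tunnel-group ravpn type ipsec-ra
tunnel-group ravpn general-attributes
 address-pool vpnpool
 default-group-policy ravpn
```

When checking such a setup, look at three places in order: the client's routing table must show a route for 10.2.0.0/24 through the virtual adapter (step 5), `show crypto ipsec sa` on PIX-A must show a security association whose local/remote identities are 192.168.100.0/24 and 10.2.0.0/24 (step 3, and the mirrored entry on PIX-B), and `show xlate` must not show a translation for the pool addresses (step 4). If step 1 is missing, the packets are simply dropped at PIX-A and nothing else in the chain will ever be exercised.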