PIX to PIX to VPN-client question

asternsdorff
Level 1

I've got 2 pix 506 with release 6.3

Setup with a pix to pix vpn and each pix is configured for vpn-clients using cisco vpn dialer 3.5.1

Everything is working fine!

Question:

Is it possible for vpn-clients who are connecting to pix-a to reach the network behind pix-b over the pix to pix vpn connecting? If so how can I configure it?

If it's not possible what type of equipment do I need to implement this?

Thanks,

Stefan van Merrienboer

Netherlands

4 Replies

didyap
Level 6

It should be possible to do that. I am not too sure if additional configuration is required. You might want to check this list of sample configurations.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html

Not applicable

It is my understanding with the PIX Firewalls that you cannot send IPSec traffic out the same interface that it received IPSec traffic on.

That is, if I connect to PIX-A using the VPN client, I will not be able to access resources behind PIX-B over the VPN tunnel between PIX-A and PIX-B.

The way I have circumvented this issue is to have a host behind PIX-A that I can remotely attach to, a Windows box running Terminal Services, or a Unix/Linux box running SSH. I attach to that host over my client VPN connection, and then from that host, I access the resources behind PIX-B.

Hope this helps.

rodoljubt
Level 1

Try split-tunneling.

Good luck !

mostiguy
Level 6

You cannot do this with a PIX. The only solution (hack) is to have a multiple-interface PIX for site A, and configure the site-to-site tunnel to terminate on the non-outside interface (this is an interface that in theory is higher security than the outside one, but you muck around so that it acts more like a secondary outside interface).

This solution requires a 515 at a minimum, to have a 3rd interface, or to use VLAN interfaces.

Apparently, Cisco is working on a software solution for 7.0 PIX OS. PIX do not allow packets to leave the interface they came in on. In your environment, VPN clients send packets to PIX A's outside interface. They would then need to leave that interface and go to PIX B, which is not allowed by PIX OS.
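Added example, not from any reply in this thread and not a Cisco-provided configuration: the software fix mostiguy mentions for 7.0 is the `same-security-traffic permit intra-interface` command, which lets traffic enter and leave the same interface (so-called hairpinning). The fragment below shows the PIX-A pieces that matter for letting a VPN client reach the network behind PIX-B over the site-to-site tunnel, in 7.0-style syntax rather than the 6.3 release the poster is running. All names and addresses are constructed for the example (site A LAN 10.1.0.0/24, site B LAN 10.2.0.0/24, client pool 192.168.100.0/24); PIX_B_PUBLIC_IP is a placeholder for the real peer address, and PIX-B needs a mirror-image crypto ACL and NAT exemption for the client pool or it will drop the traffic as uninteresting.

```cisco
! PIX-A, 7.0-style syntax (assumed; this thread's devices run 6.3)
! Constructed addressing: site A LAN 10.1.0.0/24, site B LAN 10.2.0.0/24,
! remote-access client pool 192.168.100.0/24, PIX-B peer = PIX_B_PUBLIC_IP (placeholder)

! 1. Allow traffic that arrived on "outside" (from a VPN client) to leave via "outside" again.
!    Without this line the PIX keeps the pre-7.0 behaviour the thread describes and drops it.
same-security-traffic permit intra-interface

! 2. Address pool handed to remote-access clients
ip local pool CLIENTPOOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! 3. NAT exemption. Hairpinned client traffic is sourced on the outside interface,
!    so it needs its own nat (outside) 0 entry in addition to the usual inside one.
access-list NONAT_INSIDE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT_INSIDE extended permit ip 10.1.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_OUTSIDE extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (outside) 0 access-list NONAT_OUTSIDE

! 4. Site-to-site crypto ACL. The client pool must be listed as a source, otherwise
!    the tunnel to PIX-B never considers client-originated packets "interesting".
access-list L2L_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list L2L_TO_B extended permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_B
crypto map OUTSIDE_MAP 10 set peer PIX_B_PUBLIC_IP
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
isakmp enable outside

! 5. Split-tunnel list pushed to the VPN clients (ties in with the split-tunneling suggestion
!    above): include both site networks so the client routes site B traffic into the tunnel.
!    With a full-tunnel policy this list is unnecessary, but then all client traffic hairpins.
access-list SPLIT_TUNNEL standard permit 10.1.0.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.2.0.0 255.255.255.0
```

The three places this usually fails when configured by hand are the missing `nat (outside) 0` exemption (the client source gets translated and no longer matches the crypto ACL), a crypto ACL on PIX-B that only lists site A's LAN and so rejects the client pool, and a split-tunnel list that omits site B, in which case the client simply sends that traffic out its local default route. The `same-security-traffic` command is an ASA/PIX 7.0 feature; it does not exist on the 6.3 release in the original post, which is why the replies above describe only the extra-interface workaround.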
