Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
248
Views
0
Helpful
2
Replies

PIX-to-PIX tunnel and subnets

astodulski
Level 1
Level 1

‎05-28-2003 12:34 PM - edited ‎02-20-2020 10:46 PM

I have a home office and two remote sites I am setting up with VPN tunnels. My architecture is:

Home Office

External router from ISP (cisco 1700)

PIX 515E

Interal network 192.168.1.0 255.255.255.0

Remote location 1

External router from ISP

PIX 515E

Internal network 192.168.2.0 255.255.255.0

Remote location 2

PIX 501

Internal network 192.168.3.0 255.255.255.0

I have a tunnel between the three locations however I cannot communicate with servers across the tunnel. I need to backup servers at the home location to remote location 1 and need to have remote location 2 access both the home office and remote location 1 via the VPN tunnel. On the Pix units I show the tunnel as being up however I cannot see the servers on each subnet.

Most documentation (as well as the recent Cisco PIX book) I have found indicates that I do not need a router on the internal networks but I have found some references that I do. I spoke to post-sales Cisco support with the vendor I purchased the firewalls from who indicated that I do need routers internally at each location. I need to verify if this is correct or if I can configure the PIX units to allow the subnets to communicate.

On all three units I am running PIX IOS 6.2 and PDM 2.1

0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎05-28-2003 05:03 PM

No, you don't need routers at each site internally. Keep in mind that with the PIX at the head-end you won't be able to route through it from Remote1 to Remote2, the PIX won't route a packet back out the same interface it came in on, that includes routing an IPsec packet from one tunnel back out to another. If you want to go from Remote1 to Remote2, you'll have to set up a tunnel directly between the two, so you have fully-meshed tunnels between all 3 sites (see http://www.cisco.com/warp/public/110/pixmeshed.html for details).

When you say you cannot "see the servers" over the tunnel, do you mean you can't ping them or you can't see them in Network Neighborhood. Pinging them should be simple, just make sure you set up the PIX's as shown in the sample config above (pay particular attention to your nat 0 access-list). Seeing them via MS Networking is a whole different ball game, since this relies heavily on WINS and multicast packets, which generally don't go over VPN's too well.

0 Helpful

astodulski
Level 1
Level 1
In response to gfullage

‎05-29-2003 05:11 AM

Thanks for the reply. I was able to resolve my issue last night. I didn't have passive RIP applied on each PIX for the inside interfaces.

Thanks again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card