Cisco Support Community
New Member

PIX to PIX VPN then back to Internet

I am trying to set up a remote site link via PIX to PIX VPN. This works fine. The problem is that all traffic is required to go out to the Internet via Firewall 1 at the central site using NAT. It appears to work then stops. Any ideas?

4 REPLIES
Cisco Employee

Re: PIX to PIX VPN then back to Internet

The PIX won't send a packet back out the same interface it came in on, so if you have this tunnel terminating on the outside interface, the remote site will NOT be able to use the VPN to come into the hub site and then go back out the same interface to the Internet.

The only way to make this work is to terminate the VPN tunnel on a different interface than the outside interface, then they'll be able to route between the two interfaces.

New Member

Re: PIX to PIX VPN then back to Internet

Thanks for this but we have 2 internet connections, 1 used for this VPN termination on the outside interface. The inside of the PIX is on a private subnet. This private subnet routes out to the Internet via a different link via a Firewall 1 box using NAT. I can hit the private address from remote LAN fine. When I then try to go out to Internet it works for the first few locations tried then stops. Re-booting either PIX starts it working but only for a few locations.

New Member

Re: PIX to PIX VPN then back to Internet

I'm not sure what the main culprit is in this situation, but I suspect it shouldn't really work anyway. You may say "why shouldn't it work"? You can only have 1 default route. I would assume that you have your default route set as an outside route to your isp. Then for the remote traffic you essentially need a default route on your inside network to point to your Firewall1 box. I'm not sure what the point of this is except for monitoring or controlling where people can get to on the net, but you may want to rethink this plan.

New Member

Re: PIX to PIX VPN then back to Internet

One way around this would be a Proxy Server. You can point all of your VPN Users to the Proxy Server and it will handle all Internet traffic for the VPN Users. Since the Proxy is on the inside, you will not have the problem with the PIX not allowing traffic out the same interface it came in on. The only other way would be to set up a separate NAT Pool for internet access at the remote site. That way any traffic to the other network would go through the tunnel, and internet traffic would use NAT.
