I am trying to set up a remote site link via PIX to PIX VPN. This works fine. The problem is that all traffic is required to go out to the Internet via Firewall 1 at the central site using NAT. It appears to work then stops. Any ideas?
The PIX won't send a packet back out the same interface it came in on, so if you have this tunnel terminating on the outside interface, the remote site will NOT be able to use the VPN to come into the hub site and then go back out the same interface to the Internet.
The only way to make this work is to terminate the VPN tunnel on a different interface than the outside interface, then they'll be able to route between the two interfaces.
Thanks for this but we have 2 internet connections, 1 used for this VPN termination on the outside interface. The inside of the PIX is on a private subnet. This private subnet routes out to the Internet via a different link via a Firewall 1 box using NAT. I can hit the private address from remote LAN fine. When I then try to go out to Internet it works for the first few locations tried then stops. Re-booting either PIX starts it working but only for a few locations.
I'm not sure what the main culprit is in this situation, but I suspect it shouldn't really work anyway. You may say "why shouldn't it work"? You can only have 1 default route. I would assume that you have your default route set as an outside route to your isp. Then for the remote traffic you essentially need a default route on your inside network to point to your Firewall1 box. I'm not sure what the point of this is except for monitoring or controlling where people can get to on the net, but you may want to rethink this plan.
One way around this would be a Proxy Server. You can point all of your VPN Users to the Proxy Server and it will handle all Internet traffic for the VPN Users. Since the Proxy is on the inside, you will not have the problem with the PIX not allowing traffic out the same interface it came in on. The only other way would be to set up a separate NAT Pool for internet access at the remote site. That way any traffic to the other network would go through the tunnel, and internet traffic would use NAT.