
Pix VPN Routing

I have a question... I'm pretty sure this isn't even possible, but I thought I'd get more opinions.

We need to do some routing on our WAN. Here is our current setup:

We have 3 locations. Each has a T1 coming into a router that is owned and operated by our ISP. The router is plugged into a Pix 515E and our LANs are behind the firewall. Publicly we have a /27 subnet for each location as well.

I have VPNs created between all 3 firewalls for WAN connectivity.

Now here is a similar scenario to what I need to do. At one location we have a webserver. There is an access list on the firewall at that location to allow tcp 80 access to it from any host on the outside. I also want to set up a public address at another location for this web server. Traffic would go to the remote firewall and then be routed over the VPN to the web server and back again. Is this possible?

As I said, this isn't the actual scenario. This one doesn't make much sense, but the routing problem is the same.

I'd appreciate anyone's insight.



Re: Pix VPN Routing

How about giving the actual scenario using more generic terms and situations? What you seek can probably be accomplished, but it will probably require you to use an additional interface (even if only logical) on the firewalls to create a logical full mesh configuration.

Do you have a router behind the firewalls? Is your WAN really just a VPN over the Internet?


Re: Pix VPN Routing

Actual scenario is this:

We have 2 T1s coming into one location (I'll call it location "one"). One goes to the Internet used for all Internet access and WAN (VPN) traffic. 2nd T1 is a private line going to our ASP (ERP system is outsourced). All ERP application traffic goes over this T1. Other two locations access ERP directly over the Internet (https).

For ERP reports to print automatically, they need to be sent directly to the printers. No problem in location "one". Print jobs are sent over the private line. Problem in the other two locations is print jobs would be sent in clear text over the Internet. We would like the print jobs to come over the private line to location "one" and then route the jobs to the printers in the other two locations.

Here's a bit more information on network setup:

Location "one" has a router for each T1 coming in (both ISP property). The two routers and the firewall's outside interface plug into a switch. ASP traffic is routed on the firewall using a ROUTE command.

We have no routers on the inside of the firewall. Just one subnet per location. Small networks.
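The following configuration fragment is an added illustration of the "additional interface" approach the first reply suggests, written for the print-job scenario described above; it is not configuration from this thread or from Cisco. Everything in it is assumed: PIX 6.x syntax, RFC 5737 documentation addresses for the public /27s and the ASP line, 10.1.0.0/24 as location "one"'s LAN, 10.2.0.0/24 as location "two"'s LAN (where the printers are), 198.51.100.0/24 as the ASP's source network, and that the ASP router is re-cabled from the outside switch onto a third PIX interface named "asp". Only location "two" is shown; the third location would repeat the same pattern with its own subnet.

```cisco
! ===== Location "one" PIX (hypothetical addressing, PIX 6.x syntax) =====
! The ASP private-line router is moved onto its own interface so that
! ASP-to-printer packets enter on "asp" and leave on "outside" inside the
! IPsec tunnel. A PIX 6.x will not send a packet back out the interface
! it arrived on, so leaving the ASP router on the outside segment would
! not work for this traffic.
nameif ethernet2 asp security50
ip address outside 203.0.113.2 255.255.255.224
ip address inside 10.1.0.1 255.255.255.0
ip address asp 192.0.2.1 255.255.255.252

! Default route to the Internet router; ASP network reachable via the ASP router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route asp 198.51.100.0 255.255.255.0 192.0.2.2 1

! Only print protocols from the ASP are accepted on the asp interface
! (LPD on tcp/515 and raw printing on tcp/9100, assumed for this example)
access-list asp_in permit tcp 198.51.100.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 515
access-list asp_in permit tcp 198.51.100.0 255.255.255.0 10.2.0.0 255.255.255.0 eq 9100
access-group asp_in in interface asp

! NAT exemption for everything that rides the tunnel, per source interface
access-list inside_nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list asp_nonat permit ip 198.51.100.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
nat (asp) 0 access-list asp_nonat

! Crypto ACL (interesting traffic) to location "two": the existing LAN-to-LAN
! entry plus a second entry for the ASP network
access-list vpn_one_two permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn_one_two permit ip 198.51.100.0 255.255.255.0 10.2.0.0 255.255.255.0

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_one_two
crypto map outside_map 20 set peer 203.0.113.34
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
sysopt connection permit-ipsec

! ===== Location "two" PIX =====
! The crypto ACL and NAT exemption must be the exact mirror image of the
! entries at location "one", otherwise phase 2 negotiation for the ASP
! network fails and print jobs are silently dropped.
access-list vpn_two_one permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn_two_one permit ip 10.2.0.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list inside_nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside_nonat permit ip 10.2.0.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list inside_nonat
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_two_one
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
sysopt connection permit-ipsec
```

Two things to check after applying something like this: the ASP side must have a return route for 10.2.0.0/24 (and the third location's subnet) pointing down the private line, or reply packets from the printers never reach the ERP host; and `show crypto ipsec sa` on both firewalls should show a separate security association whose local/remote identities are the ASP network and the printer subnet, which is the quickest way to confirm the two crypto ACLs really mirror each other. On PIX 7.0 and later the same result can be had without the extra interface by enabling `same-security-traffic permit intra-interface`, but on 6.x the dedicated interface is the only option.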