(Note: This message was posted as part of the "Ask the Expert" Event on configuring Cisco IPSec VPNs that took place December 11 - December 21. Feel free to respond to or form discussions around this question.)
Posted by: rspiandorello SPIANDORELLO
I'd like to know if I can have problems building a VPN between PIX firewalls that don't use the Internet connection on the outside interface for the VPN channel, but instead use a backbone with routers placed on their DMZ interfaces for the VPN channel.
I'm not very clear on your topology, but I can tell you that IP in a private network functions identically to IP in a public network. In fact it actually functions better because you have more control over a private network. I think with current PIX code you can terminate your tunnels on the perimeter interfaces, but you can definitely tunnel through it and terminate on other devices as well. How many interfaces do you have up on the PIX? Where are the tunnels terminating?
I think that topology looks fine. You should be able to terminate your VPNs through the perimeter interfaces on the respective PIXs as long as you are running current code. I'd check to see what version you have, because some of the earlier ones don't have perimeter support. Let me know if this helps you out.
It really does not matter whether you set up the VPN through the public network (Internet) or by any other means. The media in between is just transport media. As long as you have an "IP environment" you can build a PIX-to-PIX VPN.
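Worked example, added by the editor rather than taken from any reply in this thread: a PIX 6.x-style site-to-site configuration for one side of the topology the question describes, where the tunnel terminates on the DMZ ("perimeter") interface and the peer is reached across the private backbone instead of the outside interface. All interface names, networks, peer addresses and the map/ACL names are hypothetical, and the pre-shared key is a placeholder. The `!` lines are explanatory comments and should be omitted when pasting; whether a crypto map can be applied to a non-outside interface depends on the PIX release, so confirm with `show version` first, as the replies above suggest.

```text
! Site A PIX (hypothetical): inside 192.168.1.0/24, dmz 10.1.1.0/24
! Remote site B PIX terminates its tunnel on 10.2.2.1 (its own dmz address)
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.1.1.1 255.255.255.0

! The peer lives behind the backbone router on the dmz segment, so the
! route to it must point out the dmz interface, not follow the outside default
route dmz 10.2.2.0 255.255.255.0 10.1.1.254 1

! Interesting traffic for the tunnel, also used to exempt it from NAT
access-list vpn-to-siteb permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list vpn-to-siteb

! Phase 1 (ISAKMP) is enabled on the dmz interface rather than outside
isakmp enable dmz
isakmp identity address
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 10.2.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): crypto map bound to the dmz interface
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map backbone-map 10 ipsec-isakmp
crypto map backbone-map 10 match address vpn-to-siteb
crypto map backbone-map 10 set peer 10.2.2.1
crypto map backbone-map 10 set transform-set strong
crypto map backbone-map interface dmz

! Allow decrypted tunnel traffic to bypass interface ACL checks
sysopt connection permit-ipsec
```

Site B mirrors this with the networks and peer address swapped. The two points that differ from the usual outside-terminated design are the `route dmz ...` entry (IKE and ESP to the peer must leave via the dmz interface) and `isakmp enable dmz` plus `crypto map ... interface dmz` (the PIX only negotiates on interfaces where ISAKMP is enabled and a crypto map is bound). The backbone routers in between must pass UDP/500 and ESP (IP protocol 50) between the two dmz addresses; they otherwise see only encrypted traffic, which is the same posture you would have over the Internet.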