
New Member

routing traffic across pix to pix vpn

hi,

I have two PIXes configured and can pass traffic back and forth... however I am having trouble figuring out how to route all public traffic from site 2 across the VPN and out site 1's gateway... any advice?

Thanks

7 REPLIES
Green

Re: routing traffic across pix to pix vpn

So, at site 2 you want to force all traffic over the vpn to site 1. You then want to bounce off site 1 to go to the internet? Is this correct or did I misunderstand?

This is possible. At site 2, define your VPN interesting traffic and NAT exemption as "to any"; this will force all traffic over the tunnel. Then, as long as you are running PIX code 7.x, you can use public internet on a stick for site 2 internet access.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

New Member

Re: routing traffic across pix to pix vpn

Yep, that's what I am trying to do.. I'll take a look at the link you sent. Thanks!!

Green

Re: routing traffic across pix to pix vpn

Are you running PIX 7.x?

Please rate if it helped.

New Member

Re: routing traffic across pix to pix vpn

Just checked... no, we aren't... is there another way... or should I upgrade?

Also, to force the traffic on the site 2 PIX... is that done by creating an ACL such as

access-list NoNAT permit ip xxx

then

nat (inside) 0 access-list NoNAT

(Just grabbed those off a Cisco config example.)

Green

Re: routing traffic across pix to pix vpn

You cannot do ver 7.x on PIX 501, 506, 520.

Is there an existing VPN tunnel between the 2 PIXes?

Yes, that is the NAT exemption part; there would also be interesting traffic, something like

access-list 100 permit ip any

crypto map newmap 10 match address 100

New Member

Re: routing traffic across pix to pix vpn

Site 1 is a 515E..

Site 2 is a 501.

There is an existing site-to-site VPN via those two PIXes..

Green

Re: routing traffic across pix to pix vpn

Your 515E would probably require a memory upgrade to support 7.x. Needs at least 64M I believe. But, if you wanted to go this route, it would work. Only site 1 would require 7.x for public internet on a stick.

The reason I asked if you already had a tunnel is that you must already have your nat (inside) 0 statements etc.

What is the reason for needing site 2 internet to go out site 1?
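Putting the pieces from this thread together, here is an added example of what the two configurations look like end to end. This is illustrative config written for this page, not code from the thread or from Cisco's example document. The ACL names NoNAT and 100 and the crypto map name newmap come from the posts above; the addresses (192.168.2.0/24 behind site 2, 192.168.1.0/24 behind site 1, 203.0.113.1 as site 1's outside address, 198.51.100.1 as site 2's ISP next hop), the transform-set name and the pre-shared key placeholder are assumptions. The site 2 part uses 6.x syntax (the 501 cannot run 7.x); the site 1 part assumes 7.x and follows the "internet on a stick" pattern the thread refers to, so the hairpin NAT lines there should be checked against the linked Cisco example for your exact release.

```cisco
! ---- Site 2 (PIX 501, 6.x): send everything over the tunnel ----
! Assumed addressing (constructed for this example):
!   site 2 inside 192.168.2.0/24, site 2 ISP next hop 198.51.100.1
!   site 1 inside 192.168.1.0/24, site 1 outside     203.0.113.1
!
! NAT exemption "to any": nothing leaving the inside is translated
access-list NoNAT permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list NoNAT
!
! Crypto ACL "to any": every inside flow is interesting traffic, so it is encrypted
access-list 100 permit ip 192.168.2.0 255.255.255.0 any
!
! Default route still points at the local ISP; it is only used to reach the peer
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Phase 1 / Phase 2 (the pre-shared key is a placeholder)
isakmp enable outside
isakmp key <SHARED-SECRET> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 203.0.113.1
crypto map newmap 10 set transform-set ESP-3DES-SHA
crypto map newmap interface outside
sysopt connection permit-ipsec

! ---- Site 1 (PIX 515E, 7.x required for the hairpin) ----
! Allow traffic that arrived on outside (decrypted from the tunnel) to leave on outside again
same-security-traffic permit intra-interface
!
! Mirror image of site 2's crypto ACL
access-list 100 extended permit ip any 192.168.2.0 255.255.255.0
crypto map newmap 10 match address 100
!
! Site 1's own LAN still reaches site 2 untranslated
access-list NoNAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NoNAT
!
! Site 2's internet-bound flows are PATed to site 1's outside address on the way back out
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
```

Two things worth checking after applying this. First, because site 2's crypto ACL covers every destination, all of site 2's traffic (including DNS) now depends on the tunnel being up; `show crypto ipsec sa` on either end shows whether the 192.168.2.0/24-to-any SA is encrypting and decrypting packets. Second, the crypto ACLs must be exact mirrors (site 2: 192.168.2.0/24 to any, site 1: any to 192.168.2.0/24), or phase 2 will fail with a proxy identity mismatch.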
