site-to-site vpn and internet control

r.spiandorello
Level 1

Central site with PIX and remote sites with IPSec IOS, VPN over the Internet.

Could I configure a PIX to be both a central VPN peer for many remote sites (via the Internet) and a central controller for the remote sites' central Internet access?

In other words, remote sites should encrypt all the traffic to the remote central PIX, which controls Internet access.

Thanks

6 Replies

zletaief
Level 1

The PIX is not a router: it cannot route traffic from one interface to the interface itself; the anti-spoofing will not permit it. The solution is to do it with a router with an IPSec IOS firewall.

OK, with an IPSec IOS firewall router in the central zone, but as for NAT, how can I translate private IPs from the VPN tunnel to a public Internet IP?

Thanks

Any idea about private IP address NAT translation from the VPN tunnel to the Internet, when the VPN tunnel comes from the Internet?

Thanks

cbroomes
Level 1

Sounds like a hub-and-spoke configuration. See,

http://www.cisco.com/warp/public/110/pixhubspoke.html

Yes, it's a hub-and-spoke configuration, but in the hub zone we need to allow central Internet access for the spoke zone (no split-tunnel in spoke zones).

Thanks

I currently have a hub-and-spoke config. Four locations are private Frame; twelve locations have high-speed dedicated Internet connections. Our servers are at a colo site and remotes are in various locations around the globe. I am using IP/IP tunneling over the Internet from remote Internet sites to gain access to the colo. Remote sites use NAT for web access but travel over the tunnel for server access. Private Frame locations connect to the colo router, and the router passes traffic to local servers or to the PIX if the address isn't on our LAN. I hope this helps.