
VPN client to create second tunnel

Here is how my network is set up.

PIX 515 (the configuration I sent you is for this PIX)

PIX has 3 interfaces:
outside
inside - 10.1.0.0/22, 10.10.10.0/24, 10.10.20.0/24
dmz - 192.168.0.0

I have VPN clients to which this PIX assigns an IP when they connect to it - 172.17.0.0/24

Site-to-site connections:

PIX 515 is connected to an IOS router (VPN tunnel) - network on that site: 10.2.2.0/24
PIX 515 is connected to another PIX 506 (VPN tunnel) - 10.3.3.0/24
PIX 515 is connected to a NetScreen (VPN tunnel) - 10.0.202.0/24

Now from the PIX 515 I cannot ping any of the remote site networks 10.0.202.0, 10.2.2.0, 10.3.3.0.
I can ping my inside and DMZ networks from the PIX.
From my inside and DMZ interfaces I can ping the remote site networks 10.0.202.0, 10.2.2.0, 10.3.3.0.

My original problem is: when a VPN client connects and receives a 172.17.0.0 IP from the PIX 515, he can access the
inside - 10.1.0.0/22, 10.10.10.0/24, 10.10.20.0/24
dmz - 192.168.0.0
networks with no problem, but cannot access the remote site networks 10.0.202.0, 10.2.2.0, 10.3.3.0.

Is there a way my VPN clients who are terminating on the PIX 515 can see the other tunnel networks?


Re: VPN client to create second tunnel

Hi,

Cisco says this won't do. Incoming and outgoing traffic is not possible on the same interface of the PIX firewall due to the firewall policy.

But there is a trick. Adding a static and a route for the remote networks overrides that firewall behaviour. But in doing this you should be aware of security issues. For security reasons you should then have a router with an access-list in front of the PIX that denies all traffic to the 10.... nets coming in from the Internet.

This is the only way I know to run a PIX in hub-and-spoke VPNs.

Ulrich
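The edge-router access-list recommended in the reply above, written out as an added example (not configuration from the thread or from the poster's network). It assumes an IOS router whose Internet-facing interface is Serial0/0, a PIX outside address of 203.0.113.2, and site-to-site peers at 198.51.100.10 (IOS router), 198.51.100.20 (PIX 506) and 198.51.100.30 (NetScreen); all of these addresses and the ACL name are placeholders. The point of the ordering is that tunnelled traffic bound for 10.x arrives from the Internet as ESP addressed to the PIX outside address and is permitted, while cleartext packets addressed to (or sourced from) the private ranges are dropped before they reach the PIX.

```cisco
! Edge router in front of the PIX 515 (added example, placeholder addresses).
ip access-list extended FROM-INTERNET
 remark --- site-to-site peers: IKE (UDP/500), NAT-T (UDP/4500) and ESP to the PIX outside
 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.2 eq 4500
 permit esp host 198.51.100.10 host 203.0.113.2
 permit udp host 198.51.100.20 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.2 eq 4500
 permit esp host 198.51.100.20 host 203.0.113.2
 permit udp host 198.51.100.30 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.30 host 203.0.113.2 eq 4500
 permit esp host 198.51.100.30 host 203.0.113.2
 remark --- remote-access VPN clients (172.17.0.0/24 pool) can come from anywhere
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq 4500
 permit esp any host 203.0.113.2
 remark --- cleartext packets addressed to the private nets behind or through the PIX: drop and log
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark --- spoofed private source addresses arriving from the Internet side: drop and log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark --- whatever else is published on the PIX outside address is the PIX's own policy to filter
 permit ip any host 203.0.113.2
 deny   ip any any
!
interface Serial0/0
 ip access-group FROM-INTERNET in
```

Verify the result with `show access-list FROM-INTERNET` after a VPN client connects and a spoke tunnel rekeys: the ESP and UDP/500 counters should increment, and the `deny ... 10.0.0.0` lines should stay at zero unless someone really is sending cleartext packets at the private ranges. A caveat for anyone applying this on later software rather than the PIX 6.x the thread is about: on PIX 7.0 and ASA the client-to-spoke traffic enters and leaves the same outside interface and is only forwarded once `same-security-traffic permit intra-interface` is configured and the 172.17.0.0/24 pool is included in the site-to-site crypto access-lists on both ends of each tunnel; PIX 6.x has no equivalent command, which is the restriction the reply refers to.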


Re: VPN client to create second tunnel

Sounds like an idea... thanks... I have a router in front of my PIX, so I can place an access-list on it.

I will try this.

Ulrich, can I have your email address?
