Cisco Support Community

New Member

How to configure the PIX

Currently, I have configured two PIX 506 firewalls with site-to-site and remote access VPN. The configuration commands on one of the PIX firewalls are:

access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool pool1 192.168.1.200-192.168.1.254
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map peeroffice 10 ipsec-isakmp
crypto map peeroffice 10 match address 120
crypto map peeroffice 10 set peer 172.16.1.2
crypto map peeroffice 10 set transform-set myset
crypto map peeroffice 20 ipsec-isakmp dynamic dynmap
crypto map peeroffice interface outside
isakmp enable outside
isakmp key **** address 172.16.1.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup officevpn address-pool pool1
vpngroup officevpn dns-server 123.123.123.123
vpngroup officevpn idle-time 1800
vpngroup officevpn password *****

The problem that I have is this: if I use the remote access VPN to connect to one of the PIX firewalls, called PIX-A, can I then use this remote VPN connection to reach the other PIX firewall, called PIX-B, given that both firewalls are configured with a site-to-site VPN? Actually, I found that the current configurations do not support this, so I would like someone to give me advice on how to make this possible.

Thanks for your advice!
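One prerequisite for any such design, independent of the platform question raised in the replies, is that the site-to-site crypto ACL on each peer actually covers traffic between the remote-access pool and the far-side LAN. The script below is an added example, not part of this thread or of any Cisco tooling: it parses the relevant lines of the posted PIX-A configuration (embedded here as a constructed excerpt) and reports whether the address pool is covered by the crypto map's match ACL for a given remote network.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above: only the lines the
# check needs (crypto ACL, remote-access pool, crypto map match statement).
PIX_A_CONFIG = """
access-list 120 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool pool1 192.168.1.200-192.168.1.254
crypto map peeroffice 10 match address 120
"""

# PIX 6.x access-lists use real netmasks (not IOS-style wildcard masks).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")


def parse_config(text):
    """Return (acls, pools, crypto_acl_ids) from PIX 6.x-style config lines."""
    acls, pools, crypto_ids = {}, {}, set()
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := MATCH_RE.match(line):
            crypto_ids.add(m.group(1))
    return acls, pools, crypto_ids


def pool_covered_by_crypto_acl(text, remote_net):
    """True if every pool address, talking to remote_net, matches a crypto ACL entry."""
    acls, pools, crypto_ids = parse_config(text)
    remote = ipaddress.ip_network(remote_net)
    for first, last in pools.values():
        # summarize_address_range yields the minimal CIDR blocks covering the pool range
        for block in ipaddress.summarize_address_range(first, last):
            covered = any(block.subnet_of(src) and remote.subnet_of(dst)
                          for acl in crypto_ids for src, dst in acls.get(acl, []))
            if not covered:
                return False
    return True
```

For the posted configuration the pool is carved out of 192.168.1.0/24, so ACL 120 already covers it toward 192.168.2.0/24; a pool taken from a separate range would need its own ACL entry, and PIX-B's mirror-image crypto ACL must cover the pool as well.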

2 REPLIES
Silver

Re: How to configure the PIX

I don't think you will be able to do this - the PIX does not allow traffic to leave on an interface it came in on:

You are home.

You VPN connect to PIX A.

If you were to ping a machine on network B, it would go through your remote connect tunnel to PIX A on its outside interface, and back out its outside interface via the point-to-point tunnel to PIX B.

Currently, PIX OS does not support this. This is allegedly a feature that will be included in the next major version of the OS.

New Member

Re: How to configure the PIX

True, PIX is only a one-way street and does not allow you to do this; however, this can be achieved if you have a perimeter router on both of the sites.

I know it's a bummer, but that's how PIX is designed. I tried to do this but just couldn't.
