
Routing problem

logintck
Level 1

US servers<->US PIX<==>HK PIX<->HK servers

We have already established VPN tunnels successfully. The PING test is OK.

If I add a server (DMZ server) which is outside the HK PIX, do US servers access DMZ servers?

If yes, how?

Thanks


Vikas Saxena
Cisco Employee

Hello,

Is this really a DMZ, or is the server just sitting on the outside interface?

If this is really a DMZ, that would mean three legs in the HK PIX. US servers will be able to access the DMZ.

If the server is sitting on the outside interface of the PIX, normally it will not be possible.

There could be a workaround in that case.

                      X
USPIX----internet-----|----HKPIX
                    Server

Suppose the device X is a router: you can create a VLAN on the outside interface and terminate it on the router X. Now you will have one virtual and one physical interface on your PIX, one going to the internet and one going to the X, which is connected to the server. This way you can circumvent the redirection problem/feature/bug/security measure in PIX, and US servers will be able to access the server in HK.

Vikas

My DMZ server is sitting on the outside interface of the PIX normally (actually on the outside interface of the PIX).

If I add routing in the PIX, can that fix the problem?

Hello,

No, routing will not solve this problem, because the PIX won't let the packet out the same interface from which it came in. In your case the request to access the server will come through the tunnel on the outside interface, will get decrypted on the outside interface, and will try to go out the same way it came in.

Vikas