how to set routing inside vpn tunnel (PIX)

Hello,
I have the following problem:


remote site1----central------remote site2

The remote locations are connected by VPN to the central location.
Now I need to set up communication between site1 and site2, but it must be
realized inside the existing vpn tunnel (using ),
in other words: how to make the central device route packets from site1 to
site2 and in reverse?


site1 -- pix 506 (10.6.0.0/24)
site2 -- pix 506 (10.100.0.0/24)
central -- pix 515 (10.0.0.0/16)


Dominik



Re: how to set routing inside vpn tunnel (PIX)

The PIX itself can't do this, as it does not allow traffic from the
same interface it was received on to be sent back out that same
interface.  The newer OS PIX 7.1 may have a fix for this, but I'm not
sure.  You may have to send that traffic back to a router at the
central site and send it back to the pix.  The other option is to use
an IOS router and use route-maps and a loopback to get around this.

Brian


Re: how to set routing inside vpn tunnel (PIX)
On Oct 3, 2007 17:19 (-0700) response3 wrote:

:> remote site1----central------remote site2
:>
:
:The PIX itself can't do this, as it does not allow traffic from the
:same interface it was received on to be sent back out that same
:

from the diagram it does not look like he wants to pass traffic back on
the same interface.

static and acl commands can make the pix transparent as much as you
configure it to be.

regards
Adam

Re: how to set routing inside vpn tunnel (PIX)



Hmmm,
I didn't think about it.
Today the remote locations are connected through the same interface, but
I have one interface free in my central pix, so is there anything against
connecting that interface to the same subnet as the used outside interface, giving
it an IP number (I have free IP numbers too), setting appropriate routing and
reconfiguring one of the vpn tunnels to use the additional interface? How
about this idea?
regards
Dominik



Re: how to set routing inside vpn tunnel (PIX)
domino wrote:

  >I have one interface free in my central pix, so is there anything against to
  >connect the interface to the same subnet as the used outside interface, give
Yes, the PIX won't allow this. It doesn't like two interfaces in the same
network.

But as Brian said, PIX 7 and above is able to use one and the same
interface for incoming and outgoing traffic.

Regards

    fw
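
A sketch of the hub-and-spoke setup the replies point to for PIX OS 7.x on the central 515, added here as an example and not taken from any poster's configuration. The ACL names, the crypto map name `OUTSIDE_MAP` and its sequence numbers are assumptions; the existing tunnel entries (peers, transform sets, keys) are assumed to be working already and are not shown. Lines starting with `!` are annotations.

```cisco
! Central PIX 515, PIX OS 7.x (constructed fragment)
! Let traffic that arrives on an interface leave through the same interface,
! which is what spoke-to-spoke traffic through one outside interface needs.
same-security-traffic permit intra-interface

! Tunnel to site1: protect the central LAN and site2 as sources
access-list VPN_SITE1 extended permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.255.0
access-list VPN_SITE1 extended permit ip 10.100.0.0 255.255.255.0 10.6.0.0 255.255.255.0

! Tunnel to site2: protect the central LAN and site1 as sources
access-list VPN_SITE2 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list VPN_SITE2 extended permit ip 10.6.0.0 255.255.255.0 10.100.0.0 255.255.255.0

crypto map OUTSIDE_MAP 10 match address VPN_SITE1
crypto map OUTSIDE_MAP 20 match address VPN_SITE2

! site1 PIX 506 (6.x syntax, no "extended" keyword)
! Send traffic for site2 into the existing tunnel to central
access-list VPN_CENTRAL permit ip 10.6.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPN_CENTRAL permit ip 10.6.0.0 255.255.255.0 10.100.0.0 255.255.255.0
! Exempt the same flows from NAT
access-list NONAT permit ip 10.6.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list NONAT permit ip 10.6.0.0 255.255.255.0 10.100.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address VPN_CENTRAL

! site2 PIX 506 (6.x syntax): mirror image of site1
access-list VPN_CENTRAL permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list VPN_CENTRAL permit ip 10.100.0.0 255.255.255.0 10.6.0.0 255.255.255.0
access-list NONAT permit ip 10.100.0.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list NONAT permit ip 10.100.0.0 255.255.255.0 10.6.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address VPN_CENTRAL
```

The crypto ACL at each end has to be the exact mirror of the one at the other end of that tunnel, otherwise the IPsec security associations for the site1-to-site2 networks will not come up. Spoke-to-spoke traffic is decrypted and re-encrypted on the central PIX, so it is visible in clear text there.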

