Is a site to site VPN in this scenario possible?



We have 5-6 users who are operating out of another company's office,
and I want to create a site-to-site VPN tunnel from that location's
PIX 515 DMZ to the outside interface on our local PIX 515.  Is this
scenario possible?  Thanks for any and all replies.

Re: Is a site to site VPN in this scenario possible?



In your scenario I think that this is not going to work, because for an IPSec
tunnel the traffic should leave the source location's VPN firewall through its
outside interface and enter the destination location's VPN firewall through its
outside interface. So, in your case you have to set the VPN configuration
(crypto map) on the outside interfaces of both PIX boxes.
So, why don't you simply set the crypto map on the outside interfaces and then use
crypto ACLs to select the traffic for encapsulation, for example traffic sourced
from the DMZ LAN? This is how things should be done, at least AFAIK, on PIX.
On Cisco routers you can put the crypto map on a loopback interface and then
policy-route traffic from the DMZ to the loopback... this has some chance of working...
PIX doesn't support policy routing or loopback interfaces.
Or, if this is scalable and practical, configure remote access VPN on your PIX
and then connect the remote users with software VPN clients... Then you don't
have to worry about the PIX in the other company. They just have to let your
IPSec UDP packets pass through their PIX out to the Internet.

i



Re: Is a site to site VPN in this scenario possible?



We terminate VPNs on the outside and DMZ interfaces on PIX 515; there
is no restriction on that. It sounds, though, like you have the 5-6
hosts connected to the DMZ? If that is the case, you would terminate
the VPN on the 515 outside interface and pass the VPN traffic to the
DMZ and your hosts. On the "local" 515, you would terminate on the
outside. Some more detail would help, like IP ranges and where you
want the encrypted traffic to pass.
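Both replies describe the same design: bind the crypto map to the outside interface and let a crypto ACL pick out the DMZ LAN as the interesting traffic. Here is what that looks like on the PIX that sits in the other company's office, written in PIX 6.x syntax. This is an added example, not configuration posted by anyone in the thread; the interface name "dmz", the address ranges, the peer address, the pre-shared key and the object names are all assumptions. The local PIX gets the mirror image (swap source and destination in the ACLs, point the peer at this box's outside address).

```cisco
! Added example; not from the original thread. Assumed addressing:
!   DMZ LAN with the 5-6 hosts, behind this PIX:   192.168.10.0/24
!   LAN behind the local (home-office) PIX:        10.1.0.0/16
!   Outside address of the local PIX (IKE peer):   203.0.113.1

! Crypto ACL: traffic from the DMZ LAN to the home LAN is what gets encapsulated.
! The local PIX must carry the exact mirror of this ACL or phase 2 will not come up.
access-list vpn-to-home permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0

! Exempt the same traffic from NAT on the DMZ interface; otherwise the
! translated source address no longer matches the crypto ACL.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (dmz) 0 access-list nonat

! Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec

! Phase 1 (IKE) terminates on the outside interface, as both replies require.
isakmp enable outside
isakmp identity address
isakmp key ReplaceWithAStrongPreSharedKey address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec): one crypto map entry per peer, bound to the outside interface.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-to-home
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
```

Two practical checks once both ends are configured: `show crypto isakmp sa` should show an established phase 1 SA with the peer, and `show crypto ipsec sa` should show packet counters climbing for the vpn-to-home selector after a DMZ host sends traffic toward 10.1.0.0/16. If anything upstream of the other company's PIX filters traffic, it must pass UDP/500 and ESP (IP protocol 50); where a NAT device sits between the two outside interfaces, enable NAT traversal on both PIXes (`isakmp nat-traversal`, PIX 6.3 and later) and allow UDP/4500 instead of raw ESP. 3DES/SHA-1 with DH group 2 is what this platform generation offers; pick the strongest suite your firmware supports and keep the pre-shared key long and random, since it is the only thing authenticating the peer.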

RE: Is a site to site VPN in this scenario possible?
Let me add it's out of sight and dyn-o-mite and I learn to do this in technical terms. Can't recognize my own momma and I make a lot of money... seems we have gone through this before in the real world and waiting on this guy..

Sosolar  


