how to set routing inside vpn tunnel (PIX)

Hello, I have the following problem:

remote site1----central------remote site2

The remote locations are connected by VPN to the central location. Now I need to set up communication between site1 and site2, but it must be realized inside the existing VPN tunnel (using ). In other words, how do I make the central device route packets from site1 to site2 and in reverse?

site1 --- pix 506 (10.6.0.0/24)
site2 --- pix 506 (10.100.0.0/24)
central --- pix 515 (10.0.0.0/16)

Dominik

Reply to
domino

The PIX itself can't do this, as it does not allow traffic from the same interface it was received on to be sent back out that same interface. The newer OS PIX 7.1 may have a fix for this, but I'm not sure. You may have to send that traffic back to a router at the central site and send it back to the pix. The other option is to use an IOS router and use route-maps and a loopback to get around this.

Brian

Reply to
response3

:> remote site1----central------remote site2
:
: The PIX itself can't do this, as it does not allow traffic from the
: same interface it was received on to be sent back out that same

From the diagram it does not look like he wants to pass traffic back on the same interface.

Static and ACL commands can make the PIX as transparent as you configure it to be.

Regards, Adam

Reply to
adamk

Hmmm, I didn't think about it. Today the remote locations are connected with the same interface, but I have one interface free in my central PIX, so is there anything against connecting that interface to the same subnet as the outside interface in use, giving it an IP number (I have free IP numbers too), setting appropriate routing and reconfiguring one of the VPN tunnels to use the additional interface? How about this idea? Regards, Dominik

Reply to
domino

Yes, the PIX won't allow this. It doesn't like two interfaces in the same network.

But as Brian said, PIX 7 and above is able to use one and the same interface for incoming and outgoing traffic.

Regards

fw

Reply to
Frank Winkler
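The PIX 7.x behaviour mentioned in the replies, sketched as an added configuration example that is not from any poster in this thread. It uses the subnets given in the question; the ACL names are hypothetical and stand for whatever crypto ACLs the existing `crypto map ... match address` lines already reference, and it assumes the central PIX 515 runs PIX OS 7.x while the spokes keep their current software.

```cisco
! ---- Central PIX 515 (PIX OS 7.x) ----
! Let IPsec traffic that arrived on an interface leave through the same
! interface, so decrypted site1 traffic can be re-encrypted toward site2.
same-security-traffic permit intra-interface

! Crypto ACL for the tunnel to site1 (hypothetical name VPN-SITE1):
! existing central -> site1 entry, plus site2 -> site1 for the relayed traffic.
access-list VPN-SITE1 extended permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.255.0
access-list VPN-SITE1 extended permit ip 10.100.0.0 255.255.255.0 10.6.0.0 255.255.255.0

! Crypto ACL for the tunnel to site2 (hypothetical name VPN-SITE2):
! existing central -> site2 entry, plus site1 -> site2.
access-list VPN-SITE2 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.255.0
access-list VPN-SITE2 extended permit ip 10.6.0.0 255.255.255.0 10.100.0.0 255.255.255.0

! ---- site1 PIX 506 ----
! Add the other spoke's network to the crypto ACL toward central
! (hypothetical name VPN-CENTRAL) so this traffic is sent into the tunnel.
access-list VPN-CENTRAL permit ip 10.6.0.0 255.255.255.0 10.100.0.0 255.255.255.0

! ---- site2 PIX 506 ----
! Mirror image of the site1 entry.
access-list VPN-CENTRAL permit ip 10.100.0.0 255.255.255.0 10.6.0.0 255.255.255.0

! Assumption: if a spoke exempts VPN traffic from NAT with
! "nat (inside) 0 access-list <name>", that ACL needs the same new entry.
```

Each crypto ACL entry on the central PIX must be mirrored on the matching spoke, otherwise the IPsec security associations for the spoke-to-spoke networks will not come up. Keeping the entries limited to the two /24 networks keeps the relayed traffic as narrow as the question requires.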
