Bypassing ingoing-outgoing limit interface.

Hi all,

I would like to permit traffic incoming from a VPN towards another IPsec tunnel. The traffic between those 2 remote sites is quite vital. So I thought to add another interface where to terminate one of the tunnels. My doubts are about the two interfaces having 2 different IP addresses of the same subnet our provider supplied to us.

Do you think there is any kind of implication or problem in doing that?

Thanks,

Alex.

AM

In article , AM wrote:
:I would permit traffic incoming from a VPN towards another IPsec tunnel.
:So I thought to add use another interface where to terminate one of the tunnels.

Which platform is this for? 3/4 of your questions are about PIX, but the other quarter are about your routers, so we cannot make any assumptions about your needs when you do not say the devices involved.

Walter Roberson

Sorry Walter :), you are correct. The question is about PIX, which has this limit. We want the traffic between two remote sites connected via VPNs (terminated on our PIX) to flow without any problem. So my idea was, and is, to use another physical interface, but giving it an IP from the same subnet of the IP range which the other IP (where we terminated all the VPNs) belongs to.

Do you think there will be problems doing this? Consider that we want to "attach" that network to ours as an extension of our own, and PCs of that network ought to be able to go any place we go, remote sites through VPNs as well.

Thanks, Alex.

AM

In article , AM wrote:
:The question is about PIX which has this limit.
:We want the traffic between two remotes sites connected via VPNs (terminated to our PIX) to flow without any problem.
:so my idea was,k and is, to use another physical interface but giving it an IP of the same subnet of IP range which the
:other IP (where we terminated all the VPN) belongs to.

:Do you think there will be problems doing this?

In PIX 6, this cannot be done -- each [logical] interface must be in a different subnet. PIX 7.0, for the 515/515E, 525, and 535 might remove this limit -- it introduces major changes in the handling of interfaces. 7.0 will be available any day/week now (but wasn't available for download as of late last week.)

[Note: I would hesitate to trust "highly important" data flows to the -first- edition of any major rewrite of software!]

Perhaps due to the long hours I've been putting in lately, I have not grasped why you are considering two interfaces. Could you expand on (or re-explain) that part?

Walter Roberson
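The PIX 6 rule Walter describes (every interface must sit in a different subnet) is easy to violate when two interfaces are carved out of one provider block, which is exactly what Alex is proposing. The following is an added example, not code from this thread or from Cisco: a small checker that parses PIX-style "ip address <interface> <ip> <mask>" lines and reports any pair of interfaces whose networks overlap. The configuration lines and the addresses in it are constructed sample data (documentation ranges), and the interface names "vpn1" and "vpn2" are assumptions for the two proposed VPN-terminating interfaces.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample configuration (PIX 6 "ip address" syntax). The two VPN
# interfaces deliberately share one /24 from the second provider, which is the
# situation the thread is asking about; "vpn1"/"vpn2" are assumed names.
SAMPLE_CONFIG = """
ip address outside 203.0.113.10 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz1 10.1.1.1 255.255.255.0
ip address vpn1 198.51.100.3 255.255.255.0
ip address vpn2 198.51.100.4 255.255.255.0
"""

IP_ADDRESS_RE = re.compile(r"^\s*ip address (\S+) (\S+) (\S+)\s*$")


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each interface name to its address/mask; non-matching lines are skipped."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    for line in config.splitlines():
        m = IP_ADDRESS_RE.match(line)
        if not m:
            continue
        name, ip, mask = m.groups()
        # IPv4Interface accepts a dotted-decimal netmask after the slash.
        ifaces[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces


def overlapping_interfaces(
    ifaces: Dict[str, ipaddress.IPv4Interface],
) -> List[Tuple[str, str]]:
    """Return every pair of interfaces whose subnets overlap (PIX 6 rejects these)."""
    names = sorted(ifaces)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                clashes.append((a, b))
    return clashes


def report(config: str) -> str:
    """Human-readable verdict for a configuration snippet."""
    clashes = overlapping_interfaces(parse_interfaces(config))
    if not clashes:
        return "OK: all interfaces are in distinct subnets"
    lines = ["Subnet overlap (not allowed on PIX 6):"]
    for a, b in clashes:
        lines.append(f"  {a} and {b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Running it on the sample flags vpn1 and vpn2; moving the second VPN interface into a different block (for example a separate address from the first provider, as Walter suggests) makes the report come back clean. The same parser can be pointed at the output of "show ip address" before a change is applied.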


As version 7.0 is still not available and my boss won't allow me (if not really needed) to upgrade the IOS (Finesse), as it's working fine, and as we have 2 unused interfaces, I posted my question to allow traffic between two VPN tunnels using the existing interface used as the VPN endpoint and the new one for the other half of the company network. I would wait for the latest version of the Finesse just to be sure there aren't bugs or announced caveats.

Alex.

AM

In article , AM wrote:
:As the version 7.0 is not still available and my boss won't allow me (if not really needed) to
:upgrade th IOS (Finesse) as it's working fine and as we have 2 unused interfaces I posted my
:question to allow traffic between two VPN tunnels using the existing one used as VPN points and the
:new one for the other half of company network.

Ah, do I understand correctly then that this is a hub/spoke issue? That you want to relay between two VPN spokes using a single PIX at the hub?

If so, and if you are not able to beg, borrow, or steal an IP in a different public IP subnet, then you can work it like this:

                                     ____
{internet} ------> main outside IP-->|PIX|inside IP ----> switch ---> LAN
                                     ^ | |
                                     | v |
{internet} ----> another public IP-^   | |dmz IP

Walter Roberson


I'm not sure I understand what you mean, but anyway this is the correct scenario.

                                               -----
------outside---- 1st provider ----------------|   |-----inside
                                               |   |
--official VPN endpoint 4 our customers 1)-----|   |--- DMZ1
                                               |   |
-VPN coming from 2nd half of company net 2)----|   |--- DMZ2
                                               -----

Outside has an IP from one provider. Don't care about outside and the named DMZ interfaces. Interfaces 1) and 2) will have 2 IPs of the same IP range, from a provider different from the outside one.

As PIX doesn't permit traffic coming from and going to the same interface, regarding only the VPN, it is expected to work fine, but my doubts were about using IPs belonging to the same IP pool but applied to different interfaces. Perhaps my doubts should be cut off by the imperative "Is the traffic flowing through different interfaces? - Y... es - OK, don't worry, it will work!". I only want to be sure all aspects are considered without leaving anything out.

Thanks,

Alex.

AM

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.