You can't do that. 10.1.1.254 is your inside interface on your PIX, and the only way to reach the inside interface IP on a 501 is by using a "management interface" VPN. A management interface VPN is an IPSec tunnel that is usable *only* to manage the PIX itself, so if you managed to get any other traffic forwarded to that IP, the traffic would be dropped.
For your purposes, is it good enough to have the PIX terminate the IPSec and PPTP tunnels (and let the traffic encapsulated in the tunnels travel unencrypted to whatever internal hosts), or are you trying to pass the traffic on to one or more hosts -inside- the 501?
If you are trying to pass the tunnels -through- the 501 then you need to be more specific about which IPSec protocols you are using.
- If you are using unencapsulated AH you will not be able to do what you want at all (because unencapsulated AH may not be NAT'd.)
- If you are using unencapsulated ESP then you need to establish a one-to-one static between another "outside" IP of the PIX (e.g., 192.168.1.3) and the internal host that the traffic is going to, and have the 805 route the ESP traffic to that internal IP by either using Policy Based Routing or a Policy Static.
- If you are using NAT Traversal (NAT-T) for IPSec traffic passing through the 501, then you do not need the one-to-one static mentioned above: you just need to forward UDP 4500 to the security endpoint.
- PPTP traffic, port 1723, can be forwarded through the PIX using static PAT (port address translation.) However, PPTP traffic also requires GRE, IP protocol 47, which cannot be PAT'd, so for PPTP you will need the one-to-one static described above.
Probably the easiest route is to use the one-to-one static on the PIX and have the 805 forward all the required traffic to that IP. I'm presuming here that the 805 is able to do policy based routing or policy static.
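An added configuration example for the NAT-T path described above, not taken from this thread or from either poster: the 805 forwards IKE (UDP 500) and NAT-T (UDP 4500) to the PIX outside address, and the PIX has NAT traversal enabled. Interface names, the 192.168.1.x addresses, PUBLIC_IP_2 and the PIX 6.3 isakmp syntax are assumptions.

```cisco
! ---- Cisco 805 in front of the PIX 501 (constructed example) ----
! Assumptions: Ethernet0 faces the PIX outside interface (192.168.1.2),
! Serial0 is the Internet link carrying the router's public address.
!
interface Ethernet0
 description LAN toward PIX 501 outside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Internet link
 ip nat outside
!
! Ordinary PAT for hosts going out; by itself it opens nothing inbound.
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! NAT-T path: IKE (UDP 500) and NAT-T encapsulated ESP (UDP 4500) are
! forwarded to the PIX. No ESP or GRE entry is needed here, because with
! NAT-T the ESP payload rides inside UDP 4500.
ip nat inside source static udp 192.168.1.2 500 interface Serial0 500
ip nat inside source static udp 192.168.1.2 4500 interface Serial0 4500
!
! Only if a one-to-one mapping is required instead (raw ESP, or PPTP,
! whose GRE cannot be PAT'd): this consumes a second public address.
! PUBLIC_IP_2 is a placeholder, not a real address.
! ip nat inside source static 192.168.1.3 PUBLIC_IP_2
!
! ---- PIX 501 side (PIX 6.3 syntax, assumed) ----
! Enable IKE on the outside interface and NAT traversal (keepalive 20 s),
! so the VPN client detects the 805's NAT and switches to UDP 4500.
! isakmp enable outside
! isakmp nat-traversal 20
```

Only the two explicit UDP statics reach the PIX from the Internet; everything else inbound on Serial0 is dropped by the overload entry, so the exposed surface is the PIX's IKE listener and nothing more.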
Thanks for the very fast reply. I'm not sure if the 805 can do the policy based routing. I'll have to find out. If I could do the NAT-T it would be great. Basically I need to get the Cisco VPN client to connect to the PIX through the 895. PPTP would be helpful, but not required. Any configuration example would be greatly appreciated.