Is a site to site VPN in this scenario possible?

We have 5-6 users who are operating out of another company's office, and I want to create a site-to-site VPN tunnel from that location's PIX 515 DMZ to the outside interface on our local PIX 515. Is this scenario possible? Thanks for any and all replies.

tical

In your scenario I think that this is not going to work, because for an IPSec tunnel, traffic should leave the source location's VPN firewall through its outside interface and enter the destination location's VPN firewall through its outside interface. So, in your case you have to set the VPN configuration (crypto map) on the outside interfaces on both PIX boxes. So, why don't you simply set the crypto map on the outside interfaces and then use crypto ACLs to select traffic for encapsulation, for example traffic sourced from the DMZ LAN? This is how things should be done, at least AFAIK, on PIX. On Cisco routers you can put the crypto map on a loopback interface and then policy route traffic from the DMZ to the loopback... this has some chance to work... PIX doesn't support policy routing or loopback interfaces. Or, if this is scalable and practical, configure remote access VPN on your PIX and then connect the remote users with software VPN clients... Then you don't have to worry about the PIX in the other company. They just have to let your IPSec UDP packets pass through their PIX out to the Internet.

Igor Mamuzic aka Pseto

We terminate VPNs on the outside and DMZ interfaces on PIX 515, there is no restriction on that. It sounds though like you have the 5-6 hosts connected to the DMZ? If that is the case, you would terminate the VPN on the 515 outside interface and pass the VPN traffic to the DMZ and your hosts. On the "local" 515, you would terminate on the outside. Some more detail would help like IP ranges and where you want the encrypted traffic to pass.

Shawn Westerhoff
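What Igor and Shawn describe, written out as a PIX 6.3-style configuration for both ends (crypto map bound to the outside interface on each PIX, crypto ACL selecting only the DMZ subnet behind the other company's PIX and our inside subnet). This is an added example, not configuration posted by anyone in the thread; the peer addresses (203.0.113.1 / 198.51.100.1), subnets, interface name "dmz", ACL and map names are assumptions, and the pre-shared key is a placeholder.

```text
: ---- Our PIX 515: outside 203.0.113.1, users' subnet 10.10.10.0/24 on "inside" ----
: crypto ACL: only this host pair is encrypted; everything else stays clear/NAT'd
access-list to-remote-dmz permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
: exempt tunnel traffic from NAT so the remote DMZ hosts see real addresses
nat (inside) 0 access-list to-remote-dmz
: allow decrypted tunnel traffic in without a matching outside ACL entry
sysopt connection permit-ipsec
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ts-3des-sha esp-3des esp-sha-hmac
crypto map s2s 10 ipsec-isakmp
crypto map s2s 10 match address to-remote-dmz
crypto map s2s 10 set peer 198.51.100.1
crypto map s2s 10 set transform-set ts-3des-sha
: the map lives on outside, even though the interesting traffic is inside/DMZ
crypto map s2s interface outside

: ---- Other company's PIX 515: outside 198.51.100.1, our users on "dmz" 192.168.50.0/24 ----
: mirror image: source is their DMZ subnet, peer is our outside address
access-list to-partner-lan permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list to-partner-lan
sysopt connection permit-ipsec
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ts-3des-sha esp-3des esp-sha-hmac
crypto map s2s 10 ipsec-isakmp
crypto map s2s 10 match address to-partner-lan
crypto map s2s 10 set peer 203.0.113.1
crypto map s2s 10 set transform-set ts-3des-sha
crypto map s2s interface outside
```

The two crypto ACLs must be exact mirrors of each other or phase 2 will fail; keeping them narrow (the two subnets only) is also what stops the tunnel from carrying anything beyond the 5-6 users' traffic.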

Let me add it's out of sight and dyn-o-mite and I learn to do this in technical terms. Can't recognize my own momma and I make a lot of money... seems we have gone through this before in the real world and waiting on this guy...

Sosolar

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.