I have a PIX 525 which serves as the main firewall for the company I work for. The connection we have to our ISP is currently a T1, provided by a 2821 router. Eth0 on the 2821 goes to a switch, which is where we also connect Eth0 of the PIX for internet connectivity.
We have had another T1 installed from a different ISP (i.e. we're not bonding them), and I'd like to use this bandwidth provided for some site-to-site VPNs. That is, I want most of our traffic to go through the 1st T1, but some site-to-site VPNs to use the 2nd T1. Trouble is, I'm not sure how to do this. The PIX 525 has Eth0 (outside) and Eth1 (inside) interfaces, as well as four additional interfaces (Eth2- Eth5). Eth4 is currently free, and that's the IP I'd like to use for the site-to-site VPNs.
I suppose my question boils down to a question of routing. I want to maintain the default route (the 1st T1), and use the 2nd T1 *only* for the site-to-site VPNs. So can I just do this?
ip address Eth4 72.45.x.194 255.255.255.248
route Eth4 72.45.x.194 255.255.255.248 72.45.165.193
Obviously, 72.45.x.194 is my ISP-assigned IP address and 72.45.165.193 is my ISP-assigned gateway IP address. Do I need to add this route, or not? My big concern is that I do NOT want "regular" network traffic to go out of that interface, I only site-to-site VPNs that I provide a "site-vpn set peer" address to use this interface.
Does my question make sense? And if so, can it be done? This is running PIX OS 6.3(5).
Yes, of course...do a simple host route for the VPN pointing to the second ISP and that specific interface. Your route statement is unneeded; the Pix will know automatically what interfaces are connected. You need a host route on the Pix for the VPN peer "route Eth4 host X.X.X.X 72.45.165.193" (the X.X's being the VPN peer). As long as it is a P2P tunnel and not for dynamic VPNs. Neither the Pix nor the ASA has policy routing abilities.
I'm a little confused by this discussion. I plan on having two sets of VPN traffic connecting to my PIX 525. Specifically, I would like clients using Cisco's software VPN Client to connect to the VPN through the Eth0 interface (64.223.x.9); and then site-to-site VPNs (using PIX 501s) connect to PIX 525 via the Eth4 interface (72.45.x.194).
Could you please clarify for me whether or not this is possible?
Do I need to add a "global" command? Once I had configured what I thought was necessary, the VPN tunnel came up (as evidenced by the LED on the front of the 501) but no traffic would pass through the link. "show logging" on the 525 indicated that there was no translation in place for the selected protocol...
Chris
Most likely a nat 0 is needed for the interface pointing to the nonat access-list. Can't help you much more than that without the config.
I have added a "nat 1" command (I'm already using nat 0 for something else, perhaps that's my problem?) but I still seem to have the same problem. The tunnel is up (even a "show crypto isakmp sa" says that it is), but I can't pass traffic over it. Any thoughts? "show logging" on the 525 produced this error:
305005: No translation group found for icmp src twc:172.20.13.1 dst inside:172.16.1.133 (type 8, code 0)
172.16.1.133 is a machine on the local (local to the 525) LAN,
172.20.13.1 is the IP address of the client at the remote site.
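Added example (not posted by anyone in this thread, and not the OP's actual config): a PIX 6.3 fragment that covers both the host route suggested earlier and the NAT exemption behind the 305005 message. It assumes Eth4 carries the nameif "twc" (taken from the log line), that the local and remote LANs are 172.16.1.0/24 and 172.20.13.0/24, and that the existing nat 0 list is called "nonat"; PEER_IP and the crypto map name are placeholders.

```cisco
! Assumed from "src twc:" in the log: Eth4 is the low-security interface "twc"
nameif ethernet4 twc security10
ip address twc 72.45.x.194 255.255.255.248
! Host route to the 501's public address via the second ISP (PEER_IP is a placeholder).
! The default route out Eth0 is left untouched, so ordinary traffic still uses the first T1.
route twc PEER_IP 255.255.255.255 72.45.165.193 1
! The protected remote LAN must also route out twc: the crypto map is evaluated on the
! egress interface, so clear-text packets that follow the default route to Eth0 are never
! encrypted (assumed /24 for the remote LAN)
route twc 172.20.13.0 255.255.255.0 72.45.165.193 1
! 305005 "No translation group found" means no nat/static matched the inside host.
! A "nat (inside) 1" would PAT the tunnel traffic; exempt it instead. Only one
! "nat (inside) 0 access-list" is allowed per interface, so extend the existing
! list rather than adding a second nat 0 command (assumed local LAN /24).
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.20.13.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted IPsec traffic bypass the interface access lists
sysopt connection permit-ipsec
! ISAKMP and the crypto map belong on twc, not on outside, for this tunnel
isakmp enable twc
crypto map VPNMAP interface twc
```

With the exemption in place, "show logging" should stop reporting 305005 for the 172.16.1.x to 172.20.13.x pair, and "show crypto ipsec sa" on twc should show encaps/decaps counters incrementing.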
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.