PIX 501 ipsec and VLANs

We're moving our wireless stuff, among other things, to a VLAN separate from the wired workstations. Routing and access is processed on the 6509 with the FWSM.

We also have remote offices (PIX 501s) connected via IPsec to a PIX 520 dedicated to this task. My question is, is there a way to pass 802.1Q tagged packets over the IPsec tunnel, and split them out with a switch on the other end? I can present the PIX 520 with access ports or a trunk of course, but I'm not clearly thinking when it comes to sorting them out. The remote sites currently each have their own subnet, but we're likely going to need 3 VLANs represented in the remote sites, and it seems like the administrative overhead of access-lists and routing could get out of control very quickly.

Any thoughts anyone?

Thanks, Joey


You'd need a Layer 2 Transparent Firewall, which is not supported on the 501 or the 520 (you need PIX 7 and those models stop at PIX 6).

If not that, then you'd need some device to encapsulate the packets before they hit the sending PIX, and decapsulate them after they entered the receiving PIX -- extra equipment, and the PIX would see the encapsulation protocol rather than the encapsulated protocol and so would not do fixups on the traffic.

-- Walter Roberson
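To make the two points in the reply above concrete, here is a small Python model added to this thread (it is not code from either poster, and it models packet layouts rather than driving any PIX). It builds a constructed 802.1Q-tagged frame carrying a TCP SYN, then runs it through two paths: plain PIX-to-PIX IPsec in tunnel mode, where the gateway consumes the Ethernet header (and with it the VLAN tag) before ESP encapsulation, and an external Layer 2 encapsulator that wraps the whole frame in GRE before it reaches the PIX, where the tag survives but the firewall can only see IP protocol 47. All addresses, MACs, the SPI and the port are constructed sample values; the checksums are left zero because nothing here is put on a wire.

```python
import struct

# Real IEEE/IANA constants
ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_GRE = 47
IPPROTO_ESP = 50
GRE_PROTO_TEB = 0x6558    # GRE protocol type "Transparent Ethernet Bridging"

# Constructed sample addresses (not from the thread)
REMOTE_GW = bytes([192, 0, 2, 1])
HQ_GW = bytes([198, 51, 100, 1])
HOST_A = bytes([10, 10, 1, 5])
HOST_B = bytes([10, 10, 2, 7])
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum zero; sufficient for the model)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp_syn(dport):
    """20-byte TCP header with only SYN set (constructed sample segment)."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_tagged_frame(dst_mac, src_mac, vlan_id, ip_packet):
    """Ethernet II frame with an 802.1Q tag in front of an IPv4 packet."""
    tci = vlan_id & 0x0FFF   # PCP/DEI zero, 12-bit VLAN ID
    return dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip_packet


def parse_frame(frame):
    """Return (vlan_id or None, ethertype of the payload, offset of the L3 payload)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, 18
    return None, ethertype, 14


def firewall_view(ip_packet):
    """What a Layer 3 stateful firewall can inspect: the IP protocol and, for TCP,
    the destination port it would apply a fixup/inspection to."""
    proto = ip_packet[9]
    if proto == IPPROTO_TCP:
        return proto, struct.unpack("!H", ip_packet[22:24])[0]
    return proto, None


def ipsec_tunnel_mode(frame, gw_src, gw_dst):
    """Model of an L3 IPsec gateway: the Ethernet header (tag included) is consumed
    on the ingress interface; only the IP packet goes into ESP."""
    _, _, off = parse_frame(frame)
    inner_ip = frame[off:]
    esp = struct.pack("!II", 0x00001000, 1) + inner_ip   # SPI, sequence, payload
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, esp)


def ipsec_decapsulate(pkt, dst_mac, src_mac):
    """Receiving gateway: strip outer IP (20) + ESP (8), re-frame untagged on egress."""
    inner_ip = pkt[28:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip


def l2_over_gre(frame, gw_src, gw_dst):
    """Model of a separate L2 encapsulator in front of the PIX: the whole frame,
    802.1Q tag and all, rides inside GRE (IP protocol 47)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)
    return build_ipv4(gw_src, gw_dst, IPPROTO_GRE, gre + frame)


def gre_decapsulate(pkt):
    """Strip outer IP (20) + GRE (4); what remains is the original frame."""
    return pkt[24:]


def demo(vlan_id=10, dport=80):
    ip = build_ipv4(HOST_A, HOST_B, IPPROTO_TCP, build_tcp_syn(dport))
    frame = build_tagged_frame(MAC_B, MAC_A, vlan_id, ip)

    # Path 1: PIX-to-PIX IPsec. The PIX sees cleartext TCP before ESP (fixups apply),
    # but the tag never enters the tunnel.
    esp_pkt = ipsec_tunnel_mode(frame, REMOTE_GW, HQ_GW)
    vlan_after_ipsec, _, _ = parse_frame(ipsec_decapsulate(esp_pkt, MAC_B, MAC_A))

    # Path 2: external L2 encapsulator, then the PIX. The tag survives end to end,
    # but all the PIX can see is protocol 47.
    gre_pkt = l2_over_gre(frame, REMOTE_GW, HQ_GW)
    vlan_after_gre, _, _ = parse_frame(gre_decapsulate(gre_pkt))

    return {
        "vlan_sent": vlan_id,
        "vlan_after_ipsec": vlan_after_ipsec,          # None: tag consumed at L3
        "vlan_after_gre": vlan_after_gre,              # vlan_id: tag carried in GRE
        "pix_sees_ipsec_path": firewall_view(ip),      # (6, dport): TCP inspectable
        "pix_sees_gre_path": firewall_view(gre_pkt),   # (47, None): nothing to fix up
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model only goes as far as the reply does: routed IPsec keeps the firewall's inspection but drops the tag, and any L2 wrapper that preserves the tag takes the inner protocol out of the firewall's view. Either way the per-VLAN policy still has to be expressed somewhere, which is the access-list and routing overhead the question is worried about.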
