PIX "routing"

Hi there!

For educational reasons, I have configured a 1710 and a PIX 501 to establish a VPN tunnel to a PIX 515 (see some older postings). Both devices are located in my internal network behind a NATing DSL router. This works fine in both cases, with one exception: there's no problem when logged in directly on the device _but_ when used as a VPN gateway, the router doesn't seem to care about "routing" with only one interface, whereas the PIX apparently does and refuses to "route" through the inside interface (it's a firewall ;). Is there any way to fix this, or do I have to simulate a real external network, e.g. with the two unused interfaces (on the router and on the PIX)?

TIA

fw

Frank Winkler

I'm confused... Maybe a simple diagram would help?

Michał Iwaszko

The basic setup is like this:

LAN ------------ DSL router -- Internet -- Corp router - PIX 515
 |    |                                                    |
1710  PIX 501                                         Corp network

Directly logged in on the 1710 or the PIX, I can ping into the remote network.

When I now use the 1710 as a VPN router to the Corp network, things work fine. The same with my PIX fails, because the PIX doesn't like incoming and outgoing traffic for one connection on the same interface. Can I change this behavior?

A possible workaround would be to connect the PIX's outside interface with Ethernet0 of the 1710:

LAN ------------ DSL router -- Internet -- Corp router - PIX 515
 |    |                                                    |
1710  PIX 501                                         Corp network
 |    |
 ------

Then I could do a global NAT on the PIX and set its default route to the 1710, which hopefully would send it through the original network to the DSL router, resulting in the same as above. This would require a backward route on the DSL router, sending traffic for the NAT address to the 1710. Should work, shouldn't it?

TIA

fw

Frank Winkler

So, the VPN works.

As far as I recall, routing through the same interface isn't possible on PIX - I had the same problem with making a small DMZ using a 506.

It should, but I'm starting to be confused again. Are you doing it only for educational purposes? Because I can't see the point of using the 1710 and the PIX simultaneously :-). Yes, but it would work :-).

Michał Iwaszko

Yep - that's what I wanted to say.

Damn. Will there ever be a PIX 7 for the 501 and 506E or is this part of the EOL policy?

Primarily, it was for learning, but now that the PIX won't route through one and the same interface, the 1710 may be very useful.

Regards

fw

Frank Winkler

I don't think it'll happen. 7.x is one of the reasons to go 515E+ or ASA.

But isn't the 1710 enough for your network and this kind of configuration?

Michał Iwaszko

Sure, but:

- the 1710 is borrowed from the company, whereas the PIX is mine
- the VPN tunnel between the 1710 and the PIX 515 is terminated after a very short time (why?), the PIX2PIX tunnel stays up

Regards

fw

Frank Winkler

That erm.... Sucks... :-)

Take a look at the logfiles; it should be clear then. And of course debugging level is really appreciated.

Michał Iwaszko

It doesn't, at least not out of the box. I suppose the double NAT may be a problem in this setup? I can ping the remote PIX but can't get the tunnel up.

Regards

fw

Frank Winkler
