PIX VPN Tunnels

We currently have a PIX LAN-to-LAN hub/spoke (2) setup in our environment. I have a situation now that's come up where the subnet of one of our VPN tunnels needs to access a web server on the outside interface of the hub PIX.

We are currently running version 7.0(2) and I tried adding the command "same-security-traffic permit intra-interface" without any luck.

Does anybody have any suggestions on how to take traffic coming into the outside interface and then send it back out the outside interface?

Greg

If "same-security-traffic permit inter-interface" does not work, there is no solution.

Lutz Donnerhacke

Do you have a router between the inside LAN and the PIX inside? If so, you could route in/out via the router. But you would have to create a "link-net" in between the PIX inside and the router outside, and also give the router the inside IP on the router-inside interface.

hope it makes sense ...

HTH Martin

Martin Bilgrav

This does make sense...but I've never done this before.

Do you have any examples?


Greg


As I told you: It is on Cisco.com, if you cared to look:

HTH Martin Bilgrav

Martin Bilgrav


Oops, really sorry, my bad. Wrong posting thread ... let's see: this is the thread about a LAN gateway router ... oh yes:

I assume that your clients today use the IP address of the PIX inside as their gateway IP.

You take a router that meets your throughput needs, along with two Ethernet ports. Let us call the ports gw-outside and gw-inside. gw-inside you cont. with the "old" pix-inside IP, and reconnect the pix-inside to this port. gw-outside you "make up" a link net that is not in use in your LAN, e.g.

10.0.0.0/30; this gives IP .1 and .2. Assign .1 to the gw-outside and assign .2 to the PIX inside. On the gw-router, add a default route to point to the pix-inside. Change whatever, and if needed, NAT in the PIX.

Now when VPN clients connect, they will get routed to the gw-router and the router will route back to the PIX.

In some setups this might not work, e.g. if the outside IP that the clients need to reach is directly connected to the PIX, the PIX will not route to the router. In some setups proxy servers on the inside are another way to go. A third way is split tunneling, where VPN clients do not encrypt traffic for specific destinations, hence they go direct on the internet, whereas the rest goes into the tunnel.

Hope this makes sense, and again, really sorry for the mixup. I did not mean to offend you in any way.

Regards Martin Bilgrav

Martin Bilgrav
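As an added illustration, not part of the thread, here is the link-net addressing Martin describes, written as Cisco IOS and PIX 7.0 configuration fragments. The LAN subnet 192.168.1.0/24, the old gateway address 192.168.1.1, and the interface names are constructed assumptions; only the 10.0.0.0/30 link net comes from the post.

```text
! --- gw-router (assumed Cisco IOS; interface names are assumptions) ---
! gw-inside takes over the "old" pix-inside address that LAN hosts already use as gateway
interface FastEthernet0/0
 description gw-inside (old PIX inside address, constructed: 192.168.1.1)
 ip address 192.168.1.1 255.255.255.0
!
! gw-outside sits on the link net 10.0.0.0/30 towards the PIX
interface FastEthernet0/1
 description gw-outside (link net to PIX inside)
 ip address 10.0.0.1 255.255.255.252
!
! default route on the gw-router points at the PIX inside (.2 on the link net)
ip route 0.0.0.0 0.0.0.0 10.0.0.2

! --- hub PIX 7.0 (interface name is an assumption) ---
! PIX inside moves off the LAN and onto the link net
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
! the LAN is now one hop behind the gw-router, so the PIX needs a route back to it
route inside 192.168.1.0 255.255.255.0 10.0.0.1
```

As Martin notes, whether the PIX actually hands traffic for an outside address to the gw-router depends on the PIX routing table, so confirm with `show route` on the PIX before relying on this path.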
