VPN to VPN via PIX

In article , Tom Pouce wrote:
:I have to set up an IPsec-VPN tunnel to a customer on a PIX 515E.
:The remote LAN had to connect to another remote LAN, also connected on
:the same PIX via an IPsec-VPN tunnel.
:Are there known problems with such a setup, or is this transparent?

:LAN-----C827-----IPsec-----PIX-----IPsec-----Netscreen-----LAN
:                            |
:                    Internal networks

If the 827 and Netscreen are connecting to the same interface on the PIX 515E, then the 827's LAN will not be able to communicate with the Netscreen's LAN without going through a bunch of bother.

These days, possibly the easiest work-around for the 515E is to upgrade to PIX 7.0(1) --- but that is a "dot zero" release so I would not trust it for a production system.

This limitation does not apply if the two tunnels are connected via different interfaces -- in that situation, you just have the usual security-level / access-list / static / global stuff to worry about.

Walter Roberson
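
The reply above names PIX 7.0 as the work-around without showing any configuration. As an added example, not written by any poster in this thread: a hub-side fragment for PIX 7.0 or later that lets two tunnels on the same interface exchange traffic. The interface name, all addresses, the ACL names and the crypto map name are constructed assumptions; transform sets, ISAKMP policy and keys are omitted, and each spoke needs mirrored crypto ACLs.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   C827 LAN       10.1.1.0/24   peer 192.0.2.10
!   Netscreen LAN  10.2.2.0/24   peer 198.51.100.20
!   Internal nets  10.0.0.0/24
!
! PIX 7.0+: allow traffic to enter and leave the same interface.
same-security-traffic permit intra-interface
!
! Traffic sent to the C827: internal nets plus the Netscreen LAN.
access-list VPN-TO-C827 extended permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-C827 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! Traffic sent to the Netscreen: internal nets plus the C827 LAN.
access-list VPN-TO-NS extended permit ip 10.0.0.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-TO-NS extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Both tunnels terminate on the same interface ("outside" is assumed).
! Spoke-to-spoke packets are decrypted and re-encrypted on the hub, so
! list only the prefixes that actually need to reach each other.
crypto map OUTSIDE-MAP 10 match address VPN-TO-C827
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 20 match address VPN-TO-NS
crypto map OUTSIDE-MAP 20 set peer 198.51.100.20
crypto map OUTSIDE-MAP interface outside
```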

Hello,

I have to set up an IPsec-VPN tunnel to a customer on a PIX 515E. The remote LAN had to connect to another remote LAN, also connected on the same PIX via an IPsec-VPN tunnel. Are there known problems with such a setup, or is this transparent?

LAN-----C827-----IPsec-----PIX-----IPsec-----Netscreen-----LAN
                            |
                            |
                            |
                    Internal networks

Ciao

Tom

Tom Pouce

Tom,

This is not possible if both the tunnels are terminating on the same interface of the hub PIX, as the PIX, being a firewall, doesn't redirect traffic on the same interface.

Had the hub device been a router, this would work; or, if the tunnels were terminating on different interfaces on the PIX, this would also work.

SH

Sarabjit Singh
