Cisco PIX 515 + static routes between 2 Cisco PIX

Hello everybody...

I have a big problem with static routes... I have 2 Cisco PIX 515 with IOS 6.3 and 2 interfaces.

A) Cisco PIX "A" has 3 VPN tunnels to 3 different remote offices: Network A (remote office 1), Network B (remote office 2), Network C (remote office 3).

B) Cisco PIX "B" has no VPN tunnels, but I need those guys who are connected to this PIX... to have access to the VPN tunnels (Network A, Network B, Network C) on PIX "A".

C) The internal interfaces of PIX "A" and "B" are in the same network and have connectivity to each other (I can ping the internal interfaces of both PIXes).

Troubleshooting:

1) Inside static route on PIX "B", forwarding those VPN networks to PIX "A".
2) I made no NATing (nat 0) for the VPN networks on PIX "B".

Could you please help me with this huge and terrible problem? I'm stuck right now. Thanks in advance, greetings

Peter

Reply to
Peter

In article , Peter wrote:
:I have a big problem with static routes...
:i have 2 cisco pix 515 with ios 6.3 and 2 interfaces

Restating your problem in more compact form:

You have two PIXes with their inside interfaces on the same subnet, and you have some VPN tunnels on one, and you want the other PIX to forward the traffic destined for those tunnels to the PIX that the tunnels live on.

The traffic you want to forward: where is it coming from?

Is the traffic coming from a lower security level interface on the second PIX (such as the outside interface)?

Or is the traffic coming from the inside network that the PIXes are both on, and the traffic is arriving at the second PIX instead of the one that has the tunnels because the inside machines happen to have their default gateway set to the second PIX [and no special route for those tunnels set to the first PIX] ?

If it is the first situation, you would use a series of "route inside" on each of the PIXes, with the forwarding PIX set to route the tunnel destinations to the PIX that has the tunnels, and with the PIX that has the tunnels set to route the traffic to the outside locations through the second PIX.

If it is the second situation, where "inside" devices have a gateway set to the second PIX and you want to redirect the traffic to the first PIX that is on the same network, then you have a problem because the PIX is designed not to allow that. There is a hack which can be done involving creating "logical" interfaces (802.1Q VLANs) on each of the 515s, provided that the switches between the two PIXes allow the extra-length packets, or provided that you set the MTU on the inside interfaces of the PIXes down by a few bytes so that the tagged packets do not exceed the length capacity of your switches.

Reply to
Walter Roberson
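The "route inside" arrangement Walter describes for the first situation, plus the host-side route he alludes to for the second, as an added configuration example. This is not Peter's config and not something Walter posted; every address below is assumed for illustration (shared inside segment 192.168.1.0/24, PIX "A" inside 192.168.1.1, PIX "B" inside 192.168.1.2, remote offices 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, and a hypothetical 172.16.0.0/24 behind PIX "B"'s lower-security interface), as are the access-list names.

```text
! Added example, not from the thread. Assumed addresses:
!   shared inside segment 192.168.1.0/24, PIX "A" inside 192.168.1.1, PIX "B" inside 192.168.1.2
!   remote offices: Network A 10.1.0.0/24, Network B 10.2.0.0/24, Network C 10.3.0.0/24
!   hosts reaching PIX "B" from a lower-security interface: 172.16.0.0/24 (hypothetical)

! --- Situation 1, PIX "B" (no tunnels): hand the remote-office networks to PIX "A" ---
route inside 10.1.0.0 255.255.255.0 192.168.1.1 1
route inside 10.2.0.0 255.255.255.0 192.168.1.1 1
route inside 10.3.0.0 255.255.255.0 192.168.1.1 1

! --- Situation 1, PIX "A" (tunnels): return path for the hosts behind PIX "B" ---
route inside 172.16.0.0 255.255.255.0 192.168.1.2 1
! The crypto-map access-list (interesting traffic) and the nat 0 access-list on
! PIX "A" must also match 172.16.0.0/24 -> remote office, otherwise the packets
! reach PIX "A" but follow the default route out the outside interface instead
! of going into the tunnel. Shown for Network A only; repeat for B and C.
access-list VPN_NET_A permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN_NET_A permit ip 172.16.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list NONAT permit ip 172.16.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Situation 2 (hosts on 192.168.1.0/24 whose default gateway is PIX "B") ---
! PIX 6.3 will not send a packet back out the interface it arrived on, so no
! "route inside" on PIX "B" helps here. Point the hosts (or their router)
! directly at PIX "A" for the three remote networks instead:
!   Windows:  route -p add 10.1.0.0 mask 255.255.255.0 192.168.1.1
!   Linux:    ip route add 10.1.0.0/24 via 192.168.1.1
```

After applying the routes, `show route` on each PIX should list the three remote networks via 192.168.1.1 on PIX "B" and the 172.16.0.0/24 return route via 192.168.1.2 on PIX "A"; if the tunnel still does not carry the traffic, compare the source addresses actually arriving at PIX "A" against its crypto access-list before touching anything else.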

Hi, please copy and paste your config and send it to us.

Do take care in removing the confidential info.

Thanks, Renil

Reply to
renil.lambert

As you were replying to me and you did not quote any context, I must presume that you are asking me to post my PIX configuration. I really don't think that would do any good in solving the original poster's question. My configuration is thousands and thousands of lines that are completely irrelevant to the matter at hand.

Cisco TAC keeps asking for my configuration and I keep telling them, "You don't really want to read it, it won't help you, it will only distract you" And sure enough, if I send in my config because the TAC person I'm dealing with only knows how to go through the "Ask for the configuration and run it through the output interpreter" script, inevitably the TAC points to some irrelevant line and I have to spend the next several hours teaching the TAC person how the PIX *really* works. So.... somehow I really really doubt that my posting my configuration would help the original poster!

Perhaps next time you could quote enough context so that we know what is being asked? If you are using Google Groups, don't click reply, click on Advanced Options and use the reply feature exposed there: it quotes the posting being replied to, and you can then trim that down to the relevant points you wish to discuss.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.