royrubio
asked on
IP routing via multiple PIX IPSec tunnels
I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0. There is an IPSec tunnel between A and B and between B and C. VPN traffic works between A and B and between B and C. The requirement is that a host in A should be able to reach a host in C. Where (which Pix) and how do I define the proper routes to make this possible? (I am using PDM for Pix configurations).
ASKER
Hi nodisco,
If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
Yes - a router would do the job but if you were using the PIXs for firewalling also, I would stick to using them and add the third IPSec tunnel.
ASKER
Hi Nodisco,
Sorry, a mistake, the appliance in node A is a Cisco VPN concentrator. B and C are PIXes. The company having the A node would not agree to create another tunnel to C. With these devices, is routing still not possible between A and C?
This is something that a PIX cannot do by default. PIX does not allow traffic that comes in on the outside interface to go back out the same interface. The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C. The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later) as V7 has some added functionality to do this for you.
If you look at the attached URL, it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml
Here is how to configure a fully meshed network with 3 PIXes:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml
Hope this helps.
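
The PIX V7 workaround mentioned in this answer only works if every tunnel end also lists the far site in its IPSec traffic selectors, so the A end has to change even without a third tunnel. The following is an added example, not part of the original thread: it derives the selectors each device needs when B is the hub and renders them as PIX 7.x crypto ACL lines. The /24 masks and ACL names are assumptions, and the lines printed for A are illustrative only, since the asker's A node is a VPN concentrator and is not configured with PIX syntax.

```python
"""Added example: IPsec traffic selectors for routing A <-> C through hub B."""
from ipaddress import ip_network

# Site LANs from the question; the /24 masks are an assumption.
SITES = {"A": ip_network("10.20.30.0/24"),
         "B": ip_network("10.30.40.0/24"),
         "C": ip_network("10.40.50.0/24")}

def hub_selectors(hub, sites=SITES):
    """Return {(device, peer): [(local_net, remote_net), ...]} for every tunnel end."""
    spokes = [s for s in sites if s != hub]
    sel = {}
    for spoke in spokes:
        others = [sites[s] for s in spokes if s != spoke]
        # Spoke end: its LAN to the hub LAN and to every other spoke LAN.
        sel[(spoke, hub)] = [(sites[spoke], dst) for dst in [sites[hub]] + others]
        # Hub end: hub LAN plus every other spoke LAN to this spoke's LAN.
        sel[(hub, spoke)] = [(src, sites[spoke]) for src in [sites[hub]] + others]
    return sel

def is_mirrored(sel):
    """Both ends of a tunnel must hold exact mirror-image selectors."""
    return all(sorted((r, l) for l, r in pairs) == sorted(sel[(peer, dev)])
               for (dev, peer), pairs in sel.items())

def pix_acl(name, pairs):
    """Render selectors as PIX 7.x crypto ACL lines (ACL name is hypothetical)."""
    return [f"access-list {name} extended permit ip "
            f"{l.network_address} {l.netmask} {r.network_address} {r.netmask}"
            for l, r in pairs]

if __name__ == "__main__":
    sel = hub_selectors("B")
    assert is_mirrored(sel)
    for (dev, peer), pairs in sel.items():
        print(f"! on {dev}, tunnel to {peer}")
        print("\n".join(pix_acl(f"VPN-{dev}-TO-{peer}", pairs)))
    # The hub must also allow traffic to leave the interface it arrived on (PIX 7.x):
    print("! on B\nsame-security-traffic permit intra-interface")
```

Each generated ACL is what a `crypto map ... match address` entry for that peer would reference; NAT exemption for the hairpinned traffic is not covered here.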