Solved

IP routing via multiple PIX IPSec tunnels

Posted on 2006-06-19
Last Modified: 2013-11-16
I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0. There is an IPSec tunnel between A and B and between B and C. VPN traffic works between A and B and between B and C. The requirement is that a host in A should be able to reach a host in C. Where (which PIX) and how do I define the proper routes to make this possible? (I am using PDM for PIX configurations.)
Question by:royrubio
5 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 16933370
hi there

This is something that a PIX cannot do by default. PIX does not allow traffic that comes in on the outside interface to go back out the same interface. The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C. The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later), as V7 has some added functionality to do this for you.

If you look at the attached url - it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Here is how to configure a fully meshed network with 3 PIXes
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

hope this helps
 

Author Comment

by:royrubio
ID: 16933491
Hi nodisco,

If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
 
LVL 19

Expert Comment

by:nodisco
ID: 16933606
Yes - a router would do the job, but if you were using the PIXes for firewalling also, I would stick to using them and add the third IPSec tunnel.
 

Author Comment

by:royrubio
ID: 16933713
Hi Nodisco,

Sorry, a mistake: the appliance in node A is a Cisco VPN concentrator. B and C are PIXes. The company having the A node would not agree to create another tunnel to C. With their devices, is routing still not possible between A and C?
 
LVL 19

Accepted Solution

by: nodisco (earned 2000 total points)
ID: 16933748
Afraid you are still in the same situation. The PIX in site B is the one that's causing your issue. For traffic to go from site A to C it would need to come in on the outside interface of PIX B and then go out the outside interface of PIX B. PIX does not work this way.
A router would, and you could have your current tunnels of A>B and B>C and pass traffic from A to C also.
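As an added illustration of the V7 route nodisco mentions in the first comment (this is not configuration from the thread or from Cisco's linked examples), here is what hub PIX B would need so that hosts in A reach C over the two existing tunnels. The subnets are the ones from the question; the ACL names, crypto map name, /24 masks and peer addresses are assumptions.

```cisco
! Hub PIX B running OS 7.x (assumed). Subnets from the question:
!   A = 10.20.30.0/24, B = 10.30.40.0/24, C = 10.40.50.0/24
! ACL names, crypto map name, masks and peer addresses are assumed.

! Let a packet that arrived on the outside interface (from tunnel A)
! leave via that same interface (into tunnel C). Without this line the
! hairpin turn is dropped, which is the behaviour the thread describes.
same-security-traffic permit intra-interface

! Crypto ACL for the A tunnel: select B<->A traffic AND C<->A traffic,
! so a reply from C to A is sent back into the A tunnel.
access-list TO-A extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list TO-A extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0

! Crypto ACL for the C tunnel: select B<->C traffic AND A<->C traffic.
access-list TO-C extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list TO-C extended permit ip 10.20.30.0 255.255.255.0 10.40.50.0 255.255.255.0

! Bind each ACL to its crypto map entry (transform sets and the
! interface binding are unchanged from the existing tunnels and omitted).
! If NAT control is on, the spoke-to-spoke flows also need NAT exemption.
crypto map OUTSIDE-MAP 10 match address TO-A
crypto map OUTSIDE-MAP 10 set peer <peer-A-ip>
crypto map OUTSIDE-MAP 20 match address TO-C
crypto map OUTSIDE-MAP 20 set peer <peer-C-ip>
```

The spoke sides must mirror this: A's concentrator and PIX C each need the other spoke's subnet added to the interesting-traffic definition of their existing tunnel to B, so A's side still has to change even though no new tunnel is built. Keep the intra-interface permit off on any PIX that has no such requirement, since it widens what the outside interface will forward.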
