Solved

IP routing via multiple PIX IPSec tunnels

Posted on 2006-06-19
Last Modified: 2013-11-16
I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0. There is an IPSec tunnel between A and B and between B and C. VPN traffic works between A and B and between B and C. The requirement is that a host in A should be able to reach a host in C. Where (which PIX) and how do I define the proper routes to make this possible? (I am using PDM for PIX configurations.)
Question by: royrubio
Expert Comment by: nodisco (LVL 19)
hi there

This is something that a PIX cannot do by default. PIX does not allow traffic that comes in on the outside interface to go back out the same interface. The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C. The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later), as V7 has some added functionality to do this for you.

If you look at the attached url - it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Here is how to configure a fully meshed network with 3 PIXes:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

hope this helps
Author Comment by: royrubio
Hi nodisco,

If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
Expert Comment by: nodisco (LVL 19)
Yes - a router would do the job, but if you were using the PIXes for firewalling also, I would stick to using them and add the third IPSec tunnel.
Author Comment by: royrubio
Hi Nodisco,

Sorry, a mistake: the appliance in node A is a Cisco VPN concentrator. B and C are PIXes. The company having the A node would not agree to create another tunnel to C. With these devices, is routing still not possible between A and C?
Accepted Solution by: nodisco (LVL 19, earned 500 total points)
Afraid you are still in the same situation. The PIX in site B is the one that's causing your issue. For traffic to go from site A to C, it would need to come in on the outside interface of PIX B and then go out the outside interface of PIX B. PIX does not work this way.
A router would, and you could have your current tunnels of A>B and B>C and pass traffic from A to C also.

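For readers who can take the PIX 7 route mentioned above, here is what the hub-and-spoke configuration on the site B PIX and the site C PIX looks like. This is an added configuration example, not from the thread; it assumes PIX OS 7.x on B, an outside interface named "outside", hypothetical peer addresses 192.0.2.1 (site A) and 192.0.2.2 (site C), and that ISAKMP policies and tunnel-group pre-shared keys for both peers already exist. The point is that hairpinning must be permitted explicitly on B, and the crypto ACLs on all three sides must name the far spoke's subnet, or the traffic is never selected for encryption.

```text
! ---- Hub PIX B (10.30.40.0/24), PIX OS 7.x -- hypothetical config ----
! Without this, decrypted A->C traffic arriving on "outside" is dropped
! because it would have to leave through the same interface.
same-security-traffic permit intra-interface

! Crypto ACL for the A tunnel: both B's LAN and C's LAN are "interesting"
! toward A, so C-originated traffic is re-encrypted toward the concentrator.
access-list B-to-A extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list B-to-A extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0

! Crypto ACL for the C tunnel: B's LAN and A's LAN toward C.
access-list B-to-C extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list B-to-C extended permit ip 10.20.30.0 255.255.255.0 10.40.50.0 255.255.255.0

! Keep B's own LAN-to-VPN traffic out of NAT (the hairpinned A<->C flows
! never touch "inside", so they are not affected by this rule).
access-list nonat extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list nonat extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address B-to-A
crypto map VPNMAP 10 set peer 192.0.2.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 20 match address B-to-C
crypto map VPNMAP 20 set peer 192.0.2.2
crypto map VPNMAP 20 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! ---- Spoke PIX C (10.40.50.0/24) -- hypothetical config ----
! C's crypto ACL must also list A's subnet, otherwise C sends A-bound
! packets in the clear to its default route instead of into the tunnel.
access-list C-to-B extended permit ip 10.40.50.0 255.255.255.0 10.30.40.0 255.255.255.0
access-list C-to-B extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list nonat extended permit ip 10.40.50.0 255.255.255.0 10.30.40.0 255.255.255.0
access-list nonat extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (inside) 0 access-list nonat
```

The same rule applies to the concentrator at site A, which the questioner does not control: its network list for the B tunnel must include 10.40.50.0/24, and a mismatch there shows up on B as a phase 2 proxy-identity failure rather than as a routing error.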