Solved

IP routing via multiple PIX IPSec tunnels

Posted on 2006-06-19
Last Modified: 2013-11-16
I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0.  There is an IPSec tunnel between A and B and between B and C.  VPN  traffic works between A and B and between B and C.  The requirement is that a host in A should be able to reach a host in C.  Where (which Pix) and how do I define the proper routes to make this possible? (I am using PDM for Pix configurations).
Question by:royrubio
5 Comments
 
LVL 19

Expert Comment

by:nodisco
ID: 16933370
hi there

This is something that a PIX cannot do by default.  PIX does not allow traffic that comes in on the outside interface to go back out the same interface.  The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C.  The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later) as V7 has some added functionality to do this for you.

If you look at the attached url - it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Here is how to configure a fully meshed network with 3 PIXes
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

hope this helps

Author Comment

by:royrubio
ID: 16933491
Hi nodisco,

If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
LVL 19

Expert Comment

by:nodisco
ID: 16933606
Yes - a router would do the job, but if you were using the PIXes for firewalling also, I would stick to using them and add the third IPSec tunnel.

Author Comment

by:royrubio
ID: 16933713
Hi Nodisco,

Sorry, a mistake, the appliance in node A is a Cisco VPN concentrator.  B and C are PIXes.  The company having the A node would not agree to create another tunnel to C.  With their devices, is routing still not possible between A and C?
LVL 19

Accepted Solution

by: nodisco (earned 2000 total points)
ID: 16933748
Afraid you are still in the same situation.  The PIX in site B is the one that's causing your issue.  For traffic to go from site A to C it would need to come in on the outside interface of PIX B and then go out the outside interface of PIX B.  PIX does not work this way.
A router would and you could have your current tunnels of A>B and B>C and pass traffic from A to C also.

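For reference, this is what the V7 workaround nodisco mentions in the first comment looks like on the hub (PIX B), as an added example that is not from the thread or from Cisco's configuration guides. It assumes PIX/ASA 7.x syntax, the three subnets from the question, and placeholder peer addresses and keys; the key lines are `same-security-traffic permit intra-interface`, which lifts the "in outside, out outside" restriction, and crypto ACLs on each tunnel that also carry the far spoke's subnet.

```text
! PIX B (hub) - assumed PIX/ASA 7.x syntax, placeholders in <angle brackets>
! Allow traffic that arrives on "outside" to leave via "outside" again
same-security-traffic permit intra-interface
!
! Interesting traffic for the tunnel to site A: B's LAN AND site C's LAN -> A
access-list VPN_TO_A extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list VPN_TO_A extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0
! Interesting traffic for the tunnel to site C: B's LAN AND site A's LAN -> C
access-list VPN_TO_C extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list VPN_TO_C extended permit ip 10.20.30.0 255.255.255.0 10.40.50.0 255.255.255.0
!
! Do not NAT B's own LAN towards either spoke
access-list NONAT extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list NONAT extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! IKE phase 1 (7.0/7.1 form; 7.2 and later prefix these with "crypto")
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
!
! IPSec phase 2: one crypto map entry per spoke on the single outside interface
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer <PEER_A_PUBLIC_IP>
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_TO_C
crypto map OUTSIDE_MAP 20 set peer <PEER_C_PUBLIC_IP>
crypto map OUTSIDE_MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Pre-shared keys per LAN-to-LAN peer
tunnel-group <PEER_A_PUBLIC_IP> type ipsec-l2l
tunnel-group <PEER_A_PUBLIC_IP> ipsec-attributes
 pre-shared-key <KEY_SHARED_WITH_A>
tunnel-group <PEER_C_PUBLIC_IP> type ipsec-l2l
tunnel-group <PEER_C_PUBLIC_IP> ipsec-attributes
 pre-shared-key <KEY_SHARED_WITH_C>
```

The spokes must mirror this: PIX C's crypto ACL and the site A concentrator's network list each have to include the far spoke's subnet (10.20.30.0/24 on C, 10.40.50.0/24 on A), or the spoke never sends A-to-C traffic into its tunnel in the first place.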
