royrubio (United States of America) asked:

IP routing via multiple PIX IPSec tunnels

I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0. There is an IPSec tunnel between A and B and between B and C. VPN traffic works between A and B and between B and C. The requirement is that a host in A should be able to reach a host in C. Where (which PIX) and how do I define the proper routes to make this possible? (I am using PDM for PIX configurations.)
nodisco (New Zealand)

hi there

This is something that a PIX cannot do by default. PIX does not allow traffic that comes in on the outside interface to go back out the same interface. The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C. The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later), as V7 has some added functionality to do this for you.

If you look at the attached url - it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Here is how to configure a fully meshed network with 3 PIXes
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

hope this helps
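As an added illustration of the second option nodisco describes (the V7 same-interface feature), here is what the hub PIX B would need so that hosts in A reach hosts in C through B's two existing tunnels. This is example configuration written for this page, not from the thread or from Cisco's linked documents. The three subnets are the ones from the question; the ACL and crypto-map names, the transform set, and the peer addresses (192.0.2.x documentation addresses) are assumed placeholders, and ISAKMP policy and pre-shared keys are omitted because the question says the A-B and B-C tunnels already work.

```cisco
! Hub B (10.30.40.0/24), PIX 7.x. Added example, not from the thread.
! Assumes nat-control is off (the 7.x default) or that these subnets are
! already covered by a nat 0 exemption; only the subnets come from the question.

! 1. Allow traffic that arrived on 'outside' to be sent back out 'outside'.
!    Without this, the A->C packets are dropped at B, which is exactly the
!    pre-7.0 behaviour nodisco describes.
same-security-traffic permit intra-interface

! 2. Decrypted tunnel traffic bypasses the outside interface ACL
!    (7.0/7.1 keyword; renamed permit-vpn in 7.2).
sysopt connection permit-ipsec

! 3. Crypto ACLs: the A tunnel must carry C's subnet as well as B's, and
!    the C tunnel must carry A's subnet as well as B's. Otherwise B has no
!    SA to put the hairpinned traffic into and it is dropped silently.
access-list TO_A extended permit ip 10.30.40.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list TO_A extended permit ip 10.40.50.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list TO_C extended permit ip 10.30.40.0 255.255.255.0 10.40.50.0 255.255.255.0
access-list TO_C extended permit ip 10.20.30.0 255.255.255.0 10.40.50.0 255.255.255.0

! 4. One crypto map on the outside interface, one entry per peer.
!    Transform-set name and peer addresses are placeholders.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address TO_A
crypto map VPNMAP 10 set peer 192.0.2.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP 20 match address TO_C
crypto map VPNMAP 20 set peer 192.0.2.2
crypto map VPNMAP 20 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! 5. No extra static routes are needed on B for this: the default route
!    already points at the outside next hop, and the crypto ACLs decide
!    which packets are encrypted toward which peer.

! The spokes must mirror the hub, or the proxy identities will not match
! and the A->C SA never comes up. Spoke A (10.20.30.0/24):
!   access-list TO_B extended permit ip 10.20.30.0 255.255.255.0 10.30.40.0 255.255.255.0
!   access-list TO_B extended permit ip 10.20.30.0 255.255.255.0 10.40.50.0 255.255.255.0
! Spoke C (10.40.50.0/24) likewise lists both 10.30.40.0/24 and 10.20.30.0/24
! as destinations in its crypto ACL toward B.
```

After applying it, `show crypto ipsec sa` on B should list two peers, each with the additional subnet among its local/remote identities; if the extra identity is missing on one side, that side's crypto ACL is the one to check.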
royrubio (asker)

Hi nodisco,

If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
Yes - a router would do the job, but if you were using the PIXes for firewalling also, I would stick to using them and add the third IPSec tunnel.
Hi Nodisco,

Sorry, a mistake: the appliance in node A is a Cisco VPN concentrator. B and C are PIXes. The company having the A node would not agree to create another tunnel to C. With their devices, is routing still not possible between A and C?
ASKER CERTIFIED SOLUTION
nodisco (New Zealand)