IP routing via multiple PIX IPSec tunnels

Posted on 2006-06-19
Last Modified: 2013-11-16
I have 3 PIXes: A=10.20.30.0, B=10.30.40.0, C=10.40.50.0.  There is an IPSec tunnel between A and B and between B and C.  VPN  traffic works between A and B and between B and C.  The requirement is that a host in A should be able to reach a host in C.  Where (which Pix) and how do I define the proper routes to make this possible? (I am using PDM for Pix configurations).
Question by:royrubio
5 Comments
Expert Comment

by:nodisco
ID: 16933370
hi there

This is something that a PIX cannot do by default.  PIX does not allow traffic that comes in on the outside interface to go back out the same interface.  The quick solution for you is to set up a crypto map and IPSec tunnel for site A to C.  The other workaround would be to upgrade your PIX firewalls to V7 (if your firewall supports it - must be a 515E or later) as V7 has some added functionality to do this for you.

If you look at the attached url - it states clearly at the top of the page that what you are doing will not work:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml

Here is how to configure a fully meshed network with 3 PIXes
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800a2cce.shtml

hope this helps
Author Comment

by:royrubio
ID: 16933491
Hi nodisco,

If I replace the B node with a Cisco2600 with VPN IOS, will it do the job?
Expert Comment

by:nodisco
ID: 16933606
Yes - a router would do the job, but if you were using the PIXes for firewalling also, I would stick to using them and add the third IPSec tunnel.
Author Comment

by:royrubio
ID: 16933713
Hi Nodisco,

Sorry, a mistake, the appliance in node A is a Cisco VPN concentrator.  B and C are PIXes.  The company having the A node would not agree to create another tunnel to C.  With their devices, is routing still not possible between A and C?
Accepted Solution

by:nodisco (earned 500 total points)
ID: 16933748
Afraid you are still in the same situation.  The PIX in site B is the one that's causing your issue.  For traffic to go from site A to C it would need to come in on the outside interface of PIX B and then go out the outside interface of PIX B.  PIX does not work this way.
A router would, and you could keep your current tunnels of A>B and B>C and pass traffic from A to C also.

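The two answers above (a PIX will not send traffic back out the interface it arrived on; a router at B, or a third A-C tunnel, avoids the problem) can be checked with a small model. The following Python is an added example written for this page; it is not code from the thread, from Cisco, or from any PIX configuration. It reduces each device to its inside subnet, its crypto map entries (local/remote selector pairs pointing at a peer) and a single `hairpin` flag: false for a PIX 6.x, true for a router or for PIX/ASA 7.x with `same-security-traffic permit intra-interface`. NAT exemption, ISAKMP and the actual PIX commands are deliberately left out; the subnets and the hop names A, B, C come from the question, the host addresses 10.20.30.10 and 10.40.50.10 are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Subnets from the question
SITE_A = ip_network("10.20.30.0/24")
SITE_B = ip_network("10.30.40.0/24")
SITE_C = ip_network("10.40.50.0/24")


@dataclass
class Tunnel:
    """One crypto map entry on a device: traffic matching local->remote is sent to peer."""
    peer: str
    local: IPv4Network
    remote: IPv4Network


@dataclass
class Device:
    name: str
    inside: IPv4Network
    tunnels: list = field(default_factory=list)
    # PIX 6.x never forwards a packet back out the interface it arrived on.
    # A router does; PIX/ASA 7.x can with "same-security-traffic permit intra-interface".
    hairpin: bool = False

    def route(self, src: IPv4Address, dst: IPv4Address, arrived_on: str):
        """Decide what this device does with src->dst that arrived on `arrived_on`.

        Returns ("inside", None), ("outside", peer_name) or ("drop", reason).
        """
        if dst in self.inside:
            return "inside", None
        for t in self.tunnels:
            if src in t.local and dst in t.remote:
                if arrived_on == "outside" and not self.hairpin:
                    return "drop", f"{self.name}: outside->outside not permitted"
                return "outside", t.peer
        return "drop", f"{self.name}: no crypto map entry for {src}->{dst}"


def trace(devices: dict, start: str, src: str, dst: str, max_hops: int = 5):
    """Follow a packet from the inside of `start`; return (delivered, hops, reason)."""
    s, d = ip_address(src), ip_address(dst)
    here, arrived_on, hops = start, "inside", [start]
    for _ in range(max_hops):
        action, info = devices[here].route(s, d, arrived_on)
        if action == "inside":
            return True, hops, "delivered"
        if action == "drop":
            return False, hops, info
        here, arrived_on = info, "outside"
        hops.append(here)
    return False, hops, "hop limit exceeded"


def two_tunnels(b_hairpin: bool):
    """A-B and B-C tunnels only; A-C traffic is listed in every crypto ACL so it is encrypted."""
    devices = {
        "A": Device("A", SITE_A, [Tunnel("B", SITE_A, SITE_B), Tunnel("B", SITE_A, SITE_C)]),
        "B": Device("B", SITE_B, [Tunnel("A", SITE_B, SITE_A), Tunnel("A", SITE_C, SITE_A),
                                  Tunnel("C", SITE_B, SITE_C), Tunnel("C", SITE_A, SITE_C)],
                    hairpin=b_hairpin),
        "C": Device("C", SITE_C, [Tunnel("B", SITE_C, SITE_B), Tunnel("B", SITE_C, SITE_A)]),
    }
    return trace(devices, "A", "10.20.30.10", "10.40.50.10")


def full_mesh():
    """Third tunnel A-C added, as the first answer suggests; no hairpin needed anywhere."""
    devices = {
        "A": Device("A", SITE_A, [Tunnel("B", SITE_A, SITE_B), Tunnel("C", SITE_A, SITE_C)]),
        "B": Device("B", SITE_B, [Tunnel("A", SITE_B, SITE_A), Tunnel("C", SITE_B, SITE_C)]),
        "C": Device("C", SITE_C, [Tunnel("A", SITE_C, SITE_A), Tunnel("B", SITE_C, SITE_B)]),
    }
    return trace(devices, "A", "10.20.30.10", "10.40.50.10")


if __name__ == "__main__":
    print("PIX at B, two tunnels:  ", two_tunnels(b_hairpin=False))
    print("Router at B, two tunnels:", two_tunnels(b_hairpin=True))
    print("Full mesh, all PIX:     ", full_mesh())
```

With a PIX at B the trace stops at B with "outside->outside not permitted" even though every crypto ACL already lists the A-C traffic; flipping `hairpin` to true (router at B) lets the same two tunnels carry it, and the full-mesh case never touches B at all. Note that the model assumes the A-C traffic is in the crypto ACLs and NAT-exempt on all three devices; on real hardware that is the part most often forgotten once the hairpin question is settled.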