Can I establish VPN tunnels through both the inside and outside interfaces on a Cisco Pix firewall?

Posted on 2010-08-15
Last Modified: 2012-05-10
I currently operate an Internet based WAN with fixed Pix to Pix VPN connections between sites. I am migrating to an MPLS based WAN. While some sites will ditch the firewall and replace it with the MPLS router, others will move the outside interface of their firewall from the Internet router to the MPLS router. During the migration, my location will maintain a direct connection to the MPLS and a firewalled connection to the local Internet service.

My question is: When a remote firewall is moved from Internet to MPLS, can I establish a new tunnel via the inside interface of my Pix, while still maintaining other external VPN tunnels. This would mean, at my end, both encrypted and unencrypted traffic would use the same interface.
Question by:andy_belton
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 20

Expert Comment

ID: 33443250
You are using a VPN tunnel through the mpls?  Why?  Mpls is private.  You don't need a virtual private network (VPN) on a private network.

Anyway, migrating means that hq should be a bridge between mpls and IPSec networks.  Just remove from pix and route as a normal route.

Author Comment

ID: 33443804
I have 2 zones within the MPLS, "private" and "Very private". I am in "Private" but I need to be able to provide admin and support to servers and wkstns in "Very private". Untill all sites are on MPLS, the quickest solution would be to switch VPN tunnel from outside to inside interface when a "Very private" site joins the MPLS. I don't need to know how to do it, just if it is possible. I don't want to spend time reconfiguring the firewall if it turns out that such a configuration will not be permitted by ther Pix.
LVL 20

Expert Comment

ID: 33444628
I'm not sure I get what you mean.

I would recommend enabling IPSec on the very private workstations & server and leave the pix out of it.
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Author Comment

ID: 33445762
See attached diagram.

The top scenario shows what it is like now. the Private WAN has been created but all remote sites are suopported using VPNs.

The lower scenario shows How I would like it to be after some sites have been transferred to the WAN. IT Support can access Private LAN A directly without any VPN. Very Private LAN B still has its own firewall in place but the outside of it is connected to the WAN. Is it possible for IT support to access Very Private LAN B by VPN from their local firewall, when the VPN is routed back through the same interface (Inside).

LVL 20

Accepted Solution

RPPreacher earned 500 total points
ID: 33445969
Won't work.

Author Closing Comment

ID: 33446079
It wasn't what I wanted to hear, but it will save me the futile exercise of trying to configure it that way.

Thank you very much fior the advice.

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
BGP DUAL ISP with IP SLA 10 70
PIM sparse mode question 1 28
Problems with VPN 4 60
Cisco 3650x ACL 8 51
If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question