Solved

Adding an additional Cisco PIX to my network for site-to-site VPN's only.

Posted on 2011-09-30
6
283 Views
Last Modified: 2012-05-12
Below is a diagram of what my network currently looks like.  I've been tasked with adding an additional Pix that will be used for Site-to-Site VPNs only.  My problem is I don't know where to place the Pix on the network.  I don't have a DMZ switch or anything to plug the outside interface of the PIX into.  Is there any way to add this additional PIX without putting a switch between the Cisco 1700 Router and the main PIX.  Thanks.

     Network Diagram
0
Comment
Question by:denver218
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 167 total points
ID: 36891462
If the router doesn't have any additional ports I'm afraid you'll need a switch in between. Or you could set up the site to site on the asa already in place....
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 167 total points
ID: 36893384
Depending on interfaces, the only other option I can think of is to create a DMZ on the existing PIX and hang the new PIX off that DMZ.  But that certainly seems to get more complicated than necessary.

Is there a reason not to configure the VPN on the existing PIX?
0
 
LVL 2

Assisted Solution

by:dslam24
dslam24 earned 166 total points
ID: 36893779
This is kind of a fun one, here is an idea.
i'm not sure if it would work.  I might lab it up just to see :)

You could place your VPN PIX on your LAN with a private address on the OUTSIDE interface. On your main pix make a 1-to-1 NAT so your VPN pix can be accessed with a public address. Then in your main PIX on the outside interface ACL permit ip any to the VPN pix.

Basically your VPN pix would be configured just like you would if you had it in parallel to your main PIX except for the fact that you'd be using NAT to get to it.

Like I said i've never tried it so i'm not sure it will work but I have seen some scenarios that lead me to believe it will.

Hows that?
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36894046
Depends on the pix version how good it is with vpn passthrough.
0
 
LVL 2

Expert Comment

by:dslam24
ID: 36894377
The more I think about it, the more I see no reason why it shouldn't work.

Here is a couple of examples using L2L VPN and PPTP/L2TP.

In fact I have done PPTP pass-through across a 5510 running 7.x going to a MS server, so not exactly the same but similar.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml#table2

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36917575
Thanks.  The customer decided it was fine for me to create the VPN on the main PIX.  When I posted this question, the requirement was to use another pix for VPNs, but that changed.  dslam24 I do like your idea, and think I will try that on my network at my office just to see if it works.  I don't see why it wouldn't, I have actually done this with a sonicwall before, it just didn't come to mind until you mentioned it.  Thank you all for your comments.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question