?
Solved

Adding an additional Cisco PIX to my network for site-to-site VPN's only.

Posted on 2011-09-30
6
Medium Priority
?
286 Views
Last Modified: 2012-05-12
Below is a diagram of what my network currently looks like.  I've been tasked with adding an additional Pix that will be used for Site-to-Site VPNs only.  My problem is I don't know where to place the Pix on the network.  I don't have a DMZ switch or anything to plug the outside interface of the PIX into.  Is there any way to add this additional PIX without putting a switch between the Cisco 1700 Router and the main PIX.  Thanks.

     Network Diagram
0
Comment
Question by:denver218
6 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 668 total points
ID: 36891462
If the router doesn't have any additional ports I'm afraid you'll need a switch in between. Or you could set up the site to site on the asa already in place....
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 668 total points
ID: 36893384
Depending on interfaces, the only other option I can think of is to create a DMZ on the existing PIX and hang the new PIX off that DMZ.  But that certainly seems to get more complicated than necessary.

Is there a reason not to configure the VPN on the existing PIX?
0
 
LVL 2

Assisted Solution

by:dslam24
dslam24 earned 664 total points
ID: 36893779
This is kind of a fun one, here is an idea.
i'm not sure if it would work.  I might lab it up just to see :)

You could place your VPN PIX on your LAN with a private address on the OUTSIDE interface. On your main pix make a 1-to-1 NAT so your VPN pix can be accessed with a public address. Then in your main PIX on the outside interface ACL permit ip any to the VPN pix.

Basically your VPN pix would be configured just like you would if you had it in parallel to your main PIX except for the fact that you'd be using NAT to get to it.

Like I said i've never tried it so i'm not sure it will work but I have seen some scenarios that lead me to believe it will.

Hows that?
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36894046
Depends on the pix version how good it is with vpn passthrough.
0
 
LVL 2

Expert Comment

by:dslam24
ID: 36894377
The more I think about it, the more I see no reason why it shouldn't work.

Here is a couple of examples using L2L VPN and PPTP/L2TP.

In fact I have done PPTP pass-through across a 5510 running 7.x going to a MS server, so not exactly the same but similar.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml#table2

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36917575
Thanks.  The customer decided it was fine for me to create the VPN on the main PIX.  When I posted this question, the requirement was to use another pix for VPNs, but that changed.  dslam24 I do like your idea, and think I will try that on my network at my office just to see if it works.  I don't see why it wouldn't, I have actually done this with a sonicwall before, it just didn't come to mind until you mentioned it.  Thank you all for your comments.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question