• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 363
  • Last Modified:

Adding an additional Cisco PIX to my network for site-to-site VPN's only.

Below is a diagram of what my network currently looks like.  I've been tasked with adding an additional Pix that will be used for Site-to-Site VPNs only.  My problem is I don't know where to place the Pix on the network.  I don't have a DMZ switch or anything to plug the outside interface of the PIX into.  Is there any way to add this additional PIX without putting a switch between the Cisco 1700 Router and the main PIX.  Thanks.

     Network Diagram
3 Solutions
Ernie BeekExpertCommented:
If the router doesn't have any additional ports I'm afraid you'll need a switch in between. Or you could set up the site to site on the asa already in place....
jmeggersSr. Network and Security EngineerCommented:
Depending on interfaces, the only other option I can think of is to create a DMZ on the existing PIX and hang the new PIX off that DMZ.  But that certainly seems to get more complicated than necessary.

Is there a reason not to configure the VPN on the existing PIX?
This is kind of a fun one, here is an idea.
i'm not sure if it would work.  I might lab it up just to see :)

You could place your VPN PIX on your LAN with a private address on the OUTSIDE interface. On your main pix make a 1-to-1 NAT so your VPN pix can be accessed with a public address. Then in your main PIX on the outside interface ACL permit ip any to the VPN pix.

Basically your VPN pix would be configured just like you would if you had it in parallel to your main PIX except for the fact that you'd be using NAT to get to it.

Like I said i've never tried it so i'm not sure it will work but I have seen some scenarios that lead me to believe it will.

Hows that?
The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Ernie BeekExpertCommented:
Depends on the pix version how good it is with vpn passthrough.
The more I think about it, the more I see no reason why it shouldn't work.

Here is a couple of examples using L2L VPN and PPTP/L2TP.

In fact I have done PPTP pass-through across a 5510 running 7.x going to a MS server, so not exactly the same but similar.



denver218Author Commented:
Thanks.  The customer decided it was fine for me to create the VPN on the main PIX.  When I posted this question, the requirement was to use another pix for VPNs, but that changed.  dslam24 I do like your idea, and think I will try that on my network at my office just to see if it works.  I don't see why it wouldn't, I have actually done this with a sonicwall before, it just didn't come to mind until you mentioned it.  Thank you all for your comments.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now