Solved

Adding an additional Cisco PIX to my network for site-to-site VPN's only.

Posted on 2011-09-30
6
282 Views
Last Modified: 2012-05-12
Below is a diagram of what my network currently looks like.  I've been tasked with adding an additional Pix that will be used for Site-to-Site VPNs only.  My problem is I don't know where to place the Pix on the network.  I don't have a DMZ switch or anything to plug the outside interface of the PIX into.  Is there any way to add this additional PIX without putting a switch between the Cisco 1700 Router and the main PIX.  Thanks.

     Network Diagram
0
Comment
Question by:denver218
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 167 total points
ID: 36891462
If the router doesn't have any additional ports I'm afraid you'll need a switch in between. Or you could set up the site to site on the asa already in place....
0
 
LVL 18

Assisted Solution

by:jmeggers
jmeggers earned 167 total points
ID: 36893384
Depending on interfaces, the only other option I can think of is to create a DMZ on the existing PIX and hang the new PIX off that DMZ.  But that certainly seems to get more complicated than necessary.

Is there a reason not to configure the VPN on the existing PIX?
0
 
LVL 2

Assisted Solution

by:dslam24
dslam24 earned 166 total points
ID: 36893779
This is kind of a fun one, here is an idea.
i'm not sure if it would work.  I might lab it up just to see :)

You could place your VPN PIX on your LAN with a private address on the OUTSIDE interface. On your main pix make a 1-to-1 NAT so your VPN pix can be accessed with a public address. Then in your main PIX on the outside interface ACL permit ip any to the VPN pix.

Basically your VPN pix would be configured just like you would if you had it in parallel to your main PIX except for the fact that you'd be using NAT to get to it.

Like I said i've never tried it so i'm not sure it will work but I have seen some scenarios that lead me to believe it will.

Hows that?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36894046
Depends on the pix version how good it is with vpn passthrough.
0
 
LVL 2

Expert Comment

by:dslam24
ID: 36894377
The more I think about it, the more I see no reason why it shouldn't work.

Here is a couple of examples using L2L VPN and PPTP/L2TP.

In fact I have done PPTP pass-through across a 5510 running 7.x going to a MS server, so not exactly the same but similar.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml#table2

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36917575
Thanks.  The customer decided it was fine for me to create the VPN on the main PIX.  When I posted this question, the requirement was to use another pix for VPNs, but that changed.  dslam24 I do like your idea, and think I will try that on my network at my office just to see if it works.  I don't see why it wouldn't, I have actually done this with a sonicwall before, it just didn't come to mind until you mentioned it.  Thank you all for your comments.
0

Featured Post

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question