[c-nsp] Site to Site VPN with PIX 515E

Jason Lixfeld jason at lixfeld.ca
Wed Sep 13 00:07:08 EDT 2006


If ethernet0 - ethernet5 on PIX B are configured like so:

ethernet0 ip: 192.168.0.1/24
ethernet1 ip: 192.168.1.1/24
ethernet2 ip: 192.168.2.1/24
ethernet3 ip: 192.168.3.1/24
ethernet4 ip: 192.168.4.1/24
ethernet5 ip: 192.168.5.1/24

Site A will not be able to access any IPs configured locally on the device.  Any IPs configured on devices hanging off any of the interfaces themselves (assume .2 - .254, assuming a /24 network on each interface) will be accessible from Site A.

That caveat only affects access to the device directly, not access through the device, sorry if I wasn't clear.

On 12-Sep-06, at 11:54 PM, Dave Lim wrote:

> Yes, the 2 PIX in question are 6.3. I have the following interfaces on Site B.
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security90
> nameif ethernet3 equant_net security95
> nameif ethernet4 scl security98
> nameif ethernet5 saut security99
>
> So the PIX 6.3 limitation of not allowing IPsec traffic to make a u-turn is
> applicable in my situation if I want Site A to access ethernet1 to ethernet5.
>
> On 9/13/06, Jason Lixfeld <jason at lixfeld.ca> wrote:
>>
>> You won't need to do any routing, providing the PIXen are the default gateways for each respective site.
>>
>> There is one gotcha.  If you are running < 7.0, you will not be able to access the interfaces directly attached to the PIX.  You'll be able to access the hosts behind the interfaces, but not the interfaces directly.  This is due to a u-turn limitation in < 7.0 that doesn't permit IPSec traffic to exit the same interface it entered on.  Where this becomes annoying is if, say, you want to SNMP poll PIX B from PIX A's site or vice versa, you won't be able to.
>>
>> On 12-Sep-06, at 10:28 PM, Dave Lim wrote:
>>
>>> Hi,
>>>
>>> I intend to do a site to site VPN tunnel between 2 sites. For Site A's PIX there are only 2 interfaces, 1 inside and 1 outside. But for Site B, I have 5 interfaces.
>>>
>>> My question is if I were to do a site to site VPN between these 2 sites, will Site A be able to access Site B's 4 interfaces. I guess I need to reflect the routing statements on Site A's PIX?
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
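An added example, not code from the thread or from Cisco, that models the caveat Jason describes: it parses the nameif lines from Dave's post together with constructed `ip address` lines built from the /24s listed at the top, then classifies whether a Site A destination is a host behind a PIX B interface (reachable over the tunnel) or one of PIX B's own interface addresses (not reachable before 7.0). The `pix_version` parameter and the classification strings are assumptions for illustration.

```python
import ipaddress
import re

# Constructed PIX B config: nameif lines as posted by Dave, ip address lines
# built from the 192.168.0.1/24 .. 192.168.5.1/24 assignments Jason assumed.
PIX_B_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 equant_net security95
nameif ethernet4 scl security98
nameif ethernet5 saut security99
ip address outside 192.168.0.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address equant_net 192.168.3.1 255.255.255.0
ip address scl 192.168.4.1 255.255.255.0
ip address saut 192.168.5.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {nameif: (hardware name, security level, IPv4Interface)}."""
    names, ifaces = {}, {}
    for line in config.strip().splitlines():
        m = re.match(r"nameif (\S+) (\S+) security(\d+)", line)
        if m:
            names[m.group(2)] = (m.group(1), int(m.group(3)))
            continue
        m = re.match(r"ip address (\S+) (\S+) (\S+)", line)
        if m:
            hw, sec = names[m.group(1)]
            addr = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            ifaces[m.group(1)] = (hw, sec, addr)
    return ifaces

def reachable_over_tunnel(dst, ifaces, pix_version):
    """Classify a Site A -> Site B destination per the thread's caveat.
    Returns (reachable, reason). pix_version is a hypothetical float, e.g. 6.3."""
    dst = ipaddress.ip_address(dst)
    for name, (hw, sec, addr) in ifaces.items():
        if dst == addr.ip:
            # The PIX's own interface address: blocked by the pre-7.0 u-turn limit.
            if pix_version < 7.0:
                return (False, f"{name} ({hw}) interface address, pre-7.0 u-turn limit")
            return (True, f"{name} ({hw}) interface address")
        if dst in addr.network:
            # A host hanging off the interface is reached through the PIX, not to it.
            return (True, f"host behind {name} ({hw})")
    return (False, "not on a PIX B connected network")
```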