[c-nsp] VPN tunnel between two PIXes with VPN Clients
Tony Mucker
Tony at tonymucker.com
Thu Jan 20 20:48:03 EST 2005
Hello again,
I'm to connect our other office's PIX with ours via an IPSEC tunnel.
Both of the PIXes also have VPN clients connected to each. After this
is completed, my boss wants to be able to offer our users the ability to
VPN into either PIX. It looks something like this:
VPN Clients West ----- PIX West ----- PIX East ----- VPN Clients East
The actual configuration is straight-forward enough. My question is,
will VPN Clients West be able to pass traffic through PIX West and into
PIX East's network (accessing servers or something), and can VPN Clients
East do the same for PIX West's network?
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093bd3.shtml
That's the Cisco doc on configuring PIX-to-PIX-to-PIX IPSec (Hub and
spoke), which looks like this:
            PIX Central
             /       \
          PIX2      PIX3
In this config example from Cisco, it specifically states that "The two
outlying networks [PIX2 and PIX3] will not be able to communicate with
each other by going through the central PIX because the PIX will not
route traffic received on one interface back out the same interface."
IIRC, what they're describing is called Router-on-a-stick, which the PIX
does not do (this I know from firsthand experience). In my first
example, traffic from VPN Clients West would travel to PIX West's
outside interface, and then be routed out again through that outside
interface to PIX East. The same thing would again happen in reverse, if
VPN Clients East were trying to access PIX West's network.
So, is there any way to get this setup working? Or will those users
wanting to access resources behind PIX East need to VPN into PIX East?
Thanks again,
Tony
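An illustrative configuration fragment for the case described above, added here as an example and not part of Tony's post or the Cisco document he links. It assumes PIX software 7.0 or later, which introduced "same-security-traffic permit intra-interface" to allow traffic to enter and leave the same interface (PIX 6.x, the release family current when this was posted, has no equivalent, which is the restriction the Cisco example describes). The interface names, ACL names, peer address and subnets are all assumptions; ISAKMP policy, tunnel-group and pre-shared-key lines are omitted.

```cisco
! Illustrative PIX 7.x fragment for PIX West (assumed names and addresses):
!   West LAN 10.1.0.0/16, West VPN client pool 10.1.200.0/24
!   East LAN 10.2.0.0/16, East VPN client pool 10.2.200.0/24
!   PIX East outside address 198.51.100.1 (assumed site-to-site peer)
!
! Let traffic that arrives on "outside" (decrypted from a VPN client) be
! sent back out "outside" into the site-to-site tunnel. Without this line
! the PIX drops such traffic, which is the behaviour the hub-and-spoke
! document warns about.
same-security-traffic permit intra-interface
!
! Crypto ACL for the West<->East tunnel. It must match the client pools as
! well as the LANs, or the pool-to-remote-LAN flow is never encrypted into
! the tunnel and is dropped at the crypto map.
access-list l2l-east extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list l2l-east extended permit ip 10.1.200.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list l2l-east extended permit ip 10.1.0.0 255.255.0.0 10.2.200.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address l2l-east
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Split-tunnel ACL pushed to West's VPN clients: the East LAN has to be in
! it, otherwise the client sends that traffic out its local interface and
! it never reaches PIX West at all.
access-list split-west standard permit 10.1.0.0 255.255.0.0
access-list split-west standard permit 10.2.0.0 255.255.0.0
!
! PIX East needs the mirror image: the same same-security-traffic line, a
! crypto ACL with the source/destination pairs reversed (so 10.1.200.0/24
! appears as a destination), and 10.1.0.0/16 in its clients' split-tunnel ACL.
```

Two checks worth doing once this is in place: if either PIX applies NAT to traffic leaving "outside", the NAT-exemption ACL must also cover the client pool subnets, and "show crypto ipsec sa" on the hub should show a security association for the pool-to-remote-LAN proxy identities, not only for LAN-to-LAN. Clients of the East PIX reach West's network by the symmetric path, so with both sides configured this way nobody has to VPN into the far PIX directly.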