[c-nsp] Site to Site VPN with PIX 515E

Dave Lim dave.daturax at gmail.com
Tue Sep 12 23:54:56 EDT 2006


Yes, the 2 PIX in question are 6.3. I have the following interfaces on Site
B.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 equant_net security95
nameif ethernet4 scl security98
nameif ethernet5 saut security99

So the PIX 6.3 limitation of not allowing IPsec traffic to make a u-turn is
applicable in my situation if I want Site A to access ethernet1 to
ethernet5.




On 9/13/06, Jason Lixfeld <jason at lixfeld.ca> wrote:
>
> You won't need to do any routing, providing the PIXen are the default
> gateways for each respective site.
>
> There is one gotcha.  If you are running < 7.0, you will not be able
> to access the interfaces directly attached to the PIX.  You'll be
> able to access the hosts behind the interfaces, but not the
> interfaces directly.  This is due to a u-turn limitation in < 7.0
> that doesn't permit IPSec traffic to exit the same interface it
> entered on.  Where this becomes annoying is if, say, you want to SNMP
> poll PIX B from PIX A's site or vice versa, you won't be able to.
>
> On 12-Sep-06, at 10:28 PM, Dave Lim wrote:
>
> > Hi,
> >
> > I intend to do a site to site VPN tunnel between 2 sites. For Site A's
> > PIX there are only 2 interfaces, 1 inside and 1 outside. But for Site B,
> > I have 5 interfaces.
> >
> > My question is if I were to do a site to site VPN between these 2 sites,
> > will Site A be able to access Site B's 4 interfaces. I guess I need to
> > reflect the routing statements on Site's A PIX?
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
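
For reference, here is the shape of the PIX 6.3 site-to-site configuration the thread is describing, with Site B's four extra interfaces carried by a single crypto ACL entry rather than per-interface routes. This is an added example, not configuration from either poster; every address, network, peer, pre-shared key and ACL/map name below is assumed (RFC 1918 / documentation ranges), and you should substitute your own. It assumes Site B's five internal networks are all subnets of 10.2.0.0/16 and Site A's inside network is 10.1.0.0/24.

```text
! ===== Site B (PIX 515E, 6.3) =====  [assumed addressing]
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
nameif ethernet3 equant_net security95
nameif ethernet4 scl security98
nameif ethernet5 saut security99
ip address outside 198.51.100.1 255.255.255.0
ip address inside 10.2.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address equant_net 10.2.3.1 255.255.255.0
ip address scl 10.2.4.1 255.255.255.0
ip address saut 10.2.5.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

! One "interesting traffic" ACL covers all five internal networks at once,
! so no extra routing is needed on Site A, as the reply above says.
access-list vpn_siteA permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.255.0

! Exempt tunnel traffic from NAT on every internal interface (6.3 nat 0 is
! per interface; the same ACL can be referenced from each).
nat (inside) 0 access-list vpn_siteA
nat (dmz) 0 access-list vpn_siteA
nat (equant_net) 0 access-list vpn_siteA
nat (scl) 0 access-list vpn_siteA
nat (saut) 0 access-list vpn_siteA

! Let decrypted IPsec traffic bypass the interface ACLs.
sysopt connection permit-ipsec

isakmp enable outside
isakmp identity address
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ts_3des_sha esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_siteA
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set ts_3des_sha
crypto map vpnmap interface outside

! ===== Site A (PIX, 6.3) =====  [assumed addressing]
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! Mirror image of Site B's crypto ACL.
access-list vpn_siteB permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list vpn_siteB
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp key <pre-shared-key> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ts_3des_sha esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn_siteB
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set ts_3des_sha
crypto map vpnmap interface outside
```

With this in place, hosts behind any of Site B's five interfaces (10.2.1.x through 10.2.5.x) are reachable from 10.1.0.0/24, which is the case the thread says works. The interface addresses themselves (10.2.1.1, 10.2.2.1, ...) are the u-turn case the reply warns about on pre-7.0 code, so an SNMP poller at Site A should not expect an answer from them over the tunnel. If you need to reach one of them anyway, check whether your 6.3 image supports the `management-access` command, which is intended for management of a single internal interface over a VPN tunnel; treat that as something to verify against the command reference for your release rather than as a given. Also note the example keeps 3DES/SHA-1 and a pre-shared key because that is what a 2006-era PIX 6.3 supports; on current gear use AES and stronger hashing.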