2 VPNs Interface Issues
Hi folks,
I have a PIX 501 with a public IP on the outside interface. I want to set up 2 VPNs to 2 other companies' VPN devices, or using the Cisco VPN client; both would connect to the outside interface. If I do this, will clients on both of the companies' VPNs be able to talk to each other? I'm thinking of the rule "the PIX can't route traffic back through the same interface it came in on", or does this rule not apply when we're talking about VPNs?

    Company1     Company2
        |        /
         Public IP
           PIX

If it did apply, then could I have 2 PIX 501s: one PIX (pix1) with the outside interface mapped to a public IP, and another PIX (pix2) with the outside interface mapped to an internal IP but NATed to a public IP (the NATing would be done by pix1)? One of my VPNs could terminate at pix1 and the other at pix2. This would ensure traffic travelled over both interfaces of pix1.

    Company1
        |
    Public IP
      Pix1
    Internal IP
        |
    Internal IP (NATed to public IP) - Company 2
      Pix2

Surely there would be an easier way to do this? If you can recommend any other way, or any other device rather than a PIX, then let me know. Also, don't worry about security between company 1 and 2; I'm just using these as easy-to-follow examples.

Any help would be gratefully received.

cheers
Dave
Re: 2 VPNs Interface Issues
Hi,
You're right, the VPNs will NOT be able to communicate with each other. The rule "the PIX can't route traffic back through the same interface it came in on" still applies for the PIX 501. This issue has been "fixed" in PIX OS 7.0, which is currently not available for the PIX 501.

Erik

"Dave" <david.hodgson@vianet.co.uk> wrote in message news:1119543929.432966.267020@z14g2000cwz.googlegroups.com... (quoting Dave's original post above in full)
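The PIX OS 7.0 behaviour Erik refers to is the `same-security-traffic permit intra-interface` command, which allows a packet that arrived on the outside interface to be sent back out of the outside interface ("hairpinning"), so a partner's traffic can be decrypted from one tunnel and re-encrypted into the other. The configuration below is an added example of what the two site-to-site tunnels would then look like on a 7.x PIX/ASA; it is not from this thread or from either poster. All addresses, ACL names, peer IPs and pre-shared keys are hypothetical (192.168.1.0/24 as the local LAN, 10.1.0.0/24 and 10.2.0.0/24 as the two partner LANs, RFC 5737 documentation addresses as the peers).

```cisco
! Added example, hypothetical addressing:
!   inside LAN     192.168.1.0/24
!   Company1 LAN   10.1.0.0/24, peer 203.0.113.10
!   Company2 LAN   10.2.0.0/24, peer 198.51.100.20

! The PIX OS 7.0 change: let traffic that entered "outside" leave via "outside" again.
same-security-traffic permit intra-interface

! Interesting traffic for each tunnel. The second line of each ACL is the
! hairpin leg: the other partner's LAN must be covered by this tunnel's
! crypto ACL, and the partner must mirror the same networks at their end.
access-list vpn_company1 extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn_company1 extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn_company2 extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn_company2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0

! NAT exemption. Inside->partner flows are exempted on the inside interface;
! partner->partner flows never touch inside, so they are exempted on outside.
access-list nonat_inside extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list nonat_inside extended permit ip 192.168.1.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat_outside extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat_outside extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
nat (outside) 0 access-list nonat_outside

! IKE phase 1 and IPsec phase 2 parameters.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! One crypto map on the outside interface, one entry per partner.
crypto map outside_map 10 match address vpn_company1
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 20 match address vpn_company2
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! Pre-shared keys are placeholders; use long random values per peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-ME-COMPANY1
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-ME-COMPANY2
```

The caveat a practitioner would want: once `same-security-traffic permit intra-interface` is on and both crypto ACLs carry the hairpin lines, every host in Company1 can reach every host in Company2 through this box, which is exactly what Dave said to ignore for the example but would not be acceptable between two unrelated partners in practice. With the default `sysopt connection permit-ipsec`, decrypted tunnel traffic bypasses the outside interface ACL, so restrict the partner-to-partner leg either with a `vpn-filter` ACL in the group-policy applied to each tunnel-group, or by removing that sysopt and filtering on the outside interface ACL. After bringing the tunnels up, `show crypto ipsec sa` should show the 10.1.0.0/24 <-> 10.2.0.0/24 proxy identities on both SAs, which confirms the hairpinned leg is being encrypted rather than dropped.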
Re: 2 VPNs Interface Issues
Thank you, Erik.

It looks like our best option, but it looks like we'll have to spend some cash on a 515 or similar. I now have another question, which I posted separately.

Dave
Re: 2 VPNs Interface Issues
In article <1119610410.684144.248660@z14g2000cwz.googlegroups.com>, Dave <david.hodgson@vianet.co.uk> wrote:

:It looks like our best option, but looks like we'll have to spend some
:cash on a 515 or similar.

If you have more than one public IP address and can spare one, then you can add a second PIX 501 to your network. One party would VPN to one of them, the other party would VPN to the other, and because the packets would not be going out the -same- interface they came in on, the PIX would be perfectly happy.

(This kind of configuration does work -- we've done effectively that here.)

--
Ceci, ce n'est pas une idée. (This is not an idea.)
Re: 2 VPNs Interface Issues
Thank you, Walter.