«

Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
locations. Now I want to use the VPN client to be able to connect a tunnel
into one location but to be able to also get through to the other location.
As the internet connects to one physical interface, it would mean the VPN
client tunnel coming in on that interface and the inter-location tunnel back
out on the same interface. As far as IP address space is concerned, if one
location uses 10.1.0.0 and the other uses 10.2.0.0, I'd like to have the VPN
client route all 10.0.0.0 traffic down the tunnel and have both locations
accessible.

Can this be done? Anyone have any tips as to how to achieve it? If it's not
possible, how to I achieve the result most effectively?

Thanks,

Steve

Steve Baker wrote:

> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
> locations. Now I want to use the VPN client to be able to connect a tunnel
> into one location but to be able to also get through to the other
> location. As the internet connects to one physical interface, it would
> mean the VPN client tunnel coming in on that interface and the
> inter-location tunnel back out on the same interface. As far as IP address
> space is concerned, if one location uses 10.1.0.0 and the other uses
> 10.2.0.0, I'd like to have the VPN client route all 10.0.0.0 traffic down
> the tunnel and have both locations accessible.
>
> Can this be done? Anyone have any tips as to how to achieve it? If it's
> not possible, how to I achieve the result most effectively?
>
> Thanks,
>
> Steve
This has been answer 1000 times...

The answer is no, you need two PIX to do the trick... or a router or a
concentrator

In article <chVac.63325$>,
Joce <> wrote:
:Steve Baker wrote:

:> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
:> locations. Now I want to use the VPN client to be able to connect a tunnel
:> into one location but to be able to also get through to the other
:> location. As the internet connects to one physical interface, it would

:This has been answer 1000 times...

:The answer is no, you need two PIX to do the trick... or a router or a
:concentrator

Or wait for 7.0, apparently.

--
Aleph sub {Aleph sub null} little, Aleph sub {Aleph sub one} little,
Aleph sub {Aleph sub two} little infinities...

Walter Roberson wrote:

> In article <chVac.63325$>,
> Joce <> wrote:
> :Steve Baker wrote:
>
> :> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting
> :> two locations. Now I want to use the VPN client to be able to connect a
> :> tunnel
> :> into one location but to be able to also get through to the other
> :> location. As the internet connects to one physical interface, it would
>
> :This has been answer 1000 times...
>
> :The answer is no, you need two PIX to do the trick... or a router or a
> :concentrator
>
> Or wait for 7.0, apparently.
>
It's about time... nothing else I know has this restriction!!

"Joce" <> wrote in message
news:X9Xac.63785$ ...
> Walter Roberson wrote:
>
> > In article <chVac.63325$>,
> > Joce <> wrote:
> > :Steve Baker wrote:
> >
> > :> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting
> > :> two locations. Now I want to use the VPN client to be able to connect
a
> > :> tunnel
> > :> into one location but to be able to also get through to the other
> > :> location. As the internet connects to one physical interface, it
would
> >
> > :This has been answer 1000 times...
> >
> > :The answer is no, you need two PIX to do the trick... or a router or a
> > :concentrator
> >
> > Or wait for 7.0, apparently.
> >
> It's about time... nothing else I know has this restriction!!

It's not a bug.... it's a (security) feature!

admin too wrote:

>
> "Joce" <> wrote in message
> news:X9Xac.63785$ ...
>> Walter Roberson wrote:
>>
>> > In article <chVac.63325$>,
>> > Joce <> wrote:
>> > :Steve Baker wrote:
>> >
>> > :> Here's what I have. A PIX 515E at each end of a VPN tunnel
>> > :> connecting two locations. Now I want to use the VPN client to be
>> > :> able to connect
> a
>> > :> tunnel
>> > :> into one location but to be able to also get through to the other
>> > :> location. As the internet connects to one physical interface, it
> would
>> >
>> > :This has been answer 1000 times...
>> >
>> > :The answer is no, you need two PIX to do the trick... or a router or a
>> > :concentrator
>> >
>> > Or wait for 7.0, apparently.
>> >
>> It's about time... nothing else I know has this restriction!!
>
> It's not a bug.... it's a (security) feature!

yes I know... Microsoft has a lot of features too!!

Seriously I totaly understand the purpose of this "feature" but sometime too
much it's like not enough

Any idea how this has to be configured? If a router's used, does it simply
act as a device to turn packets around. Nothing else? The PIX is still the
VPN end-point and the router just provides an effective loopback outside the
PIX?

Steve

"Joce" <> wrote in message
news:X9Xac.63785$ ...
> Walter Roberson wrote:
>
> > In article <chVac.63325$>,
> > Joce <> wrote:
> > :Steve Baker wrote:
> >
> > :> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting
> > :> two locations. Now I want to use the VPN client to be able to connect
a
> > :> tunnel
> > :> into one location but to be able to also get through to the other
> > :> location. As the internet connects to one physical interface, it
would
> >
> > :This has been answer 1000 times...
> >
> > :The answer is no, you need two PIX to do the trick... or a router or a
> > :concentrator
> >
> > Or wait for 7.0, apparently.
> >
> It's about time... nothing else I know has this restriction!!

In article <406c1d8e$0$16870$>,
Steve Baker <> wrote:
:Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
:locations. Now I want to use the VPN client to be able to connect a tunnel
:into one location but to be able to also get through to the other location.

:Can this be done? Anyone have any tips as to how to achieve it? If it's not
ossible, how to I achieve the result most effectively?

1) Subnet your outside address space, route part of it to one of the 515
interfaces, route the other part to the other 515 interface,
have one client VPN to the first interface, the other
VPN connect to the second interface. They are then on different interfaces
and can send traffic to each other. Requires a third interface, of course,
unless you are running relatively new PIX and your router knows about
VLANs: in that case you can do it with two interfaces [but not on the
PIX 501, 506, or 506E, which don't support vlans.]

2) Add a second PIX on the "inside". set the ACL's of the outside
PIX to pass through IPSec. Have the second client VPN to the inside
PIX instead of the outside. Have that inside PIX "reversed" so that
the VPN connection is to the inside interface instead of the outside.
Have the outside interface do normal nat'ing into your regular IP
address space. Make sure you use subnets or 'route' statements on
your outside PIX so that replies to those IPs get directed to the
inside PIX. The connections come in encrypted from the second PIX,
get decrypted, nat'd into your other address space, and so are not
the same packets when they hit the outside PIX on the way out, so
the outside PIX will not block them. Replies back from the remote
end just look like replies to hosts in your regular address space,
so they can passed along to the inside, where they hit the outside
address of the inner PIX, get de-nat'd and get encapsulated into the
IPSec tunnel for sending to the second site.

This method works -- I have it running. Mind you, most of the connections
are one-way, one site to the other, so I haven't had to worry much about
connections initiated the other way around. Can certainly be done, but
requires static mapping of the carrier IP addresses.

--
Cannot open .signature: Permission denied

Steve Baker wrote:

> Any idea how this has to be configured? If a router's used, does it simply
> act as a device to turn packets around. Nothing else? The PIX is still the
> VPN end-point and the router just provides an effective loopback outside
> the PIX?
>
> Steve
>
> "Joce" <> wrote in message
> news:X9Xac.63785$ ...
>> Walter Roberson wrote:
>>
>> > In article <chVac.63325$>,
>> > Joce <> wrote:
>> > :Steve Baker wrote:
>> >
>> > :> Here's what I have. A PIX 515E at each end of a VPN tunnel
>> > :> connecting two locations. Now I want to use the VPN client to be
>> > :> able to connect
> a
>> > :> tunnel
>> > :> into one location but to be able to also get through to the other
>> > :> location. As the internet connects to one physical interface, it
> would
>> >
>> > :This has been answer 1000 times...
>> >
>> > :The answer is no, you need two PIX to do the trick... or a router or a
>> > :concentrator
>> >
>> > Or wait for 7.0, apparently.
>> >
>> It's about time... nothing else I know has this restriction!!

You can just terminate you tunnels directly in the router, if you got the
power.