Velocity Reviews > Newsgroups > Computing > Cisco > configure 2 site-to-site VPN in Pix 515E
configure 2 site-to-site VPN in Pix 515E

 
 
Benson
10-31-2004
Hi,

My network environment is the following:

1. Site A ---- Site B ---- Site C
2. three sites are using one PIX515E.

How can I configure the PIX at Site B so that the 2 site-to-site VPNs
work well?


My problem is that, two Peers are formed, but I can not use them to
get into Site A and Site C when I am in Site B, or I can only get
access to Site A.


My setting:


1. crypto ( nothing special )
2. isakmp key ( 2 keys )
3. isakmp map ( 2 peers )


What special configuration do I have to take care of?


Thank you
Benson
PES
10-31-2004
Benson wrote:
> Hi,
>
> My network environment is the following:
>
> 1. Site A ---- Site B ---- Site C
> 2. three sites are using one PIX515E.
>
> How can I configure the PIX at Site B so that the 2 site-to-site VPNs
> work well?
>
>
> My problem is that, two Peers are formed, but I can not use them to
> get into Site A and Site C when I am in Site B, or I can only get
> access to Site A.
>
>
> My setting:
>
>
> 1. crypto ( nothing special )
> 2. isakmp key ( 2 keys )
> 3. isakmp map ( 2 peers )
>
>
> What special configuration do I have to take care of?
>
>
> Thank you
> Benson


It is the fundamental design of the pix that a packet that enters an
interface cannot leave out the same interface (crypto or no crypto).
Therefore, the location with the pix 515e should be able to access the
other two locations regardless of their vpn device. However, assuming
site 1 has pix 515e and site 2 and 3 have a device that tunnels to the
pix 515e, site 2 cannot communicate with site 3 or vice versa without
building a tunnel directly from one to the other. The other option
would be to add interfaces to the pix 515e so the packets don't break
the ingress/egress rule. You could also build an 802.1q trunk on the
outside to accomplish this. Pix 7 may or may not address this issue.
Benson
11-01-2004
PES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$(E-Mail Removed)>...
> Benson wrote:
> > Hi,
> >
> > My network environment is the following:
> >
> > 1. Site A ---- Site B ---- Site C
> > 2. three sites are using one PIX515E.
> >
> > How can I configure the PIX at Site B so that the 2 site-to-site VPNs
> > work well?
> >
> >
> > My problem is that, two Peers are formed, but I can not use them to
> > get into Site A and Site C when I am in Site B, or I can only get
> > access to Site A.
> >
> >
> > My setting:
> >
> >
> > 1. crypto ( nothing special )
> > 2. isakmp key ( 2 keys )
> > 3. isakmp map ( 2 peers )
> >
> >
> > What special configuration do I have to take care of?
> >
> >
> > Thank you
> > Benson

>
> It is the fundamental design of the pix that a packet that enters an
> interface cannot leave out the same interface (crypto or no crypto).
> Therefore, the location with the pix 515e should be able to access the
> other two locations regardless of their vpn device. However, assuming
> site 1 has pix 515e and site 2 and 3 have a device that tunnels to the
> pix 515e, site 2 cannot communicate with site 3 or vice versa without
> building a tunnel directly from one to the other. The other option
> would be to add interfaces to the pix 515e so the packets don't break
> the ingress/egress rule. You could also build an 802.1q trunk on the
> outside to accomplish this. Pix 7 may or may not address this issue.


Hi,

What do you mean by "building an 802.1q trunk on the outside"?
Just enable trunking on the outside ethernet in order to achieve
the above goal?


BTW, what do you think if I configure two isakmp policies into the PIX
on Site B ?

Thank you very much for your help
Walter Roberson
11-01-2004
In article <(E-Mail Removed) >,
Benson <(E-Mail Removed)> wrote:
:PES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$(E-Mail Removed)>...
:> It is the fundamental design of the pix that a packet that enters an
:> interface cannot leave out the same interface (crypto or no crypto).

:> You could also build a 802.1q trunk on the
:> outside to accomplish this.

:What do you mean "building a 802.1q trunk on the outside" ?
:Just enable the trunking on the outside ethernet in order to achieve
:the above goal ?

On your switch, you would convert the port from an 'access' port
to a 'trunk'. On the PIX, you would add a logical interface.
That's an 'interface' command with the 'logical' keyword.

There are examples in the PIX reference manual.


:BTW, what do you think if I configure two isakmp policies into the PIX
:on Site B ?

That won't help you achieve your goal of having A be able to access
C by way of B. There is NO way on the PIX to have the PIX relay
packets out the same logical interface they came in on. No matter
what tricks you try, it's still the case that if you try,
the entrance and exit interfaces (i.e., the one interface you are
trying to get to relay) will have the same security level [as itself],
and the PIX never allows packets to go to a destination interface with
the same security level as the source interface.

Your only recourses are as PES indicated -- have the remote systems
talk directly to each other (A->C directly without going through B), or
use different physical interfaces, or use different logical interfaces
on the same physical interface [if you have new enough PIX software].
--
WW{Backus,Church,Dijkstra,Knuth,Hollerith,Turing,vonNeumann}D ?
Benson
11-01-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cm465j$8io$(E-Mail Removed)>...
> In article <(E-Mail Removed) >,
> Benson <(E-Mail Removed)> wrote:
> :PES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$(E-Mail Removed)>...
> :> It is the fundamental design of the pix that a packet that enters an
> :> interface cannot leave out the same interface (crypto or no crypto).
>
> :> You could also build a 802.1q trunk on the
> :> outside to accomplish this.
>
> :What do you mean "building a 802.1q trunk on the outside" ?
> :Just enable the trunking on the outside ethernet in order to achieve
> :the above goal ?
>
> On your switch, you would convert the port from an 'access' port
> to a 'trunk'. On the PIX, you would add a logical interface.
> That's an 'interface' command with the 'logical' keyword.
>
> There are examples in the PIX reference manual.
>
>
> :BTW, what do you think if I configure two isakmp policies into the PIX
> :on Site B ?
>
> That won't help you achieve your goal of having A be able to access
> C by way of B. There is NO way on the PIX to have the PIX relay
> packets out the same logical interface they came in on. No matter
> what tricks you try, it's still the case that if you try,
> the entrance and exit interfaces (i.e., the one interface you are
> trying to get to relay) will have the same security level [as itself],
> and the PIX never allows packets to go to a destination interface with
> the same security level as the source interface.
>
> Your only recourses are as PES indicated -- have the remote systems
> talk directly to each other (A->C directly without going through B), or
> use different physical interfaces, or use different logical interfaces
> on the same physical interface [if you have new enough PIX software].




What is creating a logical interface for? Do I configure the logical
interface with a special IP configuration?

Thank you
Walter Roberson
11-02-2004
In article <(E-Mail Removed) >,
Benson <(E-Mail Removed)> wrote:
|> :PES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$(E-Mail Removed)>...
|> :> It is the fundamental design of the pix that a packet that enters an
|> :> interface cannot leave out the same interface (crypto or no crypto).

|What for creating a logical interface ? Do I configure the logical
|interface with special ip configuration ?

As usual, every interface on the PIX must be configured with a
different IP address range. Thus, in order to take the logical
interface approach, you will need the next hop outwards to be either a
switch or router that supports IEEE 802.1Q VLAN trunks, and the trunk
must be configured with at least two different VLANs, and you must have
802.1Q trunking all the way out to a router that is able to split the
address ranges to go into the appropriate VLAN.

In order to effectively be able to split the traffic into
non-overlapping ranges to go into the VLANs to feed into your PIX 515,
your ISP must be feeding your router disjoint IP address
ranges or your router must subdivide the existing IP address range
into subnets, at least one of which must be directed to each VLAN.
If you have a relatively small IP address range being fed to you,
then usually you would accomplish this by splitting the range into
exactly two equal-size subnets. If, though, you have a large IP
address range being fed to you, you can probably afford the loss
of two IPs per subnet (base address and broadcast address are
reserved), and so can probably split into more subnets with one of the
smaller subnets going to each VLAN.

You would then use the 'interface' command as usual to create any
untagged vlan (traditionally, no VLAN tag is sent when the VLAN number
is the same as the port PVID). You then add another 'interface' command
referencing the same physical interface but giving the keyword
'logical' and specifying the VLAN number. That will have the effect of
creating a new pseudo-physical interface named 'vlan' followed by the
vlan number (e.g., vlan10). These pseudo-interfaces exist at the same
level as the true physical interfaces such as "ethernet0", so you then
use the 'nameif' command to assign a security level and meaningful name
to the interface (such as 'dmz' or 'vpn2C'). Once you have the
interface named, you proceed to use the 'ip address' command on that
interface to associate an IP subnet with the VLAN, and you can go ahead
and refer to the interface in commands such as 'static' and 'isakmp
enable' and 'crypto map interface', just as you would if it were a
physical interface such as 'outside'.
--
"WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
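The following configuration fragment is an added worked example of the logical-interface approach, covering both PES's ingress/egress rule and Walter Roberson's 'interface' / 'logical' / 'nameif' / 'ip address' sequence above. It is not configuration from this thread or from Cisco; it uses PIX 6.3 command syntax and entirely made-up values: the provider block 203.0.113.0/28 is assumed to be split by the upstream router into 203.0.113.0/29 (untagged, PVID side) and 203.0.113.8/29 (VLAN 10), Site A's peer is 192.0.2.10, Site C's peer is 198.51.100.3, the LANs are 192.168.1.0/24 (A), 192.168.2.0/24 (B) and 192.168.3.0/24 (C), and the names vpn2C, mapA, mapC, toA, toC and the pre-shared-key placeholders are all invented. NAT exemption for the three LANs and the translation/access rules the A-to-C transit flows need on both interfaces are not shown; only the VLAN-interface and per-interface crypto map pieces the post describes are. Lines beginning with '!' are annotations.

```cisco
! Added example (not from the thread). PIX 6.3 syntax, hypothetical addresses.
! Physical port: untagged traffic (VLAN equal to the switch port's PVID)
! stays on the existing 'outside' interface.
interface ethernet0 100full
! Logical sub-interface on the same port, tagged with VLAN 10.
! This creates a pseudo-physical interface named vlan10.
interface ethernet0 vlan10 logical

! Name both interfaces and give them DIFFERENT security levels:
! the PIX never forwards between two interfaces with the same level,
! so two tunnels terminating on one level-0 interface cannot relay A<->C.
nameif ethernet0 outside security0
nameif vlan10 vpn2C security10
nameif ethernet1 inside security100

! One disjoint subnet per interface (two /29s carved from the /28).
ip address outside 203.0.113.2 255.255.255.248
ip address vpn2C 203.0.113.10 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0

! Default route via the untagged side; Site C's public peer and Site C's
! LAN are routed out vlan10 so the vpn2C crypto map sees that traffic,
! including traffic that just arrived decrypted from Site A on 'outside'.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route vpn2C 198.51.100.0 255.255.255.0 203.0.113.9 1
route vpn2C 192.168.3.0 255.255.255.0 203.0.113.9 1
route outside 192.168.1.0 255.255.255.0 203.0.113.1 1

! IPsec-decrypted traffic bypasses interface access-list checks.
sysopt connection permit-ipsec

! Phase 1: one policy is enough for both peers; enable ISAKMP per interface.
isakmp enable outside
isakmp enable vpn2C
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Placeholders: use a distinct, long random key per peer.
isakmp key PSK-A-PLACEHOLDER address 192.0.2.10 netmask 255.255.255.255
isakmp key PSK-C-PLACEHOLDER address 198.51.100.3 netmask 255.255.255.255

! Phase 2 proposal shared by both maps.
crypto ipsec transform-set ts-aes-sha esp-aes-256 esp-sha-hmac

! Interesting traffic for tunnel A includes C's LAN -> A's LAN, and tunnel C
! includes A's LAN -> C's LAN; that is what lets B relay between A and C.
! Sites A and C must carry the mirror-image entries in their own crypto ACLs.
access-list toA permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toA permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list toC permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list toC permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

! One crypto map per interface, one peer each.
crypto map mapA 10 ipsec-isakmp
crypto map mapA 10 match address toA
crypto map mapA 10 set peer 192.0.2.10
crypto map mapA 10 set transform-set ts-aes-sha
crypto map mapA interface outside

crypto map mapC 10 ipsec-isakmp
crypto map mapC 10 match address toC
crypto map mapC 10 set peer 198.51.100.3
crypto map mapC 10 set transform-set ts-aes-sha
crypto map mapC interface vpn2C
```

The point to check after applying something like this is that a packet from A to C enters on 'outside' (security0) and leaves on 'vpn2C' (security10), two different interfaces at two different levels, so the same-interface and same-security-level rules the thread describes no longer apply; 'show crypto ipsec sa' on each interface should then show SAs whose selectors include the remote-to-remote pair, not just B's own LAN.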