2 VPN's Interface Issues

Discussion in 'Cisco' started by Dave, Jun 23, 2005.

  1. Dave

    Dave Guest

    Hi folks,

    I have a PIX 501 with a public IP on the outside interface. I want to
    set up 2 VPNs to 2 other companies' VPN devices or using the Cisco VPN
    client; both would connect to the outside interface. If I do this, will
    clients on both the companies' VPNs be able to talk to each other? I'm
    thinking of the rule "pix can't route traffic back through the same
    interface it came in on", or does this rule not apply when we're talking
    about VPNs?

    Company1   Company2
        |     /
      Public IP
         PIX

    If it did apply then could I have 2 PIX 501s, one PIX (pix1) with the
    outside interface mapped to a public IP and another PIX (pix2) with the
    outside interface mapped to an internal IP but NAT'd to a public IP
    (NATing would be done by pix1)? One of my VPNs could terminate at pix1
    and the other at pix2. This would ensure traffic travelled over both
    interfaces of pix1.

    Company1
    |
    Public IP
    Pix1
    Internal IP
    |
    Internal IP (nat'd to public IP) - Company 2
    Pix2

    Surely there would be an easier way to do this? If you can recommend
    any other way or any other device rather than a PIX then let me know.
    Also don't worry about security between company 1 and 2, I'm just using
    these as easy to follow examples.

    Any help would be gratefully received.

    cheers
    Dave
    Dave, Jun 23, 2005
    #1

  2. Hi,

    You're right, the VPNs will NOT be able to communicate with each other. The
    rule "pix can't route traffic back through the same interface it came in on"
    still applies for the PIX 501. This issue has been "fixed" in PIX OS 7.0,
    which is currently not available for the PIX 501.

    Erik
    Erik Tamminga, Jun 23, 2005
    #2

  3. Dave

    Dave Guest

    Thank you Erik,

    It looks like our best option, but looks like we'll have to spend some
    cash on a 515 or similar. I now have another question which I posted
    separately.

    Dave
    Dave, Jun 24, 2005
    #3
  4. In article <>,
    Dave <> wrote:
    :It looks like our best option, but looks like we'll have to spend some
    :cash on a 515 or similar.

    If you have more than one public IP address and can spare one, then
    you can add a second PIX 501 to your network. One party would
    VPN to one of them, the other party would VPN to the other, and
    because the packets would not be going out the -same- interface
    they came in on, the PIX would be perfectly happy. (This kind
    of configuration does work -- we've done effectively that here.)
    --
    Ceci, ce n'est pas une idée.
    Walter Roberson, Jun 24, 2005
    #4
  5. Dave

    Dave Guest

    Thank you Walter
    Dave, Jun 27, 2005
    #5