configure 2 site-to-site VPN in Pix 515E

Discussion in 'Cisco' started by Benson, Oct 31, 2004.

  1. Benson

    Benson Guest

    Hi,

    My network environment is the following:

    1. Site A ---- Site B ---- Site C
    2. three sites are using one PIX515E.

How can I configure the PIX at Site B so that the 2 site-to-site VPNs
work well?


My problem is that two peers are formed, but I cannot use them to
get into Site A and Site C when I am in Site B, or I can only get
access to Site A.


    My setting:


    1. crypto ( nothing special )
    2. isakmp key ( 2 keys )
    3. isakmp map ( 2 peers )


What special configuration do I have to take care of?


    Thank you
    Benson
     
    Benson, Oct 31, 2004
    #1

  2. Benson

    PES Guest

    Benson wrote:
    > Hi,
    >
    > My network environment is the following:
    >
    > 1. Site A ---- Site B ---- Site C
    > 2. three sites are using one PIX515E.
    >
    > How can I configure the PIX Site B, so that 2 Site-to-Site VPN are
    > working well.
    >
    >
    > My problem is that, two Peers are formed, but I can not use them to
    > get into Site A and Site C when I am in Site B, or I can only get
    > access to Site A.
    >
    >
    > My setting:
    >
    >
    > 1. crypto ( nothing special )
    > 2. isakmp key ( 2 keys )
    > 3. isakmp map ( 2 peers )
    >
    >
    > What special configuration I have to take care ?
    >
    >
    > Thank you
    > Benson


It is the fundamental design of the pix that a packet that enters an
interface cannot leave out the same interface (crypto or no crypto).
Therefore, the location with the pix 515e should be able to access the
other two locations regardless of their vpn device. However, assuming
site 1 has pix 515e and site 2 and 3 have a device that tunnels to the
pix 515e, site 2 cannot communicate with site 3 or vice versa without
building a tunnel directly from one to the other. The other option
would be to add interfaces to the pix 515e so the packets don't break
the ingress/egress rule. You could also build an 802.1q trunk on the
outside to accomplish this. Pix 7 may or may not address this issue.
     
    PES, Oct 31, 2004
    #2

  3. Benson

    Benson Guest

    PES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$>...
    > Benson wrote:
    > > Hi,
    > >
    > > My network environment is the following:
    > >
    > > 1. Site A ---- Site B ---- Site C
    > > 2. three sites are using one PIX515E.
    > >
    > > How can I configure the PIX Site B, so that 2 Site-to-Site VPN are
    > > working well.
    > >
    > >
    > > My problem is that, two Peers are formed, but I can not use them to
    > > get into Site A and Site C when I am in Site B, or I can only get
    > > access to Site A.
    > >
    > >
    > > My setting:
    > >
    > >
    > > 1. crypto ( nothing special )
    > > 2. isakmp key ( 2 keys )
    > > 3. isakmp map ( 2 peers )
    > >
    > >
    > > What special configuration I have to take care ?
    > >
    > >
    > > Thank you
    > > Benson

    >
    > It is the fundamental design of the pix that a packet that enters an
    > interface cannot leave out the same interface (crypto or no crypto).
    > Therefore, the location with the pix 515e should be able to access the
> other two locations regardless of their vpn device. However, assuming
    > site 1 has pix 515e and site 2 and 3 have a device that tunnels to the
    > pix 515e, site 2 cannot communicate with site 3 or vice versa without
    > building a tunnel directly from one to the other. The other option
    > would be to add interfaces to the pix 515e so the packets don't break
    > the ingress/egress rule. You could also build a 802.1q trunk on the
    > outside to accomplish this. Pix 7 may or may not address this issue.


    Hi,

What do you mean by "building an 802.1q trunk on the outside"?
Just enable trunking on the outside Ethernet in order to achieve
the above goal?


    BTW, what do you think if I configure two isakmp policies into the PIX
    on Site B ?

    Thank you very much for your help
     
    Benson, Nov 1, 2004
    #3
  4. In article <>,
    Benson <> wrote:
    :pES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$>...
    :> It is the fundamental design of the pix that a packet that enters an
    :> interface cannot leave out the same interface (crypto or no crypto).

    :> You could also build a 802.1q trunk on the
    :> outside to accomplish this.

    :What do you mean "building a 802.1q trunk on the outside" ?
    :Just enable the trunking on the outside ethernet in order to achieve
    :the above goal ?

    On your switch, you would convert the port from an 'access' port
    to a 'trunk'. On the PIX, you would add a logical interface.
    That's an 'interface' command with the 'logical' keyword.

    There are examples in the PIX reference manual.


    :BTW, what do you think if I configure two isakmp policies into the PIX
:on Site B ?

    That won't help you achieve your goal of having A be able to access
    C by way of B. There is NO way on the PIX to have the PIX relay
    packets out the same logical interface they came in on. No matter
    what tricks you try, it's still the case that if you try,
    the entrance and exit interfaces (i.e., the one interface you are
    trying to get to relay) will have the same security level [as itself],
    and the PIX never allows packets to go to a destination interface with
    the same security level as the source interface.

    Your only recourses are as PES indicated -- have the remote systems
    talk directly to each other (A->C directly without going through B), or
    use different physical interfaces, or use different logical interfaces
    on the same physical interface [if you have new enough PIX software].
    --
    WW{Backus,Church,Dijkstra,Knuth,Hollerith,Turing,vonNeumann}D ?
     
    Walter Roberson, Nov 1, 2004
    #4
  5. Benson

    Benson Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cm465j$8io$>...
    > In article <>,
    > Benson <> wrote:
    > :pES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$>...
    > :> It is the fundamental design of the pix that a packet that enters an
    > :> interface cannot leave out the same interface (crypto or no crypto).
    >
    > :> You could also build a 802.1q trunk on the
    > :> outside to accomplish this.
    >
    > :What do you mean "building a 802.1q trunk on the outside" ?
    > :Just enable the trunking on the outside ethernet in order to achieve
    > :the above goal ?
    >
    > On your switch, you would convert the port from an 'access' port
    > to a 'trunk'. On the PIX, you would add a logical interface.
    > That's an 'interface' command with the 'logical' keyword.
    >
    > There are examples in the PIX reference manual.
    >
    >
    > :BTW, what do you think if I configure two isakmp policies into the PIX
> :on Site B ?
    >
    > That won't help you achieve your goal of having A be able to access
    > C by way of B. There is NO way on the PIX to have the PIX relay
    > packets out the same logical interface they came in on. No matter
    > what tricks you try, it's still the case that if you try,
    > the entrance and exit interfaces (i.e., the one interface you are
    > trying to get to relay) will have the same security level [as itself],
    > and the PIX never allows packets to go to a destination interface with
    > the same security level as the source interface.
    >
    > Your only recourses are as PES indicated -- have the remote systems
    > talk directly to each other (A->C directly without going through B), or
    > use different physical interfaces, or use different logical interfaces
    > on the same physical interface [if you have new enough PIX software].




What is the purpose of creating a logical interface? Do I configure the
logical interface with a special IP configuration?

    Thank you
     
    Benson, Nov 1, 2004
    #5
  6. In article <>,
    Benson <> wrote:
    |> :pES <pestewart*NOSPAM*@adelphia.net> wrote in message news:<41851720$>...
    |> :> It is the fundamental design of the pix that a packet that enters an
    |> :> interface cannot leave out the same interface (crypto or no crypto).

    |What for creating a logical interface ? Do I configure the logical
    |interface with special ip configuration ?

    As usual, every interface on the PIX must be configured with a
    different IP address range. Thus, in order to take the logical
    interface approach, you will need the next hop outwards to be either a
    switch or router that supports IEEE 802.1Q VLAN trunks, and the trunk
    must be configured with at least two different VLANs, and you must have
    802.1Q trunking all the way out to a router that is able to split the
    address ranges to go into the appropriate VLAN.

    In order to effectively be able to split the traffic into
    non-overlapping ranges to go into the VLANs to feed into your PIX 515,
    your ISP must be feeding your router disjoint IP address
    ranges or your router must subdivide the existing IP address range
into subnets, at least one of which must be directed to each VLAN.
    If you have a relatively small IP address range being fed to you,
    then usually you would accomplish this by splitting the range into
    exactly two equal-size subnets. If, though, you have a large IP
    address range being fed to you, you can probably afford the loss
    of two IPs per subnet (base address and broadcast address are
reserved), and so can probably split into more subnets with one of the
    smaller subnets going to each VLAN.

    You would then use the 'interface' command as usual to create any
    untagged vlan (traditionally, no VLAN tag is sent when the VLAN number
    is the same as the port PVID). You then add another 'interface' command
    referencing the same physical interface but giving the keyword
    'logical' and specifying the VLAN number. That will have the effect of
    creating a new pseudo-physical interface named 'vlan' followed by the
    vlan number (e.g., vlan108). These pseudo-interfaces exist at the same
    level as the true physical interfaces such as "ethernet0", so you then
    use the 'nameif' command to assign a security level and meaningful name
    to the interface (such as 'dmz' or 'vpn2C'). Once you have the
    interface named, you proceed to use the 'ip address' command on that
    interface to associate an IP subnet with the VLAN, and you can go ahead
    and refer to the interface in commands such as 'static' and 'isakmp
    enable' and 'crypto map interface', just as you would if it were a
    physical interface such as 'outside'.
    --
    "WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG"
    WHEN QUINED, YIELDS A TORTOISE'S LOVE-SONG. (GEB)
     
    Walter Roberson, Nov 2, 2004
    #6
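The procedure Walter Roberson describes in #6 (a second, logical VLAN interface on the same physical port, given its own name, security level and IP subnet, and then referenced by 'static', 'isakmp enable' and 'crypto map interface'), together with the rule from #4 that the two tunnel-facing interfaces must not share a security level, put into one hub configuration for the Site B PIX. This is an added illustrative example, not configuration posted in the thread or taken from a Cisco document. It assumes PIX 6.3-style syntax (the 'interface ... vlanN logical' form and AES support), documentation address ranges for the three sites and the upstream router, and constructed names for the access-lists, transform set and crypto maps; only 'vlan108' and 'vpn2C' come from the post itself, and the pre-shared keys are placeholders.

```cisco
! Constructed example for the hub PIX 515E at Site B (not from the thread).
! Topology assumed: Site A = 10.1.0.0/16 behind peer 203.0.113.1
!                   Site B = 10.2.0.0/16 (this PIX, inside)
!                   Site C = 10.3.0.0/16 behind peer 198.51.100.1
! The upstream router feeds the PIX two /30s over one 802.1Q trunk:
!   untagged (native) VLAN -> 192.0.2.0/30  (router .1, PIX .2)
!   VLAN 108               -> 192.0.2.4/30  (router .5, PIX .6)

! --- interfaces: one physical port, plus a logical VLAN interface on the same wire ---
interface ethernet0 auto
interface ethernet0 vlan108 logical
interface ethernet1 auto

! The two tunnel-facing interfaces MUST carry different security levels;
! with equal levels the PIX will not relay packets between them.
nameif ethernet0 outside security0
nameif vlan108 vpn2C security10
nameif ethernet1 inside security100

ip address outside 192.0.2.2 255.255.255.252
ip address vpn2C 192.0.2.6 255.255.255.252
ip address inside 10.2.0.1 255.255.0.0

! --- routing: default via the native VLAN; Site C's peer and prefix via VLAN 108 ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route vpn2C 198.51.100.1 255.255.255.255 192.0.2.5 1
route vpn2C 10.3.0.0 255.255.0.0 192.0.2.5 1

! --- NAT exemption for Site B's own tunnelled traffic ---
access-list nonat permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Identity static so A<->C transit crosses from one tunnel interface to the other untranslated.
static (vpn2C,outside) 10.3.0.0 10.3.0.0 netmask 255.255.0.0 0 0

! --- crypto ACLs: each tunnel carries Site B's prefix AND the far site's prefix ---
access-list toA permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list toA permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list toC permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list toC permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

! --- IPsec: one crypto map per interface, each with its own peer ---
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map mapA 10 ipsec-isakmp
crypto map mapA 10 match address toA
crypto map mapA 10 set peer 203.0.113.1
crypto map mapA 10 set transform-set strong
crypto map mapA interface outside
crypto map mapC 10 ipsec-isakmp
crypto map mapC 10 match address toC
crypto map mapC 10 set peer 198.51.100.1
crypto map mapC 10 set transform-set strong
crypto map mapC interface vpn2C

! --- ISAKMP: a single policy serves both peers; the per-peer keys select the tunnel ---
isakmp enable outside
isakmp enable vpn2C
isakmp key REPLACE-WITH-SITE-A-PSK address 203.0.113.1 netmask 255.255.255.255
isakmp key REPLACE-WITH-SITE-C-PSK address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted IPsec traffic bypass the per-interface access-lists.
sysopt connection permit-ipsec
```

The point of the layout is that the tunnel to Site A terminates on 'outside' and the tunnel to Site C terminates on 'vpn2C', so an A-to-C packet enters on one interface and leaves on another, which is the only path the PIX permits; a single crypto map with two peer entries on one interface would bring up both tunnels but could never relay between them. After applying it, 'show crypto isakmp sa' and 'show crypto ipsec sa' should show an SA per peer on each interface, and 'show route' should confirm that 10.3.0.0/16 is reached via vpn2C rather than the default route. Note that transit traffic between A and C is decrypted and re-encrypted on the Site B PIX, so Site B's firewall policy and logging apply to it as well.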
