How can I use a site-to-site tunnel through another PIX?

Discussion in 'Cisco' started by John, Feb 27, 2005.

  1. John

    John Guest

    Thanks for taking the time to read my request for a little help. We
    currently have a site-to-site vpn tunnel connected from the
    branch-office to another pix at the main-office. The pix in the
    main-office has another site-to-site tunnel to a vpn 3000 concentrator.

    From here on I'll be referring to each location by a single character:
    * [A] - Branch office (PIX 501)
    * [B] - Main office (PIX 501)
    * [C] - Off site (VPN 3000 Concentrator)

    What I want is to be able to connect to an IBM iSeries Server running
    on the inside of [C] from [A]. But without creating a new vpn-tunnel
    from [A] to [C]. In other words I want to use the tunnel from [A] to
    [B] in order to reach the server on [C]. How can this be done? Or can it be
    done at all? If something is not clear please post so that I may clarify
    the situation.

    Before I forget, if someone knows a good resource for information
    regarding securing a pix (pref. including model 501) please post below.


    Thanks in advance, John
     
    John, Feb 27, 2005
    #1

  2. John

    AM Guest

    John wrote:

    > Thanks for taking the time to read my request for a little help. We
    > currently have a site-to-site vpn tunnel connected from the
    > branch-office to another pix at the main-office. The pix in the
    > main-office has another site-to-site tunnel to a vpn 3000 concentrator.
    >
    > From here on I'll be referring to each location by a single character:
    > * [A] - Branch office (PIX 501)
    > * [B] - Main office (PIX 501)
    > * [C] - Off site (VPN 3000 Concentrator)
    >
    > What I want is to be able to connect to an IBM iSeries Server running on
    > the inside of [C] from [A]. But without creating a new vpn-tunnel from
    > [A] to [C]. In other words I want to use the tunnel from [A] to [B] in
    > order to reach the server on [C]. How can this be done? Or can it be done
    > at all? If something is not clear please post so that I may clarify the
    > situation.
    >
    > Before I forget, if someone knows a good resource for information
    > regarding securing a pix (pref. including model 501) please post below.
    >
    >
    > Thanks in advance, John


    I think you need to add in the "protect rules" the net behind C in the A conf and obviously
    vice versa. Add rules to forward packets in B from A to C and vice versa. If you post your config files
    I could help you better.

    IMHO, Alex.
     
    AM, Feb 27, 2005
    #2

  3. In article <f%kUd.3461$Mw3.604@amstwist00>, John <> wrote:
    :We
    :currently have a site-to-site vpn tunnel connected from the
    :branch-office to another pix at the main-office. The pix in the
    :main-office has another site-to-site tunnel to a vpn 3000 concentrator.

    :What I want is to be able to connect to an IBM iSeries Server running
    :on the inside of [C] from [A]. But without creating a new vpn-tunnel
    :from [A] to [C]. In other words I want to use the tunnel from [A] to
    :[B] in order to reach the server on [C]. How can this be done? Or can it be
    :done at all?

    [At least until 7.0] the PIX will never forward a packet out the
    same [logical] interface it came in on, even if two different
    tunnels are involved.

    :Main office (PIX 501)

    Unfortunately the PIX 501 does not support logical interfaces,
    just physical interfaces, so there is no way to do what you want
    without adding more hardware or changing the hardware.

    If you were using any other 500 series PIX device (other than the 510)
    and had sufficiently new software, you could handle this by
    creating a logical interface on the outside of the PIX and assigning
    it into a different subnet; then you would have the tunnel A<->B
    terminate on a different logical interface than the tunnel B<->C did
    and you would then not be in violation of the forwarding rules.
    A logical interface receives traffic with an IEEE 802.1Q VLAN tag,
    so your WAN router would need to have 802.1Q support for that approach
    to work.

    PIX version 7.0 has been officially announced with software due out
    soon, and it does not have this restriction -- but the initial 7.0
    release supports only the 515/515E, 525, and 535. I would -expect- that
    eventually it will support the 501 and 506/506E (7.1 I suspect),
    but not yet.
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
     
    Walter Roberson, Feb 27, 2005
    #3
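    As an added example (not from the thread, and not Cisco's own documentation), this is how the main-office PIX [B] could be set up once it runs the 7.0 software Walter describes, which lifts the same-interface forwarding rule, on a model that gets 7.0 (a 515E is assumed; a 501 cannot run it). It also carries the crypto ACL entries Alex calls "protect rules" so that the A<->B and B<->C tunnels both cover the transit flow. All addresses, peer IPs, names, the 3DES/SHA proposal and the keys are assumed placeholders.

```cisco
! Added example: PIX 515E at [B] running 7.0 (assumed; a 501 cannot run this).
! Placeholder addressing, not taken from the thread:
!   [A] LAN 192.168.1.0/24, peer 203.0.113.1
!   [B] LAN 192.168.2.0/24 (this box)
!   [C] LAN 192.168.3.0/24, peer 203.0.113.3
!
! 7.0 allows a packet to leave the interface it arrived on only when told to:
same-security-traffic permit intra-interface
!
! Crypto ACLs (Alex's "protect rules"). Both tunnels must also match the
! transit flow A<->C; [A] and [C] need the mirror-image entries on their side.
access-list tun-A extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list tun-A extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list tun-C extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list tun-C extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
!
! NAT exemption. The outside-to-outside flow never touches "inside", so it
! needs its own exemption if nat-control is enabled on this box.
access-list nonat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat-out extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat-out extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat-in
nat (outside) 0 access-list nonat-out
!
! Phase 1 / Phase 2: one crypto map entry per peer, both on the same outside interface.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 match address tun-A
crypto map vpnmap 10 set peer 203.0.113.1
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address tun-C
crypto map vpnmap 20 set peer 203.0.113.3
crypto map vpnmap 20 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-A
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY-C
```

    The VPN 3000 at [C] must likewise list [A]'s network in its network list for the [B] tunnel, which is why John's fallback of asking the company that runs it is unavoidable either way.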
  4. John

    John Guest

    Walter Roberson wrote:
    >
    > In article <f%kUd.3461$Mw3.604@amstwist00>, John <> wrote:
    > [At least until 7.0] the PIX will never forward a packet out the
    > same [logical] interface it came in on, even if two different
    > tunnels are involved.
    >
    > :Main office (PIX 501)
    >
    > Unfortunately the PIX 501 does not support logical interfaces,
    > just physical interfaces, so there is no way to do what you want
    > without adding more hardware or changing the hardware.
    >
    > If you were using any other 500 series PIX device (other than the 510)
    > and had sufficiently new software, you could handle this by
    > creating a logical interface on the outside of the PIX and assigning
    > it into a different subnet; then you would have the tunnel A<->B
    > terminate on a different logical interface than the tunnel B<->C did
    > and you would then not be in violation of the forwarding rules.
    > A logical interface receives traffic with an IEEE 802.1Q VLAN tag,
    > so your WAN router would need to have 802.1Q support for that approach
    > to work.
    >
    > PIX version 7.0 has been officially announced with software due out
    > soon, and it does not have this restriction -- but the initial 7.0
    > release supports only the 515/515E, 525, and 535. I would -expect- that
    > eventually it will support the 501 and 506/506E (7.1 I suspect),
    > but not yet.


    Thanks for the reply with a good explanation of the matter. The easiest
    thing to do atm would then be to contact the company who has the vpn
    concentrator and make them set up a configuration for another tunnel.
    Hopefully Cisco will release PIX 7.0 for the 501 models as well.

    Thanks, John
     
    John, Feb 27, 2005
    #4
  5. John

    AM Guest

    Walter Roberson wrote:

    > In article <f%kUd.3461$Mw3.604@amstwist00>, John <> wrote:
    > :We
    > :currently have a site-to-site vpn tunnel connected from the
    > :branch-office to another pix at the main-office. The pix in the
    > :main-office has another site-to-site tunnel to a vpn 3000 concentrator.
    >
    > :What I want is to be able to connect to an IBM iSeries Server running
    > :on the inside of [C] from [A]. But without creating a new vpn-tunnel
    > :from [A] to [C]. In other words I want to use the tunnel from [A] to
    > :[B] in order to reach the server on [C]. How can this be done? Or can it be
    > :done at all?
    >
    > [At least until 7.0] the PIX will never forward a packet out the
    > same [logical] interface it came in on, even if two different
    > tunnels are involved.


    I supposed his tunnels terminated on different interfaces. Sorry for the mistakes! I haven't read his
    article well enough!

    Alex.
     
    AM, Feb 27, 2005
    #5
  6. John

    Philip D'Ath Guest

    John wrote:
    > Thanks for taking the time to read my request for a little help. We
    > currently have a site-to-site vpn tunnel connected from the
    > branch-office to another pix at the main-office. The pix in the
    > main-office has another site-to-site tunnel to a vpn 3000 concentrator.
    >
    > From here on I'll be referring to each location by a single character:
    > * [A] - Branch office (PIX 501)
    > * [B] - Main office (PIX 501)
    > * [C] - Off site (VPN 3000 Concentrator)
    >
    > What I want is to be able to connect to an IBM iSeries Server running on
    > the inside of [C] from [A]. But without creating a new vpn-tunnel from
    > [A] to [C]. In other words I want to use the tunnel from [A] to [B] in
    > order to reach the server on [C]. How can this be done? Or can it be done
    > at all? If something is not clear please post so that I may clarify the
    > situation.

    ....

    You can't do this.
     
    Philip D'Ath, Feb 28, 2005
    #6
