LAN-to-LAN involving PIX and VPN

Discussion in 'Cisco' started by Chris Kranz, Aug 23, 2005.

  1. Chris Kranz

    Chris Kranz Guest

    Apparently this isn't a widely used setup?

    I have 2 offices...

    Office 1
    - PIX 515e with DMZ card
    - VPN 3005 Concentrator connected to the DMZ card

    Office 2
    - PIX 515e
    - VPN 3005 Concentrator

    I have a LAN-to-LAN setup between the 2 sites; both VPNs can ping
    each other. I've added routing to the PIXes (as they're the networks'
    default route) to route all the other office's traffic to the VPN
    Concentrator first.

    The problem I have is that the routing doesn't work. It appears that
    from Office 2, the packets go from the client, to the PIX, the PIX then
    does PAT translation before sending them to the VPN, where the VPN has
    no idea what to do with the packets which now have an external IP.

    In reverse, the problem could be the same, however it could also be that
    the Office 2 network is unable to respond correctly as it can't find the
    correct route.

    If I write a logon script (AD domain) to statically set a route on all
    the machines to route directly to the VPNs if needed, everything will work
    fine... but should I have to do this? I would like to think that there's
    a nice clean way of accomplishing this without making a static change
    on every machine.

    I've probably been a bit too vague with my setup above; let me know if
    you need things clearing up. I've followed the Cisco guides for setting
    up the LAN-to-LAN, and this is all functioning correctly. Everything
    seems to be doing its job properly; it's just that the machines can't find
    the correct route to take, and packets are getting lost...

    Many thanks in advance for any help...

    Chris K
     
    Chris Kranz, Aug 23, 2005
    #1

  2. In article <430aecf6$0$38044$>,
    Chris Kranz <> wrote:
    :The problem I have is that the routing doesn't work. It appears that
    :from Office 2, the packets go from the client, to the PIX, the PIX then
    :does PAT translation before sending them to the VPN, where the VPN has
    :no idea what to do with the packets which now have an external IP.

    Why not use nat 0 access-list to disable that address translation ?
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
     
    Walter Roberson, Aug 23, 2005
    #2

  3. Chris Kranz

    Chris Kranz Guest

    Walter Roberson wrote:
    > In article <430aecf6$0$38044$>,
    > Chris Kranz <> wrote:
    > :The problem I have is that the routing doesn't work. It appears that
    > :from Office 2, the packets go from the client, to the PIX, the PIX then
    > :does PAT translation before sending them to the VPN, where the VPN has
    > :no idea what to do with the packets which now have an external IP.
    >
    > Why not use nat 0 access-list to disable that address translation ?


    Will this work, as all traffic routing out of the PIX into the VPN is
    coming out of the public interface? Does it not have to perform some
    sort of translation? Will this force it to route back through the
    private interface?

    Sorry for the questions, my only Cisco knowledge is what I've taught
    myself from these machines in the past 6 months...
     
    Chris Kranz, Aug 23, 2005
    #3
  4. In article <430b4407$0$38037$>,
    Chris Kranz <> wrote:
    :Walter Roberson wrote:
    :> Why not use nat 0 access-list to disable that address translation ?

    :Will this work as all traffic routing out of the PIX into the VPN is
    :coming out of the public interface?

    Yes.

    :Does it not have to perform some sort of translation?

    The -outer- packet will have your public IP on it, but the
    encapsulated packet would use the original private IPs. The outer
    packet layer is transparent for this purpose (except for some fine
    points having to do with ACLs on some IOS routers.)
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, Aug 23, 2005
    #4
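Putting Walter's two replies together (nat 0 access-list in #2, and the point in #4 that the PIX only ever handles the cleartext inner packet while the concentrator builds the outer one), here is what the Office 2 PIX side would look like. This is an added example written for this thread, not configuration posted by Chris or taken from a Cisco guide. It uses PIX OS 6.x syntax (the release current for a 515E in 2005), and every address, interface name and ACL name in it is an assumption: the thread gives none of them, and the concentrator is placed on a DMZ interface as described for Office 1.

```cisco
! Added example: Office 2 PIX 515E, PIX OS 6.x syntax.
! Assumed addressing (nothing in the thread gives real values):
!   Office 2 inside LAN           192.168.2.0/24, PIX inside  192.168.2.1
!   DMZ segment                   192.168.100.0/24, PIX dmz   192.168.100.1
!   VPN 3005 private interface    192.168.100.2 (on the DMZ)
!   Office 1 inside LAN (remote)  192.168.1.0/24
nameif ethernet2 dmz security50
ip address inside 192.168.2.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0

! Existing Internet PAT stays exactly as it was.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! NAT exemption (Walter's suggestion): traffic from the local LAN to the
! remote LAN keeps its private source address on the way to the
! concentrator. nat 0 access-list is matched before nat 1, so this wins
! for the site-to-site pair and nothing else changes.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Steer the remote LAN at the concentrator's private interface rather than
! following the default route. The hosts keep the PIX as their gateway, so
! no per-machine routes (and no logon script) are needed.
route dmz 192.168.1.0 255.255.255.0 192.168.100.2 1

! Return traffic comes back decrypted from the concentrator onto the dmz
! (security 50) bound for inside (security 100). Lower-to-higher traffic
! is dropped unless an ACL on the dmz interface permits it.
access-list dmz_in permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group dmz_in in interface dmz
```

Office 1 needs the mirror image (swap the two LAN prefixes, point the route at its own concentrator), and each VPN 3005 needs a private-side route back to its local LAN via the PIX dmz address (192.168.100.1 here), otherwise the decrypted packets have nowhere to go. If `access-group ... in interface dmz` already exists, add the permit line to that ACL instead of replacing it. After changing the nat statements run `clear xlate`, then check with `show xlate` that a ping from an inside host to the remote LAN creates no translation entry and with `show route` that the remote prefix resolves through the dmz interface. Note that nothing here touches the outside interface: the encrypted outer packet with the public source address exists only between the two concentrators, which is why the PIX's own PAT rule never needs to apply to this traffic.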
