PIX 515 VPN RELAYING FROM INSIDE

Discussion in 'Cisco' started by daniel-fr, Sep 24, 2006.

  1. daniel-fr

    Hi,
    I've got a couple of PIX 515 in failover which are used to make VPN
    connections with some of our clients and all works fine.
    What we are challenged to make is relaying a VPN from the inside
    because we have several inside sites and from one of them there will be
    a VLAN dedicated to computers belonging to our new client. Routing them
    from this site to the PIX would imply putting all the routes to my
    client's networks. First inconvenience, they use internally public
    addresses which they don't own.
    2nd constraint, the internal network assigned to the client must be
    sealed to and from all our networks.
    I thought of including this network in an internal VPN with a little PIX
    501 on this site up to the PIX connected to the Internet.
    Trying to make a layout:
    Trying to make a layout :

    MY SITE A MY SITE B INTERNET CLIENT

    CLIENT----PIX 501----RTRA------RTRB----PIX515-----VPN --------HIS
    NETWORKS

    Does somebody know if it is possible to make a VPN directly to the PIX 515
    on its inside interface and then rebuild another tunnel to the client
    networks?

    I thought of another solution with another PIX 501 in front of the PIX
    515, having a VPN between the two 501s and then rebuilding another tunnel
    with the 515.

    MY SITE A MY SITE B INTERNET CLIENT

    CLIENT----PIX 501----RTRA------RTRB--501--PIX515-----VPN --------HIS
    NETWORKS


    Could this work?
    Has anybody already set up such a configuration?

    Thanks in advance
    Daniel
     
    daniel-fr, Sep 24, 2006
    #1

  2. In article <>,
    daniel-fr <> wrote:
    > MY SITE A MY SITE B INTERNET CLIENT
    >
    >CLIENT----PIX 501----RTRA------RTRB----PIX515-----VPN --------HIS
    >NETWORKS


    >Does somebody knows if it is possible to make a vpn directly to pix 515
    >on its inside interface and then rebuild another tunnel to the client
    >networks ?


    No, it isn't. The only way to VPN from outside a lower security
    interface, "directly" to a higher security interface, is to
    use a "management interface" VPN. Management VPNs can only be used
    to manage the PIX itself (or for the PIX to send out traffic
    that it itself has generated) -- for example, ping or ssh the PIX.
    Management VPNs use a different -kind- of IPSec which is *defined*
    as not permitting relaying.
     
    Walter Roberson, Sep 25, 2006
    #2

  3. daniel-fr

    Thanks for the answer, Walter.
    I thought of it already. So I think the only solution should be the
    second one:
    VPN between the two 501s on both sites and from the 515 to the client;
    between the 501 on site B and the 515 I'll build a legitimate subnet
    and it should work
    .... I hope.
    I'll try modeling it today.


    Walter Roberson wrote:
    > In article <>,
    > daniel-fr <> wrote:
    > > MY SITE A MY SITE B INTERNET CLIENT
    > >
    > >CLIENT----PIX 501----RTRA------RTRB----PIX515-----VPN --------HIS
    > >NETWORKS

    >
    > >Does somebody knows if it is possible to make a vpn directly to pix 515
    > >on its inside interface and then rebuild another tunnel to the client
    > >networks ?

    >
    > No, it isn't. The only way to VPN from outside a lower security
    > interface, "directly" to a higher security interface, is to
    > use a "management interface" VPN. Management VPNs can only be used
    > to manage the PIX itself (or for the PIX to send out traffic
    > that it itself has generated) -- for example, ping or ssh the PIX.
    > Management VPNs use a different -kind- of IPSec which is *defined*
    > as not permitting relaying.
     
    daniel-fr, Sep 25, 2006
    #3
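For readers who want to see what the second design looks like in configuration terms, here is an added example (not posted in this thread, and not a copy of anyone's actual config) in PIX 6.x CLI syntax. All addresses are constructed placeholders: 10.200.0.0/24 stands for the client VLAN numbered from a subnet our network can route (the "legitimate subnet"), 203.0.113.0/24 for the client's networks, 192.0.2.10 for the client's VPN peer, 10.1.1.2 for the 501 at site B as seen from the 515's inside interface, and 10.0.0.0/8 for our own internal networks. The interface names, ACL names and the pre-shared key placeholder are assumptions as well.

```cisco
! ===== PIX 515 at the Internet edge (PIX 6.x syntax, constructed example) =====
! Interesting traffic for the tunnel to the client: only the relayed client VLAN,
! only to the client's networks. The 515 encrypts nothing else toward this peer
! and drops decrypted packets that do not match the mirror of this ACL.
access-list to-client permit ip 10.200.0.0 255.255.255.0 203.0.113.0 255.255.255.0

! No NAT for traffic that will be encrypted
access-list nonat permit ip 10.200.0.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list nonat

! The relayed subnet is not directly connected: it sits behind the 501 at site B
route inside 10.200.0.0 255.255.255.0 10.1.1.2 1

! Phase 1 (IKE) toward the client peer
isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Phase 2 (IPsec) bound to the outside interface
crypto ipsec transform-set client-ts esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address to-client
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set client-ts
crypto map outside_map interface outside
sysopt connection permit-ipsec

! ===== PIX 501 at site A, in front of the client VLAN (constructed example) =====
! Tunnel toward the 501 at site B; 198.51.100.2 is a placeholder for its outside address
access-list to-siteB permit ip 10.200.0.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list nonat permit ip 10.200.0.0 255.255.255.0 203.0.113.0 255.255.255.0
nat (inside) 0 access-list nonat

! Sealing the client VLAN: the inside ACL is evaluated before encryption, so the
! client VLAN can reach its own networks through the tunnel and nothing of ours.
access-list client_vlan_in deny ip 10.200.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list client_vlan_in permit ip 10.200.0.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list client_vlan_in deny ip any any
access-group client_vlan_in in interface inside

isakmp enable outside
isakmp key <PRESHARED-KEY-PLACEHOLDER> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
crypto ipsec transform-set siteB-ts esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address to-siteB
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 10 set transform-set siteB-ts
crypto map outside_map interface outside
sysopt connection permit-ipsec
```

Two points are worth checking when modelling this. First, the 515 never terminates a tunnel on its inside interface here: the 501 at site B decrypts, the cleartext crosses the routed "legitimate subnet", and the 515 re-encrypts on its outside interface, which is exactly the relay Walter says the inside interface cannot do by itself. Second, the sealing constraint has to be enforced where the client VLAN enters our network (the 501 at site A and its crypto ACL), because the 515 only ever sees that VLAN's traffic on its way to the Internet side; reverse traffic from our networks into the client VLAN is stopped at the site A 501, whose outside interface accepts only IPsec traffic covered by the crypto ACL.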