routing issues on IPSEC

Discussion in 'Cisco' started by al, Mar 3, 2004.

  1. al

    al Guest

    Hi all,
    Here is the scenario:
    We have a PIX on our HQ connected site-to-site VPN to our first remote
    site's PIX. The remote site's PIX has a webserver in its DMZ.
    We also have a Cisco router on our HQ connected site-to-site VPN to our
    second remote site's Cisco router.
    The second remote site users need to connect to the first remote site
    webserver that resides on the DMZ of the PIX.
    That means the second remote site users will have to travel the IPSEC tunnel
    to the HQ and then travel another IPSEC tunnel to the first remote site.
    Can somebody suggest a good solution to this issue?
    Establishing an IPSEC tunnel from the first remote site to the second remote
    site directly is not an option.
    Thanks,
    Al
    al, Mar 3, 2004
    #1

  2. In article <lPd1c.19465$>,
    al <> wrote:
    :Here is the scenario:
    :We have a PIX on our HQ connected site-to-site VPN to our first remote
    :site's PIX. The remote site's PIX has a webserver in its DMZ.
    :We also have a Cisco router on our HQ connected site-to-site VPN to our
    :second remote site's Cisco router.
    :The second remote site users need to connect to the first remote site
    :webserver that resides on the DMZ of the PIX.
    :That means the second remote site users will have to travel the IPSEC tunnel
    :to the HQ and then travel another IPSEC tunnel to the first remote site.
    :Can somebody suggest a good solution to this issue?
    :Establishing an IPSEC tunnel from the first remote site to the second remote
    :site directly is not an option.

    You need a VPN server at HQ, or an internal router at HQ (that
    does NAT). Or you can add a second PIX at HQ "inside" the first;
    the second site VPN's to the internal PIX, which NAT's the traffic
    and so it isn't the same traffic when it leaves the outer PIX on its
    way to the first site's VPN.

    [I have successfully implemented the latter strategy. With a PIX 506E
    and moderate transfer needs, it was a lot less expensive than a real
    VPN server.]
    --
    Most Windows users will run any old attachment you send them, so if
    you want to implicate someone you can just send them a Trojan
    -- Adam Langley
    Walter Roberson, Mar 3, 2004
    #2
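Why the HQ PIX cannot just forward the second site's packets into the first site's tunnel, and why NAT at HQ fixes it, as an added Python model of the crypto ACL (proxy identity) match on the hub; this is not code from the thread, and every address in it is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's topology (not from the original post).
HQ_LAN    = ip_network("10.1.0.0/16")     # hosts behind the HQ PIX
SITE1_DMZ = ip_network("10.2.100.0/24")   # webserver DMZ behind the site 1 PIX
SITE2_LAN = ip_network("10.3.0.0/16")     # users behind the site 2 router

# Proxy identities (crypto ACL) of the existing HQ PIX <-> site 1 PIX tunnel,
# written as (local, remote) from the HQ side: only HQ-LAN <-> site-1-DMZ is
# "interesting traffic"; the site 1 PIX holds the mirror image of this ACL.
HQ_SITE1_TUNNEL = (HQ_LAN, SITE1_DMZ)

def interesting(tunnel, src, dst):
    """True if src->dst matches the tunnel's crypto ACL in either direction."""
    local, remote = tunnel
    return (src in local and dst in remote) or (src in remote and dst in local)

def hq_forward(client, server, nat_addr=None):
    """What the outer HQ PIX does with a site 2 request for the site 1 webserver.

    nat_addr: an HQ-LAN address that an internal NAT router (or an inner PIX)
    rewrites the site 2 source to before the packet reaches the outer PIX;
    None means the packet arrives with its original site 2 source address."""
    client, server = ip_address(client), ip_address(server)
    src = ip_address(nat_addr) if nat_addr else client
    if not interesting(HQ_SITE1_TUNNEL, src, server):
        # No crypto map match: the PIX does not encrypt, so the request either
        # leaves in the clear or is dropped, and site 1 would not match its
        # mirror ACL for the reply to a site 2 address either.
        return ("not-encrypted", str(src))
    # Match: encrypted to site 1, which replies to src. With NAT that reply is
    # an HQ-LAN address, so it comes back through the tunnel to the NAT router,
    # which untranslates it to the real site 2 client.
    return ("encrypted", str(src))

if __name__ == "__main__":
    print(hq_forward("10.3.5.7", "10.2.100.10"))                # no NAT: fails
    print(hq_forward("10.3.5.7", "10.2.100.10", "10.1.250.1"))  # NATed: works
    print(hq_forward("10.1.4.4", "10.2.100.10"))                # plain HQ host
```

The same check explains the "inner PIX" variant: the outer PIX only ever sees packets already rewritten to an HQ-LAN source, so its crypto ACL toward site 1 needs no change.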

  3. al

    al Guest

    Hey Walter,
    I just want to let you know that adding a NAT router did the trick.
    Thank you very much for the tip.
    -Al


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c248ho$7l2$...
    > In article <lPd1c.19465$>,
    > al <> wrote:
    > :Here is the scenario:
    > :We have a PIX on our HQ connected site-to-site VPN to our first remote
    > :site's PIX. The remote site's PIX has a webserver in its DMZ.
    > :We also have a Cisco router on our HQ connected site-to-site VPN to our
    > :second remote site's Cisco router.
    > :The second remote site users need to connect to the first remote site
    > :webserver that resides on the DMZ of the PIX.
    > :That means the second remote site users will have to travel the IPSEC tunnel
    > :to the HQ and then travel another IPSEC tunnel to the first remote site.
    > :Can somebody suggest a good solution to this issue?
    > :Establishing an IPSEC tunnel from the first remote site to the second remote
    > :site directly is not an option.
    >
    > You need a VPN server at HQ, or an internal router at HQ (that
    > does NAT). Or you can add a second PIX at HQ "inside" the first;
    > the second site VPN's to the internal PIX, which NAT's the traffic
    > and so it isn't the same traffic when it leaves the outer PIX on its
    > way to the first site's VPN.
    >
    > [I have successfully implemented the latter strategy. With a PIX 506E
    > and moderate transfer needs, it was a lot less expensive than a real
    > VPN server.]
    > --
    > Most Windows users will run any old attachment you send them, so if
    > you want to implicate someone you can just send them a Trojan
    > -- Adam Langley
    al, Mar 5, 2004
    #3