Is a site to site VPN in this scenario possible?

Discussion in 'Cisco' started by tical, Dec 17, 2009.

  1. tical

    tical Guest

    We have 5-6 users who are operating out of another company's office,
    and I want to create a site-to-site VPN tunnel from that location's
    PIX 515 DMZ to the outside interface on our local PIX 515. Is this
    scenario possible? Thanks for any and all replies.
     
    tical, Dec 17, 2009
    #1
    1. Advertisements

  2. In your scenario I think that this is not going to work because for IPSec
    tunnel traffic should leave source location's VPN firewall trough it's
    outside interface and enter destination location's VPN firewall trough it's
    outside interface. So, in your case you have to set vpn configuration
    (crypto map) on outside interfaces on both PIX boxes.
    So, why you simply don't set crypto map on outside interfaces and then use
    cypto acl's to select traffic for encapsulation, for example traffic sourced
    from DMZ LAN? This is how things should be done at least AFAIK on pix.
    On Cisco routers you can put the crypto map on loopback interface and then
    policy route traffic from dmz to loopback...this has some chances to work...
    Pix doesn't support policy routing nor loopback interfaces.
    Or if this is scalable and practical configure remote access VPN on your pix
    and then connect remote users with software vpn clients...Then you don't
    have to worry about PIX in another company. They just have to let you pass
    trough IPSec UDP packets trough their PIX out to the Internet.

    i
     
    Igor Mamuzic aka Pseto, Dec 19, 2009
    #2
    1. Advertisements

  3. We terminate VPNs on the outside and DMZ interfaces on PIX 515, there
    is no restriction on that. It sounds though like you have the 5-6
    hosts connected to the DMZ? If that is the case, you would terminate
    the VPN on the 515 outside interface and pass the VPN traffic to the
    DMZ and your hosts. On the "local" 515, you would terminate on the
    outside. Some more detail would help like IP ranges and where you
    want the encrypted traffic to pass.
     
    Shawn Westerhoff, Dec 19, 2009
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.