LAN-to-LAN involving PIX and VPN

Discussion in 'Cisco' started by Chris Kranz, Aug 23, 2005.

  1. Chris Kranz

    Chris Kranz Guest

    Apparently this isn't a widely used setup?

    I have 2 offices...

    Office 1
    - PIX 515e with DMZ card
    - VPN 3005 Concentrator connected to the DMZ card

    Office 2
    - PIX 515e
    - VPN 3005 Concentrator

    I have a LAN-to-LAN setup between the 2 sites, both VPNs can ping
    each other, I've added routing to the PIXes (as they're the network's
    default route) to route all the other office's traffic to the VPN
    Concentrator first.

    The problem I have is that the routing doesn't work. It appears that
    from Office 2, the packets go from the client, to the PIX, the PIX then
    does PAT translation before sending them to the VPN, where the VPN has
    no idea what to do with the packets which now have an external IP.

    In reverse, the problem could be the same, however it could also be that
    the Office 2 network is unable to respond correctly as it can't find the
    correct route.

    If I write a logon script (AD domain) to statically set a route on all
    the machines to route directly to the VPNs if needed, everything will work
    fine... but should I have to do this? I would like to think that there's
    a nice clean way of accomplishing this without making a static change
    on every machine.

    I've probably been a bit too vague with my setup above, let me know if
    you need things clearing up. I've followed the Cisco guides for setting
    up the LAN-to-LAN, and this is all functioning correctly, everything
    seems to be doing its job properly, it's just the machines can't find
    the correct route to take, and packets are getting lost...

    Many thanks in advance for any help...

    Chris K
     
    Chris Kranz, Aug 23, 2005
    #1

  2. :The problem I have is that the routing doesn't work. It appears that
    :from Office 2, the packets go from the client, to the PIX, the PIX then
    :does PAT translation before sending them to the VPN, where the VPN has
    :no idea what to do with the packets which now have an external IP.

    Why not use nat 0 access-list to disable that address translation?
     
    Walter Roberson, Aug 23, 2005
    #2

  3. Chris Kranz

    Chris Kranz Guest

    Will this work as all traffic routing out of the PIX into the VPN is
    coming out of the public interface? Does it not have to perform some
    sort of translation? Will this force it to route back through the
    private interface?

    Sorry for the questions, my only Cisco knowledge is what I've taught
    myself from these machines in the past 6 months...
     
    Chris Kranz, Aug 23, 2005
    #3
  4. :> Why not use nat 0 access-list to disable that address translation ?

    :Will this work as all traffic routing out of the PIX into the VPN is
    :coming out of the public interface?

    Yes.

    :Does it not have to perform some sort of translation?

    The -outer- packet will have your public IP on it, but the
    encapsulated packet would use the original private IPs. The outer
    packet layer is transparent for this purpose (except for some fine
    points having to do with ACLs on some IOS routers.)
     
    Walter Roberson, Aug 23, 2005
    #4
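    Walter's nat 0 suggestion, worked through as an added example for the Office 1 PIX (PIX 6.x syntax). This is not configuration from the thread: the subnets, interface names and the concentrator's DMZ-side address are assumed, and the Office 2 PIX mirrors it with the two LANs swapped.

    ```cisco
    ! Office 1 PIX 515E. Assumed addressing (not from the thread):
    !   inside LAN      10.1.0.0/24   on interface "inside"
    !   DMZ segment     172.16.1.0/24 on interface "dmz", concentrator private side 172.16.1.2
    !   Office 2 LAN    10.2.0.0/24   reached through the LAN-to-LAN tunnel
    !
    ! 1. Match inter-office traffic that must keep its private source address.
    access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    !
    ! 2. Exempt that traffic from PAT (nat 0 = NAT exemption). The ordinary
    !    PAT rule for internet-bound traffic stays as it was.
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.1.0.0 255.255.255.0
    global (outside) 1 interface
    !
    ! 3. Point the remote LAN at the concentrator's DMZ-side address instead of
    !    the default route, so the PIX hands it the untranslated packet.
    route dmz 10.2.0.0 255.255.255.0 172.16.1.2 1
    !
    ! 4. Decrypted traffic from Office 2 arrives on the lower-security dmz
    !    interface and must be explicitly permitted toward inside.
    access-list dmz_in permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
    access-group dmz_in in interface dmz
    !
    ! Checks: "show route" lists 10.2.0.0 via 172.16.1.2 on dmz, and a ping
    ! from a 10.1.0.x host to 10.2.0.x no longer creates a PAT entry in
    ! "show xlate" for that flow. The concentrator itself still needs a
    ! route for 10.1.0.0/24 via the PIX dmz interface address.
    ```

    The outer ESP packets between the two concentrators still carry the public addresses, as Walter describes; only the encapsulated packets need to reach the concentrator with their private addresses intact.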
