VPN in and VPN out on same port on PIX 515E...possible?

Discussion in 'Cisco' started by Steve Baker, Apr 1, 2004.

  1. Steve Baker

    Steve Baker Guest

    Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
    locations. Now I want to use the VPN client to be able to connect a tunnel
    into one location but to be able to also get through to the other location.
    As the internet connects to one physical interface, it would mean the VPN
    client tunnel coming in on that interface and the inter-location tunnel back
    out on the same interface. As far as IP address space is concerned, if one
    location uses 10.1.0.0 and the other uses 10.2.0.0, I'd like to have the VPN
    client route all 10.0.0.0 traffic down the tunnel and have both locations
    accessible.

    Can this be done? Anyone have any tips as to how to achieve it? If it's not
    possible, how do I achieve the result most effectively?

    Thanks,

    Steve
     
    Steve Baker, Apr 1, 2004
    #1

  2. Joce Guest

    This has been answered 1000 times...

    The answer is no, you need two PIX to do the trick... or a router or a
    concentrator
     
    Joce, Apr 1, 2004
    #2

  3. Walter Roberson Guest

    :> Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
    :> locations. Now I want to use the VPN client to be able to connect a tunnel
    :> into one location but to be able to also get through to the other
    :> location. As the internet connects to one physical interface, it would

    :This has been answered 1000 times...

    :The answer is no, you need two PIX to do the trick... or a router or a
    :concentrator

    Or wait for 7.0, apparently.
     
    Walter Roberson, Apr 1, 2004
    #3
  4. Joce Guest

    It's about time... nothing else I know has this restriction!!
     
    Joce, Apr 1, 2004
    #4
  5. admin too Guest

    It's not a bug.... it's a (security) feature!
     
    admin too, Apr 1, 2004
    #5
  6. Joce Guest

    Yes, I know... Microsoft has a lot of features too!!

    Seriously, I totally understand the purpose of this "feature", but sometimes
    too much is like not enough.
     
    Joce, Apr 2, 2004
    #6
  7. Steve Baker Guest

    Any idea how this has to be configured? If a router's used, does it simply
    act as a device to turn packets around, nothing else? The PIX is still the
    VPN end-point and the router just provides an effective loopback outside the
    PIX?

    Steve
     
    Steve Baker, Apr 8, 2004
    #7
  8. Walter Roberson Guest

    :Here's what I have. A PIX 515E at each end of a VPN tunnel connecting two
    :locations. Now I want to use the VPN client to be able to connect a tunnel
    :into one location but to be able to also get through to the other location.

    :Can this be done? Anyone have any tips as to how to achieve it? If it's not
    :possible, how do I achieve the result most effectively?

    1) Subnet your outside address space, route part of it to one of the 515
    interfaces, route the other part to the other 515 interface,
    have one client VPN to the first interface, the other
    VPN connect to the second interface. They are then on different interfaces
    and can send traffic to each other. Requires a third interface, of course,
    unless you are running relatively new PIX and your router knows about
    VLANs: in that case you can do it with two interfaces [but not on the
    PIX 501, 506, or 506E, which don't support vlans.]

    2) Add a second PIX on the "inside". Set the ACLs of the outside
    PIX to pass through IPSec. Have the second client VPN to the inside
    PIX instead of the outside. Have that inside PIX "reversed" so that
    the VPN connection is to the inside interface instead of the outside.
    Have the outside interface do normal nat'ing into your regular IP
    address space. Make sure you use subnets or 'route' statements on
    your outside PIX so that replies to those IPs get directed to the
    inside PIX. The connections come in encrypted from the second PIX,
    get decrypted, nat'd into your other address space, and so are not
    the same packets when they hit the outside PIX on the way out, so
    the outside PIX will not block them. Replies back from the remote
    end just look like replies to hosts in your regular address space,
    so they can be passed along to the inside, where they hit the outside
    address of the inner PIX, get de-nat'd and get encapsulated into the
    IPSec tunnel for sending to the second site.

    This method works -- I have it running. Mind you, most of the connections
    are one-way, one site to the other, so I haven't had to worry much about
    connections initiated the other way around. Can certainly be done, but
    requires static mapping of the carrier IP addresses.
     
    Walter Roberson, Apr 8, 2004
    #8
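    The restriction the thread keeps circling, and why Walter's method 1 gets
    around it, is easier to see as a forwarding decision than as prose. The
    Python model below is an added example, not anything posted in the thread
    and not PIX code: it assumes the two sites are 10.1.0.0/16 and 10.2.0.0/16
    as Steve described, uses a constructed public block (203.0.113.0/24, a
    documentation range) for the PIX's outside address space, and represents
    the 7.0 change as a single `intra_interface` flag (the command 7.0 added
    for this is `same-security-traffic permit intra-interface`). Interface
    names such as `outside2` are made up for the model.

```python
import ipaddress

# Constructed addressing for the thread's scenario (not a real deployment).
SITE_A = ipaddress.ip_network("10.1.0.0/16")           # location behind PIX A
SITE_B = ipaddress.ip_network("10.2.0.0/16")           # location behind PIX B
CLIENT_SPLIT_TUNNEL = ipaddress.ip_network("10.0.0.0/8")   # what the client tunnels
OUTSIDE_BLOCK = ipaddress.ip_network("203.0.113.0/24")     # PIX A's public space


class Pix:
    """Minimal model of the PIX forwarding decision the thread is about.

    routes: (network, interface) pairs, matched longest-prefix.
    intra_interface=False models PIX 6.x, which drops a packet whose egress
    interface is the interface it arrived on (the VPN "hairpin" case).
    intra_interface=True models 7.0's same-security-traffic permit intra-interface.
    """

    def __init__(self, routes, intra_interface=False):
        self.routes = [(ipaddress.ip_network(str(n)), i) for n, i in routes]
        self.intra_interface = intra_interface

    def egress_interface(self, dst):
        """Longest-prefix lookup; None if no route matches."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forwards(self, ingress, dst):
        """True if a packet decrypted on `ingress` is forwarded towards `dst`."""
        egress = self.egress_interface(dst)
        if egress is None:
            return False
        if egress == ingress and not self.intra_interface:
            return False  # hairpin: same interface in and out, dropped on 6.x
        return True


def client_reaches(pix, client_ingress, dst):
    """Does a VPN client terminated on `client_ingress` of `pix` reach `dst`?"""
    if ipaddress.ip_address(dst) not in CLIENT_SPLIT_TUNNEL:
        return False  # the client would not send it down the tunnel at all
    return pix.forwards(client_ingress, dst)


def split_outside_block(block):
    """Method 1: carve the public block in two, one half per PIX interface."""
    halves = list(ipaddress.ip_network(str(block)).subnets(prefixlen_diff=1))
    return {"outside": halves[0], "outside2": halves[1]}


# As asked in the original question: site-to-site peer and client both on "outside".
single = Pix([
    (SITE_A, "inside"),
    (SITE_B, "outside"),   # reached through the inter-site IPSec peer on outside
])

# Method 1: the client terminates on a second public interface, "outside2".
subnets = split_outside_block(OUTSIDE_BLOCK)
method_one = Pix([
    (SITE_A, "inside"),
    (SITE_B, "outside"),
    (subnets["outside"], "outside"),
    (subnets["outside2"], "outside2"),
])

# The same single-interface box once 7.0 permits intra-interface traffic.
pix70 = Pix(single.routes, intra_interface=True)

if __name__ == "__main__":
    print("6.x, one interface, client -> site B:", client_reaches(single, "outside", "10.2.5.5"))
    print("6.x, method 1, client -> site B:     ", client_reaches(method_one, "outside2", "10.2.5.5"))
    print("7.0, one interface, client -> site B:", client_reaches(pix70, "outside", "10.2.5.5"))
```

    The model deliberately ignores crypto maps and NAT: the only thing it
    checks is whether the decrypted client packet's egress interface equals
    its ingress interface, which is exactly the property method 1 changes by
    moving the client onto a second interface, and the property 7.0 relaxes.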
  9. Joce Guest

    You can just terminate your tunnels directly in the router, if you've got
    the power.
     
    Joce, Apr 26, 2004
    #9